CISA's plans for 2020

The latest budget request for the Cybersecurity and Infrastructure Security Agency would continue funding core federal cybersecurity programs while exploring new tech programs around DNS threats, botnet detection and malware analysis.

The budget overview for CISA seeks $1.1 billion for cybersecurity operations. About half of that covers the National Cybersecurity Protection System (NCPS), which includes Einstein ($405 million) and the Continuous Diagnostics and Mitigation program ($232 million).

The budget document includes targets for both programs: CISA hopes to have 63 percent of agencies sharing user activity data via the DHS-managed federal dashboard under CDM by the end of fiscal year 2020.

DHS spent the past year helping agencies hook up to a federal reporting dashboard and tinkering with the program and procurement structure, shifting from tracking individual agency progress by phases to capabilities and rolling out CDM DEFEND, a new contracting vehicle. The shift from phases to capabilities came after Congress complained the old approach prevented agencies from implementing multiple phases of the program at the same time.

Einstein's goals involve attribution of attempts to hack federal networks to nation-state actors. The target for 2020 is 22 percent -- the budget document states that increases in attributable activity is a sign that information sharing and threat indicator development are improving.

According to the budget, in fiscal year 2020 the program plans to complete deployment of asset management and identity and access management for agencies that have signed memorandums of agreement, continue expanding pilot programs on data protection, begin deployment across federal agencies and develop AWARE, a risk scoring algorithm that will be used to judge agency performance.

The National Cybersecurity and Communications Integration Center (NCCIC) would receive $248 million.

The budget also requests an additional $4.4 million for NCPS to begin developing a centralized DNS name resolution service over the next year. The project would provide better visibility of threats to federal DNS infrastructure and provide agencies with enterprise DNS management and analytics. DHS plans to procure and award a contract for those services in fiscal year 2020.

In January, CISA issued its first-ever emergency directive giving agencies 10 days to put in place a series of protections against DNS hijacking.

While officials say they have no direct evidence any federal domains were hijacked during a recent global campaign, two Hill staffers briefed by DHS on the matter told FCW that because of the shifting nature of the attacks and the lack of monitoring employed by many federal agencies, DHS officials are not sure whether a compromise may have happened in the past.

In the directive, CISA stated it would begin regular delivery of Certificate Transparency logs for all agency domains, and it required each agency to immediately begin monitoring them for anomalous activity. The budget said a new, centralized DNS security device would "provide insights into threat activity across the federal government by giving CISA cyber visibility into all DNS requests."

The budget requests $9.8 million to support research and development of technologies to detect and identify botnets and other large-scale threats. CISA currently relies on a patchwork of threat intelligence reporting from multiple sources to keep tabs on botnet activity and is looking for a more automated solution that will aggregate those reports into a coherent narrative.

The agency is also searching for a way to provide "quick, accurate analysis of file binaries for malware discovery at scale" and will be redesigning and refreshing its Advanced Malware Analysis Center to bolster reliability and scalability this year.  

The budget also calls for $11 million to run CyberSentry, a pilot program that would voluntarily extend existing NCCIC services to critical infrastructure organizations. The pilot will deploy network sensor systems at the boundary between an organization's control systems and its corporate IT networks, detecting and tracking any malicious cyber activity along the way. With the requested funding, the agency said it plans to achieve initial operating capabilities for up to five organizations by the end of FY 2020.