The Department of Homeland Security was asked to transmit policy recommendations on data retention and event logging to the Office of Management and Budget by May 26 as part of President Joe Biden's cybersecurity executive order.
The first of many deadlines within President Joe Biden's cybersecurity executive order is due on Wednesday; this one surrounding policy recommendations for agency event logging and data retention. The potential changes on the surface may seem basic but unifying logging practices across federal agencies is a monumental and necessary task, experts told FCW.
"The call in President Biden's cyber EO for a standard logging process is a recognition that if there is any chance of effectively addressing cyber threats, there must be a system for archiving historical incident data that can be accessed quickly and securely," said Joseph Moreno, general counsel at SAP NS2, a cybersecurity firm focusing on AI and cloud solutions.
He added that while it may seem like "low-hanging fruit," data retention and event logging are "essential to any after-action report process to have accurate data logs that can be analyzed to understand what exactly happened, and why."
The Wednesday deadline, which marks 14 days since the executive order's release, directs the Department of Homeland Security to issue recommendations to the White House's Office of Management and Budget, according to the executive order.
"Such recommendations shall include the types of logs to be maintained, the time periods to retain the logs and other relevant data, the time periods for agencies to enable recommended logging and security requirements, and how to protect logs," the order states.
OMB will then need to work with the Pentagon, Justice Department, DHS and the director of national intelligence before the Federal Acquisition Regulatory Council moves to publish those rules later this year.
What recommendations DHS offers remains to be seen, but cybersecurity experts tell FCW unifying logging practices could present a massive challenge due to the size of the government and inconsistencies across agencies.
"Private organizations struggle with this challenge and most of them don't have to deal with the sprawl of the federal networks. This is going to be a big lift just to get them on the same page let alone steering the battleship to real defensive gains," said Bryson Bort, senior fellow for cybersecurity and emerging threats at the R Street Institute.
Another issue bound to come up is money. The White House began work on its executive order in the early weeks of Biden's time in office, but the fiscal year 2022 budget was largely crafted by the Trump administration. This scenario places the president's cybersecurity agenda with two options: Find places in the existing budget to shift funds or potentially wait until FY-23 to enact the grander changes the EO sets out.
Julian Waits, an executive at the cloud-native logging and security analytics company Devo, said industry usually defines the cost of logging using the amount of data ingested.
"You're talking about literally in aggregate petabytes of data, potentially millions upon millions of dollars that needs to be spent government-wide to put the right controls in place," he said. On the other hand, Waits argued, the government has already budgeted funding into logging technologies. "It's just being spent inefficiently on things that should have been modernized a long time ago."
Some cybersecurity experts pointed out the recommendations alone will lack any immediate effect on the agencies or contractors, while others said the impact will be hard to define without knowing exactly what policies DHS develops. However, there was consensus around a need for the government to get a grip on its logging practices if it intends to prioritize cybersecurity in the way the president has personally promised.
"Logging best practice is essential for detection and prevention and data retention is central to the forensics process," said Padraic O'Reilly, co-founder of the cybersecurity risk firm CyberSaint. "This is an excellent start, particularly as logging best practice is well established and understood and can be implemented effectively and rapidly with guidance" from the National Institute of Standards and Technology.