Officials: Cybersecurity Mandates Are important But Don’t Address Funding Needs

Federal officials are keen to meet the latest cybersecurity mandates issued by the Biden administration but are having trouble finding the funding to do so.

When President Biden’s Executive Order 14028, “Improving the Nation’s Cybersecurity,” was released in May, it was widely praised for directing tangible, serious actions to be taken by federal agencies to strengthen the protection of their cyber assets.

How that is translating into boots-on-the-ground actions is causing a lot of pain, however, particularly because there hasn’t been an accompanying boost in agency IT budgets to accomplish it.

The pain was on display during a webcast hosted by the Advanced Technology Academic Research Center Nov. 2 about event logging requirements set by the Office of Management and Budget in late August, which were developed to turn the EO’s policy directives into specific actions.

“For those of us who spent a little bit of quality time with SolarWinds, [we] understand the importance of logs,” said Ralph Mosios, chief information security officer of the Federal Housing Finance Agency, but “we have to maintain logs a lot longer, hot logs and cold logs. It poses challenges for us … How are we going to pay for all this? How are we going to get the people and money to do it? What are we going to do with all these logs besides just collecting them? How are we going to use them proactively? [And] how to prioritize this particular directive with all the others?”

Allison McCall, chief information officer of the National Technical Information Service, agreed. 

“As part of the Department of Labor, we’ll be handling this as a group through the CIO Council, the CISO Council, but it definitely poses a challenge,” she said. “We ourselves keep logs, but this memo has a lot of detail, a lot of nuances, so there’s a lot of work that’s got to be done … We want to comply with this memorandum but we also want to increase our efforts as we have more problems in the cybersecurity arena.”

Paul Blahusch, the Labor Department CISO, added that improving the collection of logging data causes downstream challenges, such as storage and network capacity. “How do we make this more valuable than just [collecting] the data?”

While Blahusch’s department is sprawling and complex—he pointed to its 27 mission areas and 77 different FISMA-reportable information systems as examples—other parts of the government face a global challenge.

“We’re the International Trade Administration,” said Joe Ramsey, ITA CISO. “We’re geographically distributed, with over a hundred locations around the world. [It’s] really challenging to do all things cyber, but logging is going to be a particular challenge … We don’t have any funding for this, and what are we going to do with these logs?”

McCall suggested setting up machine learning to digest the huge amounts of logging data and weed out what’s not needed so that agencies can focus their efforts most appropriately. “You have to be able to pare down and home in” on the important stuff, she said. “There’s going to be enormous challenges with this, but it’s important.”

“Correlation is key. You see a failed authentication in one place, it’s not a big deal, but you see it in 20 places and you’ve got an attack,” Ramsey added.

Blahusch said baselining networks’ behavior and characteristics is critical, in order to identify abnormal activity. And the baseline has to be reestablished frequently: “I’m adding more and more stuff [to my network] all the time.”

Different agencies will have different mechanisms to address funding needs, the panelists said. FHFA’s Mosios said his agency uses non-appropriated funds, instead levying a fee for its services. To get a sufficient cybersecurity budget, “I will leverage current events in the world to support my budget—everything from ransomware to SolarWinds,” he said.

Labor’s Blahusch, whose budget is included in the appropriations process, pointed to IT modernization funds, a portion of which is specifically set aside for cybersecurity, plus the department’s own working capital fund.

“We’re looking for additional funding. We did put in for [Technology Modernization Fund] funding—we’ve been successful with TMF in the past,” he said. “CISA’s [Continuous Diagnostics and Mitigation] program has assistance, as well. They’re open to listening to what your ideas are and what you’re doing and how they can help.”

Another aspect of the pain paradigm at work is that agencies feel caught between the EO and OMB mandates on the one hand, and what they see as urgent priorities within their own organizations on the other.

“Zero trust and logging—between the two, I think we’ve got a very challenging situation, where we have to plan out what’s appropriate for our agency, our systems, [and] what’s the biggest risk,” McCall said. “We’ve got a lot of thinking to do between these two initiatives … The one thing with initiatives like this, we need to incorporate it, we need to take it seriously, but we need to keep level-headed and prioritize. We can’t follow blindly and just focus in on certain areas. [We must] make sure we encompass all the final areas.”