In September 2018, the National Cyber Strategy was released, complete with the Presidential seal. The National Cyber Strategy is supposed to complement the Federal Information Security Modernization Act of 2014 (FISMA), whose intention was to reduce the impact of cyberattacks on American government agencies.
Let’s take a look at the National Cyber Strategy, which is now just over a year old. According to its report, the Strategy aims to:
- Defend the Homeland by protecting networks, systems, functions, and data.
- Promote American prosperity by nurturing a secure, thriving digital economy and fostering strong domestic innovation.
- Preserve peace and security by strengthening the ability of the United States, in concert with allies and partners, to punish those who use cyber tools for malicious purposes.
- Expand American influence abroad to extend the key tenets of an open, interoperable, reliable, and secure Internet.
It’s hard to imagine how American influence abroad could possibly be extended further. The United States has always been in a position to influence how the Internet is implemented, ever since ARPANET was founded by the Advanced Research Projects Agency of the U.S. Department of Defense (DoD) in 1969.
The trillion-dollar question is, will the Strategy protect “networks, systems, functions, and data?”
Centralizing U.S. Cybersecurity
The first significant action proposed in the Strategy’s report is to centralize management and oversight of federal civilian cybersecurity, which (as the quoted passage spells out) means the executive-branch agencies outside the Department of Defense, the Intelligence Community, and national security systems. The Strategy states:
“The Administration will act to further enable the Department of Homeland Security (DHS) to secure Federal department and agency networks, with the exception of national security systems and Department of Defense (DOD) and Intelligence Community (IC) systems. This includes ensuring DHS has appropriate access to agency information systems for cybersecurity purposes and can take and direct action to safeguard systems from the spectrum of risks.”
Depending on the details, that could be good. Centralizing civilian cybersecurity under DHS would make it easier to share threat information between agencies and to apply hardening baselines uniformly instead of agency by agency. The flip side is that a central body with access to every agency’s systems is itself a high-value target, so that access needs the same least-privilege and audit controls it is meant to enforce on the agencies.
This part of the Strategy is especially promising:
“The United States cannot afford to have sensitive government information or systems inadequately secured by contractors. Federal contractors provide important services to the United States Government and must properly secure the systems through which they provide those services. Going forward, the Federal Government will be able to assess the security of its data by reviewing contractor risk management practices and adequately testing, hunting, and responding to incidents on contractor systems.”
The private sector could take a cue from this and adopt equally specific policies for third-party contractors on their networks: contractual security requirements, the right to review and test the contractor’s systems, and clear obligations for hunting and responding to incidents on those systems.
Speaking of the private sector, there’s also this:
“The Federal Government will work with the private sector to manage risks to critical infrastructure at the greatest risk. The Administration will develop a comprehensive understanding of national risk by identifying national critical functions and will mature our cybersecurity offerings and engagements to better manage those national risks. The Administration will prioritize risk-reduction activities across seven key areas: national security, energy and power, banking and finance, health and safety, communications, information technology, and transportation.”
Those are all lofty goals. What matters is the implementation, the actual details of how the American government is applying this strategy.
Cyber Incidents in the Last 12 Months
Let’s return to the Federal Information Security Modernization Act and look at the latest annual report about it, covering fiscal year 2018. According to the report, U.S. government agencies were subjected to a collective 35,277 cyber incidents in the 2017 fiscal year. In the 2018 fiscal year, that number fell to 31,107. Of the incidents recorded in 2018, there were 7,000 phishing attacks, nearly 9,700 breaches caused by errors by authorized users, and more than 8,000 incidents for which neither an attack vector nor a cause could be identified.
The government also has a new standard for what constitutes a “major” incident. Major incidents are now defined as those that either:
- “(Are) likely to result in demonstrable harm to the national security interests, foreign relations, or the economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.”
- “A breach that involves personally identifiable information that, if exfiltrated, modified, deleted, or otherwise compromised, is likely to result in demonstrable harm to the national security interests, foreign relations, or the economy of the United States, or to the public confidence, civil liberties, or public health and safety of the American people.”
Under the new definition of a major incident, the U.S. government reported none during fiscal year 2018. The “demonstrable harm” threshold is subjective, and I’m personally more than a little skeptical that a year with more than 31,000 incidents produced no major ones.
All in all, the U.S. government spent a total of $14.9 billion on federal agency cybersecurity in 2018, of which more than $8 billion was spent by the Department of Defense (DoD). To put that into perspective, the DoD had a budget of $639.1 billion in 2018. So cybersecurity is about 1.25% of the DoD’s overall budget.
According to IBM, companies should spend 9 to 14% of their overall IT budget on security. The two figures are not directly comparable: 1.25% is a share of the DoD’s total budget, whereas IBM’s range is a share of the IT budget, which is only a fraction of the total, so the DoD’s cybersecurity share of its IT spending is considerably higher than 1.25%. I don’t know what the U.S. military’s overall IT budget is, but perhaps they should spend more on cybersecurity and less on the F-35 jet.