The Senate just passed The National Defense Authorization Act, or NDAA, annual defense spending bill – with key cyber provisions, but noticeably lacking a cyber incident reporting measure (following partisan disagreements).
Here are a few highlights covering cyber issues:
- The NDAA authorizes CISA’s CyberSentry program for securing industrial control systems
- An amendment would require CISA to update its IRP at least every two years
- It codifies CISA’s National Cyber Exercise program
- Requires the DOD to submit a report on how its Cybersecurity Maturity Model Certification program affects small businesses
<p>It is always interesting to see what issues make it out of committee and into law, especially one as large as the annual National Defense Authorization Act, over ¾ Trillion dollars this year. Missing from the bill is the controversial cyber incident reporting measure that would have made companies report breaches or ransomware attacks within 72 hours of discovery, and payments within 24 hours of payout, if memory serves. Some companies had issues with this, especially smaller ones that do not have a 24/7 security operations center available to them which limits their ability to respond to such incidents, much less tell the US government what is happening during incident response. Still, DHS/CISA will tell you they are the lead agency for asset response during a significant cyber event, and “operators are standing by” to potentially help companies that voluntarily call for assistance.</p>
<p>Funding for the CyberSentry program made it through to fund engagements with critical infrastructure (CI) partners to place network sensors on their IT and OT systems (Q: Doesn’t the commercial sector offer this? A: Yes. Yes, they do.). “Under the MOA between CISA and the CI partner, CISA may access all network traffic, including the content of communications, as stored within the CyberSentry stack to further analyze the origins of an alert and/or evaluate the state of the network…” There are valid reasons for CISA to help protect US critical infrastructure just as their are valid reasons for CI owners and operators to not want government sensors on their networks, as well as valid arguments from security providers that the government is giving cyber services away for free (using taxpayer money, of course). DHS does include a great deal of privacy considerations in the CyberSentry write-up. It would be helpful to also read about the tactical and strategic objectives of this program and see if rapid information sharing with all CI asset owners and operators is included, and help determine if this juice is worth the squeeze on the commercial providers. I have my apprehensions.</p>
<p>The US Federal government took steps to further the ability to respond to the ever-growing threats of the cybersecurity landscape. While there are many aspects of the latest Defense Authorization Act which provide improvements and a commitment to improving the United States Defensive capabilities there are also several missed opportunities. The addition of the apprentice program to expand the available talent, as well as the Veteran training program allows for an increased capability to bring human capital to bear in a highly trained way. (sec. 1531) The prevention of the Department Chief Information Officer from also serving as the Principal Cyber Advisor to the Department properly prevents at least that level of conflict of interest. (sec. 1532) The acknowledgement of the need to review legacy systems, software, and policies to provide improvements, replacements, or decommission represents a proper foundational approach to underlying vulnerabilities and proper hygiene. (sec. 1511)</p>
<p>For all the benefits the passage of this authorization act brings, some of the areas which would have provide greater clarity and capability fall in the continued containment of cybersecurity functions under other divisions. Just as large enterprises suffer from continuing to relegate cybersecurity functions as secondary duties of other officers within the company, so too does the government. The US government authorized the creation of a space force but has yet to create a proper division of defense focused on the largest and I argue the most critical battlefield of the 21st century, cyberspace. Each existing branch within the dept of defense is relegated to its own measures and while all branches will report to a central figure within the DOD, what of other areas of the government? Where is the dedicated focus? </p>
<p>This puts the US at a disadvantage, due to the need to accommodate various regulatory and interdepartmental needs governing information sharing and correlation of data, slowing down the ability to respond or identify trends in the attacks before being able to respond accordingly. The lack of an enforcement to update response plans more than every 2 years (sec. 1538) belies the ever evolving and speed with which attacks, and the attack surface at large, move. We should never let great be the enemy of good, and this legislation moves us significantly forward in the cybersecurity space, but we must continue to focus on additional improvements sooner rather than later, as the speed with which threats emerge dictates a vigilant focus.</p>