Cybersecurity has been an issue in the US federal government at least as far back as 1983, when President Ronald Reagan saw the movie “War Games” and asked his national security team, “Can someone really do that?” The answer had been something like “Yes, sort of…” which led an increased emphasis on computer security at the federal level.
In 1993, President Bill Clinton convened a panel of industry security experts, who warned him of serious risks if the federal government did not get more serious about cyberthreats. Many initiatives and policies followed. They were all well-intended but perhaps not as effective as anyone would have wanted.
The deficiency of the federal government’s cyber programs has been on display ever since. A seemingly nonstop series of cyber disasters has beset the federal government. These range from the data breach at the Office of Personnel Management (OPM) in 2015 to the theft of secret submarine codes in 2018 and untold other brazen attacks.
Certainly, this last year has seen some incredible cyber lapses, including the SolarWinds hack, which effectively exposed every system in the federal government to unauthorized access and unknown tampering. It could take years to sort out what actually happened and determine if the damage can ever truly be remediated.
Critical infrastructure has also been revealed to be highly exposed, with the ransomware attack on the Colonial Pipeline demonstrating just how easy it is for foreign criminal gangs to wreak havoc on American life. Foreign hackers also shut down a major beef processor, showing in the space of one month that foreign adversaries can switch of the US fuel and food supplies at will.
The Biden administration is responding on multiple fronts. The president’s proposed $2 trillion infrastructure spending bill includes funding for upgrading the infrastructure resilience of the nation’s electrical grid, dealing with supply chain vulnerabilities—the root cause of the SolarWinds attack—and supporting research on artificial intelligence (AI) and quantum computing. The administration is also moving to treat ransomware attacks with the same law enforcement authority as terrorism. Biden has further asked Congress for $9.8 billion for federal agencies to use in improving their cybersecurity.
All of this comes on top of congressional movement to realize the recommendations of the 2020 Cyberspace Solarium Commission report. This respected report, which came from months of dialogues with the cyber industry’s best minds, contains more than 80 recommendations to make the country, not just the government, safer from cyber risk.
The US federal government’s cybersecurity
Disasters notwithstanding, it would be unfair to say that the federal government has been taking no action to combat cyber threats. The struggles the US faces in cyber are not for a lack of trying. The difficulty seems to be one of speed and agility. The government can only move so quickly. The bad guys, in contrast, can pivot very rapidly from one threat vector to another.
Indeed, the US federal government employs thousands of people in cybersecurity roles, across multiple departments, the military and the intelligence sector. These are highly trained professionals are motivated and sworn to defend the United States against all enemies. They are working to mitigate the massive cyber risks this society faces. Government entities, standards bodies and private companies are involved in the effort. There are laws and policies similarly aimed at reducing cyber risk. The following present some of the highlights.
The federal government works at cyber defense across a variety of agencies. The National Security Agency (NSA) is among the most prominent, but least well understood. They are involved in intercepting foreign cyberattacks while also engaging in offense cyber programs against our enemies. The NSA has been criticized for keeping cyber vulnerabilities secret so they can use them to attack others—but leaving American computers exposed.
They are starting to change this practice. In early 2020, for example, the agency made headlines for notifying Microsoft of a vulnerability in Windows 10, rather than holding the vulnerability back for their own purposes. The NSA discovery also triggered an emergency notification by The Cybersecurity and Infrastructure Security Agency (CISA), to federal agencies to remediate the Windows problem as quickly as possible—a good example of how federal cyber defense can work when everyone is doing their jobs.
CISA, which is part of the Department of Homeland Security (DHS), functions as the main cyber risk advisor to the United States. They focus primarily on securing federal network and digital critical infrastructure, like power plants and dams, but the CISA also finds itself in the lead on many other national cybersecurity efforts. CISA is a new agency, formed in 2018 through the Cybersecurity and Infrastructure Security Agency Act of 2018, which was signed by President Trump. CISA is a continuation of several predecessor agencies, some of which were already operating inside DHS.
The CISA does not work alone. Rather, it has many partners across the government as well as in private industry and the non-profit sector. The agency works closely with industry groups that coordinate security and policies in the electrical power sector, nuclear plants, chemical plants and so forth. This includes the North American Electric Reliability Corporation (NERC). This organization’s Critical Infrastructure Protection Standards (NERC-CIP) form the core of countermeasures to protect the American electrical grid.
CISA departments include the National Risk Management Center (NRMC), which is a planning, analysis, and collaboration center for identifying and addressing critical infrastructure risks. They also run the Emergency Communications Division and the United States Computer Emergency Readiness Teams (US-CERT), which responds to cyber incidents.
One CISA program that’s drawing praise from industry experts is Continuous Diagnostics and Mitigation (CDM). CDM, which was commissioned by Congress, offers a dynamic approach to fortifying the cybersecurity of government networks and systems. It provides federal departments and agencies with capabilities and tools to conduct automated, on-going assessments.
CISA is just one agency. Each federal agency is responsible for establishing cybersecurity standards for itself and entities it works with through the Federal Information Security Management Act of 2002 (FISMA). This process can be uneven, as GAO reporting has revealed. Then, industry-specific laws that address cybersecurity each have their own agency oversight. The HIPAA law that covers healthcare privacy and cybersecurity is run out of the Department of Health and Human Services (HHS). The Gramm-Leach-Bliley Act, which deals with financial institutions and customer privacy, is managed by the Federal Trade Commission (FTC).
Private corporations receive little or no federal cyber protection. With critical infrastructure companies like power utilities, CISA provides extensive coordination, threat sharing and guidance. For companies outside of critical infrastructure, businesses are entirely self-reliant for cyber defense. This makes sense, because the government cannot possibly protect every American corporation. However, it’s extremely difficult for regular companies to fend off nation state actors.
The US Cyber Command
The United States Cyber Command (USCYBERCOM) is one of the Department of Defense’s (DoD’s) eleven unified commands. Its mandate includes strengthening DoD cyberspace capabilities and supporting both defensive and offensive cyber operations. It was created in 2009, originally as part of the NSA. Their mission statement reads, “USCYBERCOM plans, coordinates, integrates, synchronizes and conducts activities to: direct the operations and defense of specified Department of Defense information networks and; prepare to, and when directed, conduct full spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries.”
USCYBERCOM is not the only entity in the US military working on cyber defense and offense. Each branch of the service has its own CISO and cyber operations. USCYBERCOM may play a coordinating role in the work of these other groups. USCYBERCOM is quite small, however, when viewed in the context of the overall US military.
Laws and standards
Several federal regulations cover cybersecurity. These include HIPPA and Gramm-Leach-Bliley. The most prominent of them, however, is FISMA, which was originally part of the Homeland Security Act of 2002. FISMA “requires the development and implementation of mandatory policies, principles, standards, and guidelines on information security” for government agencies. Any company or public sector entity deals with the federal government must adhere to FISMA.
Like most federal regulations, FISMA is at once complex, sprawling and vague. The specific standards used for FISMA are determined by the National Institute of Standards (NIST). NIST has published various standards and frameworks to enable FISMA compliance. There are dozens of NIST standards and specialized specifications for data security, encryption and so forth. The essence of FISMA is that it binds all federal agencies to the same standard for cybersecurity. It assigns responsibility for cybersecurity to agency heads and provides accountability through certifications and audits.
However, as GAO reporting has shown, individual agencies may not be doing all they can to stay secure. Critics point out that the FISMA methodology emphasizes planning over the measurement of actual security. Most government security experts feel FISMA has helped the federal government get more secure, but worry that it can risk becoming a checklist rather than a driver of serious security improvement. Observers have also noted that these laws do not cover companies that are critical to the Internet, such as Internet Service Providers, software makers and so forth.
As progress is made in some areas, other parts of the government are clearly lagging. For example, the Office of Personnel Management (OPM) has still not fully addressed the cybersecurity weaknesses that led to the attack. A 2019 audit found “material weaknesses,” in the OPM’s the agency’s information systems control environment.
For example, as reported in Federal News Network, The Inspector General reported that “OPM didn’t have a system in place to identify and generate a complete and accurate listing of contractors and their employment status. Additionally, the IG found OPM didn’t appropriately provision and de-provision users’ access to the network based on their work status.” These are exactly the kind of control breakdowns that enable hackers to penetrate networks.
The government and private industry have gotten a lot better at sharing threat intelligence in recent years. There are now many Information Sharing and Analysis Centers (ISACs) across the US. ISACs are in the business of sharing relevant threat information with interested parties. For instance, if a company in the financial industry discovers a piece of malware, it can share its “signature,” or identifying characteristics with ISACs in the electrical power grid sector and so on. This sharing enables better protection all around.
Cybersecurity employment in the federal government
The US federal government either does not know, or will not disclose, just how many of its employees work in cybersecurity. The number is surely in the tens, if not hundreds of thousands, however. The federal government is likely the world’s largest employer of cybersecurity personnel.
Each federal agency has its own internal security team. Agencies like CISA, the National Security Agency and the FBI have dedicated cybersecurity personnel. Many of the jobs require security clearances. Each branch of the military has its own substantial cyber operations—spanning intelligence, offensive and defensive cyber war. With the recent push for increased cybersecurity action and regulation, it’s a good time to be preparing for a career in cybersecurity with the federal government.