Editor’s Note: Weekly Cybersecurity is a weekly version of POLITICO Pro’s daily Cybersecurity policy newsletter, Morning Cybersecurity. POLITICO Pro is a policy intelligence platform that combines the news you need with tools you can use to take action on the day’s biggest stories. Act on the news with POLITICO Pro.
Quick Fix
— The $750 million for SolarWinds hack cleanup in Biden’s budget proposal includes much-needed funds to help multiple departments implement basic security features.
— First in MC: Rep. Ted Lieu is introducing a bill to extend the federal vulnerability disclosure policy to federal contractors.
— Here’s what we’re expecting from the UN’s cybercrimes report after a working group came to an agreement Friday.
HAPPY TUESDAY and welcome back to Morning Cybersecurity! I’m your host, Sam Sabin. Today’s edition is brought to you by the sheer beauty that is two cats curled up like little donuts right next to me. Is there anything more beautiful than that?
Send your thoughts, feedback and — especially — tips to [email protected]. Be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.
White House
WHERE THE SOLAR DOLLARS ARE GOING — The Biden administration’s proposed $750 million SolarWinds response fund in the recent budget proposal could go a long way to helping several departments and agencies upgrade their security systems following the months-long Russian cyberespionage campaign (especially given the litany of cyber projects they’re undertaking as a part of last month’s executive order). While the broader budget proposal doesn’t shed much light on which agencies will spend the money in what ways, individual department budgets indicate a good chunk of the funding will help beef up IT staffs, implement encryption and multi-factor authentication and toughen up cloud security.
Here’s where we know the money is going so far:
— DHS: The Biden administration would give roughly $93 million of the total $750 million budget to the Department of Homeland Security for “SolarWinds breach remediation and security operation improvements.” The bulk of the funding would be for licensing upgrades and enhancing the department’s security operations, including beefing up supply chain risk management tools and the IT cyber staff, as well as providing more cloud security, encryption options and multi-factor authentication.
While much has been said about the need to bolster DHS’s CISA, the funding for DHS as a whole highlights the need to shore up its defenses. Chad Wolf, the department’s acting secretary at the time of the SolarWinds hack, confirmed in April that hackers accessed his official email account during the attack.
— DOJ: The Justice Department’s chief information officer would also get $78.8 million more to respond to the SolarWinds incident. All of the money would go towards modernizing the department’s cybersecurity efforts, although specifics beyond that aren’t mentioned in the proposal. Roughly three percent of the department’s email accounts were “potentially accessed” during the incident, DOJ said in January, and funding to modernize the department’s efforts is a new category in the proposal.
— State: The State Department would also receive $101 million from the total Cyber Reserve budget increase to respond to SolarWinds. The funding comes as the alleged SolarWinds-linked hacking group spoofed State’s USAID agency in a spear-phishing campaign, according to a Microsoft report Thursday. Similar to DHS, the funding would go towards cloud security, encryption and multi-factor authentication, as well as increased monitoring tools and the department’s Security Operations Center.
Although not solely SolarWinds-related, CISA’s six-percent budget bump could help all federal agencies, with the administration pushing to bring its total budget to $2.1 billion, and fund the new $10-million Joint Cyber Planning Office, which was established in the latest NDAA and would provide resources for agencies to help them respond to cyber incidents.
By and large, Biden’s proposal is a boon for cybersecurity, with most major cyber agencies seeing a budget increase — a stark difference from former President Donald Trump's proposal last year to cut funding to CISA, Commerce’s NIST and federal IT modernization efforts.
Vulnerabilities
FIRST IN MC: NEW VULNERABILITY DISCLOSURE BILL — Rep. Ted Lieu (D-Calif.) will introduce a bill today expanding agency requirements to maintain vulnerability disclosure policies and programs for the federal contractors who work with them, according to a statement shared first with MC. The bill would codify a requirement in Biden’s cyber executive order, signed last month, for third-party government vendors to establish a Vulnerability Disclosure Program, which allows researchers to safely report security vulnerabilities and issues.
Called the Improving Contractor Cybersecurity Act, the legislation builds on CISA’s order in September giving federal agencies six months to establish their own programs detailing how private sector actors can report possible security flaws. As CISA noted in that order, the programs will help encourage public-private partnerships, since those who report vulnerabilities often fear retaliatory legal action or that the agency won’t do anything with the information shared.
— Notably, Lieu’s bill is one of the first aimed at codifying a provision in last month’s cyber EO.
“There is no reason government contractors shouldn't also be asked to maintain vulnerability disclosure policies, given the complex web of third-party vendors on which the United States relies,” Lieu said in a statement.
The bill has support from a mix of privacy groups and former cyber officials, including the Institute for Critical Infrastructure Technology, the Electronic Privacy Information Center and Chris Painter, the State Department’s former coordinator for cyber issues during the Obama administration.
Cybercrime
A BIG OL’ CYBERCRIME AGREEMENT — The long-awaited United Nations report detailing new norms for state-sanctioned cyber activities is on its way after the 26 members adopted a final version of the report at the end of the last work session Friday. Still, little is known about what exactly will be in the treaty, despite nearly two years of debate. However, celebratory tweets and statements from officials in the United States and Japan, two of the states in the UN coalition behind the report that will inform a new international cybercrimes treaty, give us a glimpse of what to expect:
— Definitions for 11 norms for international cyberspace actions and what it means when a state implements them. Takeshi Akahori, Japan’s cyber ambassador, said in the meeting where the report was adopted that the report clarifies that states should not allow non-state actors or other states to “conduct an internationally wrongful act” or engage in acts that disrespect “human rights and fundamental freedoms both online and offline” like mass surveillance.
— The State Department’s cyber division tweeted Friday that the report will also have clarified guidance for how exactly states should respond to cyber incidents, such as through requests for assistance and attribution.
— International guidelines on shoring up supply chain security, as well as language saying states should not sponsor attacks on critical infrastructure, will also be in the report, per Akahori’s statement.
Although the State Department expressed concerns about the treaty process standing “against fundamental American freedoms” shortly after the resolution was approved in December 2019, Michele Markoff, deputy cyber coordinator at the State Department, said in a tweet Friday that the 25 countries involved were able to “come together and work for two years to produce an in-depth” consensus report “of seriousness and depth.”
— Markoff also thanked Russian official Vladimir Shin and Chinese official Wang Lei for helping “us rise above our differences.”
But don’t expect everyone to be singing its praises: Human Rights Watch warned recently that certain policies in the treaty discussion could legitimize authoritarian policies to quiet government critics and encourage privacy violations. And since the new treaty is being led by Russia, there’s a chance that certain provisions raise eyebrows, even if the United States appears supportive.
On the Hill
EXCUSE ME, CYBER WORKFORCE BILL COMING THROUGH — Reps. Ro Khanna (D-Calif.) and Nancy Mace (R-S.C.) introduced Friday the House version of the Federal Rotational Cyber Workforce Program Act, which would establish a program allowing cybersecurity professionals to rotate between civilian federal agencies to sample other jobs.
“Silicon Valley has and will continue to lead the world in creativity and scientific discovery, but we can’t rely on private investment alone to protect our cyber-infrastructure from bad actors,” Khanna said in a statement. “The federal government, America’s largest employer, must lead.”
— The House version comes after the Senate bill (S. 1097) was tucked into Senate Majority Leader Chuck Schumer’s China package, which has been stuck in lengthy partisan debates lately but is still expected to be taken up for final consideration after this week’s recess. The likely passage of the Senate version gives Khanna and Mace’s new bill a rosier outlook, depending on how the House responds to the Senate’s China deal.
TWEET OF THE DAY — Big Memorial Day mood from Cristin Goodwin, assistant general counsel focused on cybersecurity work at Microsoft: “I’d say the nice thing about working today is that I can do it in my pajamas but we do that every day now, so…”
Quick Bytes
— JBS Foods, the world’s largest beef and poultry producer, shut down production at multiple sites following a cyberattack. (Bleeping Computer)
— U.S. agencies have fended off the latest cyberespionage campaign from Russian intelligence operatives, per the White House. (The Associated Press)
— A look back at Bob Lord’s tenure as the DNC’s first chief information security officer as he prepares to leave the role. (The New York Times)
— Colonial puts TSA’s history of voluntary pipeline security guidelines into question. (The Washington Post)
— A profile of Kurtis Minder, a ransomware negotiator who works with companies hit by ransomware to respond to the hackers. (The New Yorker)
— U.S. soldiers have been inadvertently exposing nuclear weapons secrets through digital flashcard learning apps. (Bellingcat)
Chat soon.
Stay in touch with the whole team: Eric Geller ([email protected]); Bob King ([email protected]); Martin Matishak ([email protected]); Sam Sabin ([email protected]); and Heidi Vogt ([email protected]).
June 01, 2021 at 09:00PM
SolarWinds' budget impact - POLITICO - Politico