cyberattacks Archives | FedScoop
https://fedscoop.com/tag/cyberattacks/
FedScoop delivers up-to-the-minute breaking government tech news and is the government IT community's platform for education and collaboration through news, events, radio and TV. FedScoop engages top leaders from the White House, federal agencies, academia and the tech industry both online and in person to discuss ways technology can improve government, and to exchange best practices and identify how to achieve common goals.
Tue, 19 Sep 2023 20:40:20 +0000

Government shutdown would cause ‘terrible’ disruptions to federal cyber defenses, industry leaders say
https://fedscoop.com/government-shutdown-would-cause-terrible-disruptions-to-federal-cyber-defenses-industry-leaders-say/
Tue, 19 Sep 2023 20:40:19 +0000
Top cybersecurity execs said there would be major threats to the government’s cyber operations continuity and resource availability if a shutdown occurs.

The post Government shutdown would cause ‘terrible’ disruptions to federal cyber defenses, industry leaders say appeared first on FedScoop.

The federal government’s cybersecurity operations would be significantly diminished in the event of a government shutdown, with particular risk to continuity of operations and new-start programs critical to defending against emerging cyberattacks, multiple cybersecurity industry executives said Tuesday.

Top cyber executives from CrowdStrike, CGI Federal, Armis and Intrusion said there would be “major impacts and delays” to key government cyber projects if the government is unable to pass annual appropriations bills or reach a continuing resolution, resulting in a shutdown, which some political experts consider a realistic possibility.

“Having done this for many years I’ve lived through a couple of government shutdowns and the impacts I think really day-to-day operationally are ones of continuity and resource availability,” Stephen Zakowicz, vice president of CGI Federal, said during a House Homeland Security Cybersecurity and Infrastructure Protection Subcommittee hearing. “So what are we able to do and make progress on? And ultimately what trade-offs are cyber agencies making when they’re facing questions of what resources they have left and how are they going to keep the doors open?”

Another cyber executive testifying Tuesday, Brian Gumbel, president of cyber intelligence platform company Armis, said that “this shutdown will obviously cause delays and some cyber projects will come to a halt. The longer we delay the longer our adversaries will have a chance to get in front of us. So delays are just terrible for this nation and it’s going to cause some major impact.”

While a continuing resolution would keep the government open and operating, some cybersecurity executives highlighted that without the full funding of annual appropriations, the government would be unable to move forward with new, innovative government cybersecurity programs, leaving big gaps in the government’s defense systems. 

“The thing that hits you the hardest is the new initiatives just get stopped completely and we need a lot of innovation in cyberspace. So y’all need a way to fund during a CR especially new programs and reactive reach responses and that’s sadly lacking across the table,” said Joe Head, the chief technology officer at cybersecurity company Intrusion.

“You can’t start a new effort under a CR but you can continue an old one. And this is all new, it’s new every day with a new breach, a new zero-day, a new attack,” Head added.

During the hearing, Rep. Rob Menendez, D-N.J., asked the cyber executives about the potential negative effects and ramifications on the ability of CISA to innovate and match the current threat environment if a year-long CR that locks in last year’s spending limits is passed.

“We need to obviously match what CISA is doing in order to progress some of the changes in the systems that we’re looking to put forth, so I think it’s a big concern,” said Gumbel from Armis.

ARPA-H looks to strengthen US hospital infrastructure in face of continued cyberattacks
https://fedscoop.com/arpa-h-looks-to-strengthen-us-hospital-infrastructure-in-face-of-continued-cyberattacks/
Mon, 28 Aug 2023 19:50:18 +0000
"DIGIHEALS aims to ensure patients continue to receive care in the wake of a widespread cyberattack on a medical facility — like those that have caused hospitals to close their doors permanently," ARPA-H said in an announcement.

The Department of Health and Human Services’ cutting-edge research agency announced a new initiative to better protect the nation’s hospitals from mounting cyberattacks that can put patients’ lives at risk.

Advanced Research Projects Agency for Health (ARPA-H) last week launched its Digital Health Security (DIGIHEALS) project, looking to contract for “proven technologies developed for national security and apply them to civilian health systems, clinical care facilities, and personal health devices,” according to an agency announcement.

“DIGIHEALS aims to ensure patients continue to receive care in the wake of a widespread cyberattack on a medical facility — like those that have caused hospitals to close their doors permanently,” said an agency release.

Earlier this month, a medical system with hospitals in Connecticut, Pennsylvania, Rhode Island and Southern California was disrupted by ransomware attacks that forced it to close some facilities. The attack was the latest in a growing trend of hospitals being targeted by bad actors — a scenario that can become a matter of life and death if patients are unable to receive the care they need.

A similar “IT security incident” occurred late last year affecting hospitals in Iowa, Nebraska and Washington. That came shortly after the release of a report that found that 90% of IT professionals working in health care said their facilities suffered a cyberattack in the past year, with ransomware in particular on the rise.

ARPA-H is soliciting proposals from industry through its Scaling Health Applications Research for Everyone (SHARE) broad agency announcement that it opened earlier this month.

“The DIGIHEALS project comes when the U.S. healthcare system urgently requires rigorous cybersecurity capabilities to protect patient privacy, safety, and lives,” ARPA-H Director Dr. Renee Wegrzyn said in a statement. “Currently, off-the-shelf software tools fall short in detecting emerging cyberthreats and protecting our medical facilities, resulting in a technical gap we seek to bridge with this initiative.”

According to the BAA, the DIGIHEALS project aims to accomplish three main objectives: find and patch flaws in mission-critical hospital systems; develop novel approaches to data and analytics; and improve the resiliency of digital health technology code.

“By adapting and extending security, usability, and software assurance technologies, this digital health security effort will play a crucial role in addressing vulnerabilities in health systems,” said ARPA-H Program Manager Andrew Carney. “This project will also help us identify technical limitations of future technology deployments and contribute to the development of new innovations in digital security to better keep our health systems and patients’ information secure.”

The opportunity to submit proposals under the BAA closes Sept. 7.

Federal courts exploring breach and attack simulation for cyber threats
https://fedscoop.com/federal-courts-seek-information-on-breach-attack-simulation/
Wed, 21 Jun 2023 09:31:00 +0000
The product would be used to “identify the levels of risk that may not be readily apparent,” solicitation says.

The federal court system is looking for more information about products used to test security against breaches and attacks amid increasing cyber threats.

The Administrative Office of the U.S. Courts (AO), the arm of the federal courts that deals with non-judicial business, wants information about a product that regularly simulates threats to test cybersecurity, known as a “Breach and Attack Simulation,” according to a request for information posted online.

The AO is looking for a product that “will enable continuous and consistent testing of multiple attack vectors against the Courts’ assets, including external and insider threats, lateral movement, and data exfiltration,” the solicitation said.

The courts’ Information Technology Security Office would use a Breach and Attack Simulation product to “identify the levels of risk that may not be readily apparent,” the solicitation said. 

The judiciary, like other federal entities, has been the subject of cyberattacks in recent years, and those attempts are expected to become more acute. 

In its fiscal year 2024 budget request, the judiciary disclosed its cyber-defenses halted “approximately 600 million harmful events from reaching court local area networks in 2022.” It previously reported those defenses stopped 43 million “harmful events” in 2020. 

The judiciary, in the most recent budget request, said it expected cyberattacks to “continue to intensify as hackers become increasingly proficient.”

The Administrative Office didn’t immediately have more details on the solicitation.

Big boosts to cybersecurity and tech funding in $1.7T omnibus bill signed by Biden
https://fedscoop.com/big-boosts-to-cybersecurity-and-tech-funding-in-1-7t-omnibus-bill-signed-by-biden/
Fri, 30 Dec 2022 19:08:46 +0000
The bipartisan omnibus spending agreement for fiscal year 2023 includes $2.9 billion for the Cybersecurity and Infrastructure Security Agency.

The $1.7 trillion omnibus government spending package signed by President Joe Biden on Thursday includes significant boosts in federal government funding for cybersecurity as well as science and technology programs.

The bipartisan fiscal 2023 omnibus spending agreement includes $2.9 billion for the Cybersecurity and Infrastructure Security Agency (CISA), a $313 million increase over its current budget as well as $1.6 billion for the National Institute of Standards and Technology (NIST), an increase of $397 million for the agency.

Cybersecurity

The spending package includes $1.3 billion for CISA’s cybersecurity programs, which represents a year-on-year increase of $230 million, although the bill also includes unusual language that would fine the agency $50,000 for every day it is delayed on quarterly congressional briefings.

CISA is a year late submitting its organizational planning, staffing and budgeting document to Congress, known as a “force structure assessment.”

If Congress doesn’t have the document to evaluate budgeting for CISA soon, it could impact the agency’s funding, Rep. Jim Langevin, D-R.I., told CyberScoop earlier this month.

The omnibus also includes $200 million for the Department of Energy’s Cybersecurity, Energy Security, and Emergency Response (CESER) office and will allocate $100 million in funding for the Treasury Department’s Cybersecurity Enhancement Account, $20 million more than last year.

The spending package also targets cybercrime from foreign adversaries in particular by allocating $50 million to tackle cybersecurity threats emanating from Russia and other adversaries as well as $422 million for the Office of Personnel Management (OPM) to address cybersecurity and hiring initiatives. The bill includes a provision requiring the Federal Trade Commission (FTC) to collect and report on international cyberattacks committed by foreign actors, with a specific focus on those from China, Iran, North Korea and Russia, according to a Senate Republican summary of the bill.

The omnibus also provides $22 million for the White House Office of the National Cyber Director, the first time the new office will receive resources through an appropriations bill. The office is expected to issue a new national cyber strategy in 2023, as well as a cybersecurity workforce, training and education plan.

Science and Technology

Congress passed the Creating Helpful Incentives to Produce Semiconductors (CHIPS) and Science Act in August to boost domestic semiconductor manufacturing and help the U.S. compete with China in the development of cutting edge technologies.

The omnibus spending package fell short of providing the maximum funding authorized under the CHIPS Act but nevertheless authorized large funding increases for NIST, the National Science Foundation (NSF), and the Department of Energy’s (DOE) Office of Science.

NIST’s $1.6 billion allocated includes $953 million for scientific and technical research and up to $462 million for the construction of new research facilities. 

NIST’s Manufacturing Extension Partnership Program was also allocated $175 million, an increase of $17 million, while an additional $4 million has been set aside to establish a NIST center of excellence to develop standards for measuring climate change and its effects on the country.

SolarWinds agrees to pay $26M to settle shareholder lawsuit over 2020 cyberattack
https://fedscoop.com/solarwinds-agrees-to-pay-26m-to-settle-shareholder-lawsuit-over-2020-cyberattack/
Mon, 07 Nov 2022 23:55:27 +0000
The company also warned that the SEC has made a preliminary decision to take action against the company over the breach.

IT software giant SolarWinds has agreed to pay $26 million to settle a securities class action lawsuit filed by shareholders over the cyberattack on the company’s Orion software platform and internal systems that was discovered in late 2020.

The technology giant disclosed the settlement in a regulatory filing on Nov. 3 and also warned it has received notice from the Securities and Exchange Commission that the regulator has made a preliminary decision to file an enforcement action against the company over the cyber breach.

“SEC staff has made a preliminary determination to recommend that the SEC file an enforcement action against the Company alleging violations of certain provisions of the U.S. federal securities laws with respect to its cybersecurity disclosures and public statements, as well as its internal controls and disclosure controls and procedures,” SolarWinds disclosed in its 8-K filing. 

During the breach, which was disclosed in late 2020, suspected Russia-backed hackers used routine software updates to add malicious code into the company’s Orion software product, which was used as a vehicle for a major cyberattack launched against private and public sector entities.

At least eight federal government agencies had systems compromised as a result of the attack.

As part of the settlement, the software maker did not acknowledge any wrongdoing and alleged they were misled about its security apparatus in advance of the attack. The sum will be paid by the company’s insurers who authorized and approved the sum, according to an 8-K filing with the US Securities and Exchange Commission.

“The settlement, if approved, would require the Company to pay $26 million to fund claims submitted by class members, the legal fees of plaintiffs’ counsel and the costs of administering the settlement,” the company said in its 8-K filing.

The SolarWinds attack took place over the course of almost nine months and affected roughly 18,000 entities in total.

The cyberattack occurred because SolarWinds, an IT company that runs network management systems for thousands of clients, was infiltrated through the company’s Orion software updates distributing malware to its customers’ computers.

In early 2021, SolarWinds stockholders sued the company after the stock tanked from news of the supply chain attack on SolarWinds’s software, which was first publicly reported in December 2020. In the second half of 2021 the company asked a US federal judge to throw out the lawsuit, claiming that it was “the victim of the most sophisticated cyberattack in history,” and described the legal arguments of certain shareholders as a way to “convert this sophisticated cyber-crime” into an unfair and unrelated securities fraud lawsuit.

As a result of the Wells notice, the SEC could force the company to stop engaging in future violations of the federal securities laws subject to the action, and impose civil monetary penalties and other equitable relief within the agency’s authority.

It remains unclear if or when the SEC will take enforcement action and what the potential consequences of this could be for SolarWinds.

Sen. Warner criticizes HHS and CISA for lack of coordination on cybersecurity, pushes for new cyber exec
https://fedscoop.com/sen-warner-criticizes-hhs-and-cisa-for-lack-of-coordination-on-cybersecurity-pushes-for-new-cyber-exec/
Sat, 05 Nov 2022 01:13:20 +0000
In a policy options paper published Thursday, Warner called on both agencies to provide more timely health care sector-specific cybersecurity guidance.

Senator Mark Warner, D-VA, Thursday criticized the Department of Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA) for lack of coordination on cybersecurity in the past two years, during a period when cyberattacks on the health care sector have skyrocketed.

In a policy options paper published Thursday, Warner called on the agencies to provide more timely health care sector-specific cybersecurity guidance. The lawmaker also advocated for the appointment of a new cybersecurity czar at HHS, who would report directly to the Secretary of Health.

In 2021, cybersecurity attacks on health care providers reached an all-time high, with one study indicating that more than 45 million people were affected by such attacks in 2021 – a 32 percent increase over 2020.

“Staff has heard from industry experts about a lack of coordination between HHS (as the SRMA) and CISA, the U.S. government’s lead on ensuring cybersecurity integrity in commercial and infrastructure networks,” Warner’s policy paper stated. “Stakeholders have shared no matter who is in charge, so to speak, they would welcome increased timely, actionable, health care-specific cybersecurity guidance.”

The white paper also said different agencies within HHS, which includes agencies like the Centers for Medicare and Medicaid Services and the Food and Drug Administration (FDA), have varying degrees of experience and prioritization when it comes to tackling cybersecurity challenges.

The policy paper says that the health care sector is particularly vulnerable to cyberattacks due to its reliance on legacy technologies and software, a wide and highly varied attack surface, a high-pressure environment, funding constraints, and an old model of thinking that doesn’t view cybersecurity as a primary concern. 

Personal health information is also more valuable on the black market than other sensitive data like credit card information, as hackers can sell stolen medical records for anywhere from $10 to $1,000 per record, the paper highlights. The healthcare industry has therefore seen the highest cost per breach of any industry, according to IBM’s annual Cost of a Data Breach report.

In order to reduce cyberattacks on the industry and increase vigilance, Warner’s white paper strongly pushes for HHS to create a new senior leader within the agency who reports directly to the Secretary of Health and Human Services to lead the Department’s work on and “be accountable for cybersecurity,” the paper says.

“The person in this role should be empowered—both operationally and politically—to ensure HHS speaks with one voice regarding cybersecurity in health care, including expectations of external stakeholders and the government’s role. This person should also work to effectively partner with other agencies to further these goals and advocate for HHS having the resources it needs to be successful,” the policy paper states.

Sen. Warner’s staff declined to comment when asked for more information about the timing of his strong criticism of HHS and further details on lack of coordination with HHS.

HHS did not respond to a request for comment at the time of publication.

Government cyber experts feel they lack resources for breach response, finds (ISC)² survey
https://fedscoop.com/survey-finds-most-government-cyber-experts-feel-they-lack-resources-for-breach-response/
Wed, 26 Oct 2022 23:11:42 +0000
Respondents from government and military expressed uncertainty over their organization's breach response capabilities.

Just 42% of government cybersecurity professionals feel they have the necessary tools and staff to respond to cyber incidents in the next two to three years, according to a survey by nonprofit (ISC)².

U.S. government and military were among five industry categories from which survey respondents were least likely to express confidence about their organization’s ability to respond to potential cyber incidents.

The findings were outlined in a cybersecurity workforce study commissioned earlier this year by (ISC)², which surveyed over 11,000 cybersecurity professionals. (ISC)² is a major nonprofit association for certified cybersecurity professionals.

Of the cybersecurity professionals surveyed, 61% said their primary concern in the next two years is the potential risks of emerging technologies like blockchain, AI, VR, quantum computing, and keeping up with changing government regulatory requirements.  

According to the survey, 70% of respondents reported that their respective organizations don’t have enough cyber employees, and data from the study also revealed the need for 3.4 million more cyber workers globally to secure digital assets effectively.  

More than half of the survey respondents with cyber workforce shortages said that staff deficits put their organization at a “moderate” or “extreme” risk of a cyberattack. 

“As a result of geopolitical tensions and macroeconomic instability, alongside high-profile data breaches and growing physical security challenges, there is a greater focus on cybersecurity and increasing demand for professionals within the field,” said Clar Rosso, CEO of (ISC)².

“The study shows us that retaining and attracting strong talent is more important than ever. Professionals are saying loud and clear that corporate culture, experience, training and education investment and mentorship are paramount to keeping your team motivated, engaged and effective.”

The survey also showed that while 75% of cyber professionals report strong job satisfaction and passion about their work, over 70% still feel overworked, and a quarter of respondents below age 30 consider “gatekeeping and generational tensions” a top-five challenge for them in the next two years.

When it comes to diversity, equity and inclusion within the cybersecurity landscape, the survey showed that 55% of cyber employees believe diversity will increase among their teams within two years, but 30% of female and 18% of non-white cyber employees currently feel discriminated against at work.

Coast Guard needs to improve its cyber workforce says watchdog
https://fedscoop.com/coast-guard-needs-to-improve-its-cyber-workforce-says-watchdog/
Wed, 28 Sep 2022 17:49:41 +0000
The GAO calls on the service to adopt six key recommendations to improve the ability of its staff to respond to cyberattacks.

The Government Accountability Office has called on the U.S. Coast Guard to improve its cyber workforce and set out six key recommendations the service should follow in order to do so.

The recommendations include adopting measures to better determine staff needs and establishing a strategic workforce plan for cyber.

GAO’s assessment comes after the Coast Guard over the last two years has been hit with multiple cyberattacks and struggled to recruit and retain its critical cyber workforce. The recommendations were included in a new report published on Tuesday.

The Department of Homeland Security, which is the parent agency under which the Coast Guard operates, concurred with the GAO recommendations. 

“Like other federal agencies, the Coast Guard is increasingly dependent upon its cyberspace workforce to maintain and protect its information systems and data from threats. In recent years, its networks and information have been exploited and maritime critical infrastructure have experienced cyberattacks,” the GAO report titled ‘Workforce Planning Actions Needed to Address Growing Cyberspace Mission Demands’ said.

“These events have reinforced the importance of the Coast Guard’s cyber capabilities and the workforce who operate and maintain them,” the GAO report added.

The GAO’s three primary recruitment recommendations to the Coast Guard were: to create a strategic direction; to conduct supply, demand, and gap analyses; and to monitor the plan’s progress to address all cyberspace competency and staffing needs.

In 2015, the Coast Guard established a cyberspace team to protect the U.S. marine transportation system from online and telecommunications threats. The GAO found that the team needs improvement, given the cyberattacks that have occurred and data breaches costing hundreds of millions of dollars in total.

Last year the Coast Guard announced a Cyber Strategic Outlook to build more cyber teams to focus on the cybersecurity of maritime critical infrastructure from attacks after a rash of hacks and ransomware incidents that shut down key services.

The Coast Guard, a military service, is uniquely housed under DHS, giving it law enforcement authority and relationships with other DHS agencies like the Cybersecurity and Infrastructure Security Agency (CISA). The service has sought to modernize its legacy IT since 2020. 

CISA seeks public comment on upcoming major cyber incident reporting regulations
https://fedscoop.com/cisa-asks-for-public-comment-on-upcoming-major-cyber-incident-reporting-regulations/
Mon, 12 Sep 2022 17:28:48 +0000
Industry will have until Nov. 14 to comment on the Cyber Incident Reporting for Critical Infrastructure Act of 2022.

The Cybersecurity and Infrastructure Security Agency (CISA) on Monday issued a request for public input on proposed regulations that are expected to shake up how the private sector and public agencies respond to major cyberattacks.

The public will have until Nov. 14 to comment on the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which directs CISA to oversee implementation of regulations that require relevant entities to provide the agency with detailed reports about cyber incidents and ransom payments they may face.

CISA Director Jen Easterly said last week that the agency would move forward with seeking industry feedback and implementing CIRCIA. Speaking at the Billington Cybersecurity Summit in Washington, she said: “This will finally allow us a much better understanding what’s going on across the ecosystem … [W]e don’t want to burden industry and we don’t want to burden the federal government with noise either.”

Easterly added that after the request for information is issued, she also intends to host several listening sessions with industry to ensure the rule-making process is “consultative.”

CISA’s request for input comes after President Biden in March signed key legislation requiring critical infrastructure owners and operators to report major cyberattacks to CISA within 72 hours and ransomware attacks within 24 hours.

The enactment of CIRCIA regulations would allow CISA, in conjunction with other federal partners, to more rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends, and understand how malicious cyber actors are perpetrating their attacks.

In its request for public comment CISA said it is particularly interested in feedback on its definitions of the terminology to be used in the proposed regulations, the manner in which reports will be required to be submitted under CIRCIA, and other incident reporting requirements including the requirement to report a description of the vulnerabilities exploited.

Cybersecurity skills shortage has led to a talent war between agencies says Commerce CIO
https://fedscoop.com/cybersecurity-skills-shortage-has-pushed-federal-agencies-to-poach-staff-from-one-another-says-commerce-cio/
Thu, 25 Aug 2022 00:28:43 +0000
"It's a very, very tough situation with cybersecurity hiring. It's extremely difficult getting the right people with the right skills right now."

The Commerce Department has been forced to poach cybersecurity employees from other agencies in the federal government, the agency’s CIO André Mendes said.

“We’re basically hiring people from one federal agency to another. We’re stealing people from each other, that’s what it’s come down to,” Mendes told FedScoop.

“It’s a very, very tough situation with cybersecurity hiring. It’s extremely difficult getting the right people with the right skills right now,” said Mendes who spoke at the FedTalks tech conference on Wednesday, hosted by FedScoop.

The hiring challenges are likely due to a tight labor market and a severe shortage of skilled cyber engineers and analysts.

According to cybersecurity recruitment website CyberSeek, which is funded by the Commerce Department, there are currently 714,548 open cybersecurity jobs nationwide, which includes positions in the public and private sector. 

In the public sector or the government, the website estimates there are almost 39,000 vacant cyber jobs and 69,322 cybersecurity experts currently employed.

There has been a huge surge in cybersecurity job openings in the past year, following a series of massive attacks in the last two years on the computer systems of the federal government, the Colonial Pipeline, and the meat producer JBS that have brought mainstream awareness to the need for increased cybersecurity within the government and the private sector.

Alongside difficulties hiring cybersecurity experts, Mendes also said the federal government has struggled with holding its tech vendors and contractors accountable for cybersecurity flaws and issues.

“All federal agencies have to hold their vendors accountable in terms of susceptibilities. So that when you sell a product to the federal government, you have to give some assurances that the product performs as indicated, and does not unduly expose you to cybersecurity attacks because of flaws that are inherent in its scope,” Mendes said.

The President’s National Security Telecommunications Advisory Committee (NSTAC) on Tuesday put forward proposals that would require all executive civilian branch agencies to monitor operational technology systems in real-time.

Mendes said the presidential proposals would help improve cybersecurity but would receive strong pushback from the tech industry and IT vendors.

“The administration has just started with the process and there will be an enormous amount of lobbying against it by vendors trying to minimize its effect. Vendors will do their best to minimize their exposure to change because they don’t want to have the accountability, they haven’t had accountability in the past, so why should they have it now? But the reality is that in the current environment, we can’t afford not to have accountability,” Mendes said.

Shortly after becoming the Commerce Department CIO in 2020, Mendes said that he would like to see greater accountability within the federal government regarding agency IT budgets due to “black hole” spending related to regulatory frameworks or modernization.

Mendes said he has worked in the past few years to use his almost $4.0 billion a year budget in a more efficient manner with less spending on IT tools and resources.

“We can show definite cost avoidance to a large degree by virtue of more collaboration within the agency in the past couple of years,” Mendes said.

“We’re leveraging those dollars elsewhere, where they’re more driven towards the mission of the Commerce bureaus and official business and less towards IT infrastructure,” he added.

Commerce spends approximately 30% of its budget on IT driven by heavy users like the National Oceanic and Atmospheric Administration, National Institute of Standards and Technology, U.S. Patent and Trademark Office, and Census Bureau. 

Mendes, however, drove the International Trade Administration, where he served previously as CIO, to spend only 10% of its budget on IT because of its cloud-first environments and abstraction layers. 

This allowed the agency to automate more processes and freed up employees for work more tied to mission areas like tariffs.
