FY2019 Budget Sees Cyber Funding Boost, Research Cuts. President Trump’s recently revealed budget for fiscal year 2019 increases #cybersecurity funding across the government, but also includes significant cuts in funding for #cyber #research.


Trump’s 2019 Budget Boosts Cyber Spending but Cuts Research

Nextgov | By Joseph Marks

President Donald Trump’s 2019 fiscal year budget request boosts cybersecurity funding by about 4 percent across the government, including significant hikes at the Homeland Security Department and Pentagon.

The overall increase includes even larger cyber funding spikes at key agencies, including a 23 percent jump at the Energy Department, a 33 percent jump at the Nuclear Regulatory Commission and a 16 percent hike at the Veterans Affairs Department. The budget, however, includes a massive cut of 18 percent to the government’s main cyber standards organization, the National Institute of Standards and Technology. That cut comes as NIST is working on an update to its cybersecurity framework, which is now mandatory for all federal agencies.

The budget also marks a major shift for cyber research and development funding inside the Homeland Security Department. Cyber research was formerly housed primarily in the department’s Science and Technology Directorate. Going forward, that funding, which totals $41 million in the president’s budget request, will be inside the cyber and infrastructure protection division—called the National Protection and Programs Directorate, or NPPD. The move is another blow for the Science and Technology Directorate, which has faced significant budget cuts since the start of the Trump administration.

The shift was made so “operators on the ground have influence over research and development,” a senior administration official said during a press call. The cyber and infrastructure protection division will work closely with the science and technology division on research priorities, the official said.The budget also calls for a small spike in government-wide information technology spending.

The president’s budget request is as much an ideological document as a budgeting one. The request lays out the executive branches’ funding priorities, but those numbers are only a rough starting point when Congress begins its own budgeting process and they’re often ignored entirely. Funding Hikes at Homeland Security and Defense, Homeland Security cyber spending overall will stay roughly flat at about $1.72 billion.

The cyber division of the department’s cyber and infrastructure protection wing, however, will get a 7 percent spike from $665 million in the 2018 fiscal year to $712 million this year.

In addition to protecting federal civilian government computer networks, that division is also helping states secure their election systems against cyberattacks.

The budget includes $238 million for Homeland Security’s continuous diagnostics and mitigation program, which delivers a suite of cybersecurity tools to federal agencies and will eventually track federal computer systems on a government-wide dashboard. That’s down from $279 million in last year’s request.

The budget commits $407 million for a government-wide intrusion detection program called Einstein. That’s up from $397 million in last year’s request.

At the Pentagon, total cyber funding jumps to $8.5 billion in this year’s request, a 4.2 percent hike over the prior year.

That jump comes as U.S. Cyber Command, which was elevated last year to a unified combatant command, is in the process of reaching full operational capability.

The budget released Monday also:

  • Includes $8 million for the White House Office of Management and Budget’s cybersecurity oversight responsibilities, down from $19 million last year.
  • Includes $25 million for a cybersecurity enhancements account at the Treasury Department, which will help upgrade high-value Treasury computer systems that rely on outdated technology. The fund will also help the department respond more nimbly to cyber incidents. Overall cyber funding at Treasury will drop from about $529 million last year to $500 this year.
  • Raises funding for the Justice Department’s national security division, which prosecutes cyber crimes, from $95 million to $101 million. Overall Justice Department cyber funding is at $721 million, up from $704 million last year but down from $735 during the final year of the Obama administration.
  • Includes $10 million for cyber upgrades at the Transportation Department.
  • Hikes Veterans Affairs Department cyber funding 16 percent from $360 million last year to $418 million this year.
  • Raises cyber funding at the Office of Personnel Management 18 percent, from about $39 million to about $46 million.
  • Hikes Nuclear Regulatory Commission cyber funding 33 percent, from about $24 million to about $32 million.

Hikes Energy Department cyber funding 23 percent, from about $379 million to about $465 million.

DHS: More Fed Cyber Services Could Be Outsourced

Barry West, the Department of Homeland Security’s senior accountable official for risk management, believes that federal agencies may pursue outsourced cyber security services from contractors more frequently, due to the ongoing global shortage of and competition for cyber talent.

Government Could Shift to Security-as-a-Service, DHS’s West Says
Fedscoop | By Carten Cordell

With cyber talent in high demand, Barry West said Thursday that the government may soon to lean more heavily on the private sector for cyber security help.

West, the Department of Homeland Security’s senior accountable official for risk management, said that an ongoing global shortage of cyber talent could soon push agencies to more frequently pursue outsourced cyber security services from contractors rather than try to compete with the private sector.

“When I look at a visionary view of cyber, I think this is really where we are headed,” he said at ATARC’s Federal CISO Summit. “This would have been far-fetched probably five years ago, saying you were going to have a private sector company perform your security.”

West pointed to research from Gartner that predicted that there would be a global cyber shortfall of 1.8 million by 2022 — with the federal government struggling to compete with the private sector for talent, it may be more beneficial for agencies to contract for it, he said.

“This isn’t to say that there’s not going to be government oversight; there’s still not going to be a [chief information security officer] in charge,” he said, “but I really think we are headed for a model where we are going to see security-as-a-service and you are going to see [security operations center, or SOCs] as a service.”

West added that DHS is already in talks to consolidate 12 to 13 “disparate SOCs” — which help monitor cyber security posture from across the agency’s networks — saying that it is a key priority for Secretary of Homeland Security Kirstjen Nielsen.

“She really wants to see that happen,” he said. “It really shows when you have a major incident — when we had the WannaCry incident last year, it became real clear some of the disorganization we had around reporting.”

Consolidation would precede SOC-as-a-service, West said, with DHS beginning to merge SOC operations in the National Capital Region.

“I think it’s the way we’re headed. I think you will hear more of the SOC consolidation at DHS next year. That’s going to be a big focus for us,” he said.

After that, West said, DHS would likely craft some prototypes to test the SOC-as-a-service model over the next three to four years.

“I think we have to start thinking about it now and planning, but I think it’s the way of the future,” he said.

Third Largest County in U.S. Almost Lost $888K in Phishing Attack

Back in September 2017, a cybercriminal exploited Hurricane Harvey repair and rebuild efforts in the Houston area to dupe Harris County, the third largest county in the U.S., into releasing $888,000. While the county managed to recoup the payment, they plan on hiring a cyber security firm to review their internal policies and security controls, as increasingly sophisticated attacks from all over continue to target local governments.

Phishing Attackers Almost Steal $888K from Harris County, Texas, Prompting Cyber security Review
Government Technology | By Mihir Zaveri

On Sept. 21, not three weeks after Houston was ravaged by Hurricane Harvey, the Harris County auditor’s office received an email from someone named Fiona Chambers who presented herself as an accountant with D&W Contractors, Inc.

The contractor was repairing a Harvey-damaged parking lot, cleaning up debris and building a road for the county, and wanted to be paid. Chambers asked if the county could deposit $888,000 into the contractor’s new bank account.

“If we can get the form and voided check back to you today would it be updated in time for our payment?” read a Sept. 25 email from Chambers.

On Oct. 12, Harris County sent the money out. The next day, the county quietly was scrambling to get it back, after being alerted that the account did not belong to D&W, that Chambers did not exist and that county employees had been duped by a fraudster.

The county recouped the payment, but the ongoing investigation into who tried to take the county’s money and nearly got away with it has ignited a debate over the financial security and cyber security of the third-largest county in America. That debate comes as experts point to a growing number of increasingly sophisticated attackers from around the world, homing in on untrained employees or system vulnerabilities.

The incident now has become wrapped into an FBI investigation into a group that has attempted to extort local governments around the world, law enforcement officials said.

Meanwhile, some officials are moving to revamp their practices as others say further scrutiny of county defenses is necessary.

“We live in a rapidly changing world of technology that you can’t just sit pat and expect that the bad guys aren’t going to come after you,” Harris County Judge Ed Emmett said. “I think we need to look at all of our systems to be sure that somebody can’t get in and steal taxpayer money.”

The investigation into the incident comes as the cyber security of local governments has received increased scrutiny after reports in 2016 of Russian-sponsored attempts to hack campaign finance databases and software used by poll workers.

Harris County information technology officials last year acknowledged a “spike” in attempts to hack servers from outside of America’s borders, but, citing concerns over emboldening the hackers, they declined to say how big of a surge in hacking attempts the county was experiencing, whether it was election-related or which systems had been targeted.

Alan Shark, executive director and CEO of the Washington, D.C.-based Public Technology Institute, which partners with the National Association of Counties, said the attempt to steal money from Harris County was not typical, but local governments increasingly are becoming targets for hackers or other cyber criminals.

Shark said statistics to illustrate the trends specific to governments are hard to find, though he said they “mirror” those of the private sector. One firm estimates that by 2021, cybercrime will cost the world $6 trillion each year, up from $3 trillion in 2015.

“This is not somebody sitting in a college dorm somewhere, dreaming this up,” Shark said. “In most cases these are very sophisticated, more often happening from another nation or another country.”

Shark said local governments are particularly vulnerable after disasters.

Harris County Precinct 1 Constable Alan Rosen said his office has “worked the case as far as you can go,” and said that no county employee had been implicated.

“We’re working with the FBI because there have been multiple attempts by this group throughout the United States and abroad to phish in county governments, city governments, things like that,” Rosen said. “We’re working very closely with them.”

He declined to provide more information about the group being investigated, referring questions to the FBI office in Los Angeles.

An FBI spokeswoman said Wednesday she could not confirm or deny the investigation.

Rosen said he had never investigated such an incident before.

“But that doesn’t mean it hasn’t happened,” he said. “I just have not heard of it.”

The county makes nearly 10,000 payments to vendors each month totaling about $141 million, about a third of those in the form of electronic transfers like that set up in September to send out the $888,000.

Harris County Auditor Michael Post said he had never seen an attempt like the one from the fraudulent D&W contractor.

“I’m calling it a near miss,” Post said. “It was (nearly) $900,000. Oh my God, that happened. We did not want this to ever happen.”

He said while he cannot say for sure that it has not happened in the past, it likely would have been caught when whoever was supposed to receive the money did not.

Post said in the days after the incident, he created a five-person team that would begin reviewing every outgoing payment and double-checking that recipients are, in fact, who they say they are by calling and asking for verifying information. That team includes one individual certified by the Association of Certified Fraud Examiners.

Earlier this month, the auditor’s office staff went through training on how to review for fraudulent requests for payment.

Some say the changes so far do not go far enough.

Orlando Sanchez, the Harris County treasurer, who writes the actual checks for the county, said he would like to see a more comprehensive analysis of the county’s vulnerabilities. He said he has to write checks that are directed by the county auditor’s office, and he would like to see an outside agency or another county department audit the county’s payments.

On Jan. 9, Sanchez sought to hire an outside forensic financial investigation firm Briggs and Veselka to “review the county’s payment processes and controls” but a vote on the proposal was postponed by Harris County Commissioners Court after the county attorney’s office said it objected to some technical terms of the proposed contract.

Commissioners Court is expected to consider at its Jan. 30 meeting a proposal to hire a firm to look over the county’s internal policies and cyber security controls when it comes to the payment process.

“We are a big operation,” Emmett said. “Harris County has got more people than 26 states. We’re well into the billions of dollars on an annual budget. I think the more eyes the better.”

Homeland Security: Data Breach in 2014, Over 240K Workers Affected

The Inspector General for Homeland Security found that the personal information of more than 247,000 employees and others connected with the agency was compromised in 2014.

Data Breach Affected More Than 240,000 Homeland Security Workers, IG Confirms
Nextgov | By Joseph Marks |

Personal information about more than 247,000 Homeland Security Department employees and other people connected with the agency was compromised in 2014, the department’s internal auditor said Wednesday.

In May, the Homeland Security inspector general’s office found a copy of its investigative case management system—and the reams of personal information it contained—in the possession of a former inspector general’s office employee, according to a department statement.

Inspectors found the case management system as part of a criminal investigation but did not say if the former employee is the target of that investigation.

The statement also did not provide details about how the system ended up in the former employee’s possession except to say that it was not the result of a third-party cyberattack and that other employees’ personal information was not the target of the “unauthorized exfiltration.”

USA Today described the breach in November based on leaked documents but Homeland Security did not confirm the breach at that time.

The case management system contained personal information on 247,167 Homeland Security employees who worked for the department when the information was removed in 2014, the department said.

It also contained information about non-employees who were subjects, witnesses or complainants in inspector general investigations between 2002 and 2014, the department said. The statement does not say how many non-employees were in that group.

The department is “implementing additional security precautions to limit which individuals have access to this information and will better identify unusual access patterns” in the future, according to the statement.

The statement did not describe what personal information was compromised. Personal information can range from less sensitive information, such as names and phone numbers, to highly sensitive information, such as Social Security numbers and financial data.

The department is offering free credit monitoring to employees and other people whose information was compromised. Employees were informed about the breach in a Wednesday letter, but the department won’t directly notify non-employees because of “technological limitations.”

The notice includes a contact number for non-employees who were associated with Homeland Security inspector general investigations to request credit monitoring.

Security experts have often said credit monitoring is less effective at preventing criminals from profiting off your leaked information than other steps such as freezing your credit.

“The Department of Homeland Security takes very seriously the obligation to serve the Department’s employees and is committed to protecting the information [with] which they are entrusted,” the notice states.