Agencies haven’t figured out how to budget for Biden’s cybersecurity EO

With cybersecurity attacks on government institutions, health care providers and critical supply chain players not subsiding anytime soon, the president’s Executive Order on Improving the Nation’s Cybersecurity issued in the spring has some timely requirements. But implementing them is another story for federal agencies.

The EO calls for changing contracting language to require greater data storage and logging as a way to improve the sharing of threat information between service providers and the FBI, the Cybersecurity and Infrastructure Security Agency, or other federal partners. The data can come from app, system and security logs, as well as from network devices, services events, network traffic, and other sources — making it neither easy nor cheap to store for 30 months in most cases, as required by the Office of Management and Budget.

For the Federal Housing Finance Agency at least, Chief Information Security Officer Ralph Mosios said that directive requires money, people and resources which were not accounted for in the agency’s original fiscal 2022 budget.

“You have to have hot and cold logs, if you would, across hybrid environments. So that poses a challenge for us, right,” he said on a virtual panel hosted by ATARC yesterday. “There’s a lot of different logs coming from different places, and what are we going to do with it?”

He asked the group how agencies could use this data proactively, beyond simple storage for investigative purposes after a hypothetical cyber attack, and how they will prioritize this specific requirement along with all of the EO’s other directives. He said FHFA already studies user analytics for signs of suspicious activity, for example.

Allison McCall, chief information officer at the National Technical Information Service, is anxious about the nuances of logging requirements in the EO which go beyond her agency’s existing practices. She said they already help other federal agencies with their data, and apply artificial intelligence, machine learning or predictive analytics to logs to make them more meaningful.

“Because even if you have two or three analysts looking all day at this stuff, that might not be enough. So you have to pare it down, you have to be able to hone in — it’s work, it’s not easy,” she said. “And, again, the data could be on prem or in the cloud, or legacy or very modern, and usually a mixture. So there are going to be enormous challenges with this. But it’s important.”

As a Cabinet-level agency, the Labor Department is wondering what the increased level of logging will do to their network’s storage capacity, in addition to making that stored data more valuable. Labor CISO Paul Blahusch said agencies need to take time to baseline normal activity on their networks, if they want to detect abnormal activity. He described it as fixing a car that’s already in motion.

“Because you’re going to be collecting all these logs, and at the same time trying to figure out what’s my normal, sort of, activity on my network? So that then I can tell what’s abnormal, as I’m adding more and more stuff in all the time,” he said. “I think it’s going to be a real challenge, until we can get a lid on it.”

Budgeting for the EO will take balancing development work and updating networks, as well as collaboration tools for end users; McCall reiterated the extent to which this is a challenge but necessary. Mosios said that because he relies on fees levied against regulated activities — as opposed to congressionally appropriated funds like most agencies — he “will leverage current events in the world” to write his office’s budget. That speeds up the process a little, he said. Identifying funding sources by the end of 2022 will be a primary goal for Blahusch at Labor, along with planning for the unexpected ripple effects of collecting and moving data.
