NIST Cybersecurity
The Committee provides (pg 18) a total of $75 million for
cybersecurity activities; including:
• $33 million for the National
Cybersecurity Center of Excellence [NCCoE];
• $4 million for the National
Initiative for Cybersecurity Education; and
• $38.7 million for cybersecurity research and
development
“The Committee recommends that NIST continue to work in
concert with its public, State, and county partners to encourage co-location of
companies involved in NCCoE activities, which will encourage further innovation
by leveraging the development of new applications, business use cases, and
technology transfer among all stakeholders.” (pgs 18-19)
In its cybersecurity
grant program, the Committee recommends that (pg 19) “consideration should only
be given to institutions of higher education, including community colleges,
designated by the National Security Agency as Centers of Academic Excellence
for Information Assurance Education and Centers for Academic Excellence for
Information Assurance Research”.
Other Science Cybersecurity
The Committee commends the National Telecommunications and
Information Administration (NTIA) for its recent
request
for information (RFI) on federal government role on encouraging the
development of the ‘internet of things’. The Committee urges continued work on “its
consideration of how to appropriately plan for and encourage the proliferation
of network connected devices, including soliciting input from: industry stakeholders;
subject matter experts; businesses, including small- and medium-sized businesses;
consumer groups; and relevant Federal agencies” (pg 17).
The Committee continued funding for cybersecurity research
at the National Science Foundation at FY 2016 levels; noting that that research
“will form the intellectual foundations for practical applications that make
our information networks safer, more secure, and better able to predict,
resist, repel, and recover from cyber attacks” (pg 11).
DOJ Cybersecurity
The Committee is funding Department of Justice cybersecurity
related programs at $896 million, a 10% increase over the previous fiscal year.
Throughout this title, the Committee’s recommendation for
cybersecurity-related activities for the Department totals $896,325,000 for
fiscal year 2017, which is an increase of $82,679,000, or 10 percent, above the
fiscal year 2016 level.
The US Attorneys’ Office will receive $58 million (almost 4%
above requested) to “able to increase the number of investigations and
prosecutions of cyber attacks and cyber intrusions, and provide the high-caliber
level of training on cybercrime and digital evidence needed for Assistant U.S.
Attorneys to be able to analyze and present digital evidence across all types
of criminal case” (pg 65).
The FBI cybersecurity funding is being increased by $17
million with an addition $43 million increase for the Cyber Division to “to
strengthen its cyber capabilities and investigations including those into
ransomware attacks against institutions such as hospitals” (pg 71).
The Committee is also carving out a new $1 million grant
program for a new “Cybercrime and Digital Evidence Resource Prosecutor Pilot
Program to provide State and local prosecutors with training and trial
experience in cybercrimes and digital evidence” (pg 89).
Moving Forward
There has been a general consensus that we will be seeing a
continuing resolution passed this year just before the end of the fiscal year,
as has become common, especially in an election year. The unspoken assumption
has been that no spending bills would be completed before that continuing
resolution passed. With the early introduction of this bill and the THUD bill
there is a chance that these two less controversial bills may have a chance to
be sent to the President before the summer recess. It will all depend on how
fast the Senate can take up an pass the two bills.
Commentary
With the FBI and DHS going around the country warning
utilities of a potential for a Ukraine style attack on the it is disheartening
to see no mention of control system security, particularly ICS forensics in the
DOJ portions of this bill. Unfortunately, I think that it is going to take a
high-profile attack on a control system for Congress and the DOJ to understand
that the forensics capability to collect and evaluate usable evidence for a
prosecution against a control system hacker just does not exist within the
criminal justice system.
Almost a billion dollars for cybersecurity investigations
and prosecutions sounds like a bunch of money, but once it gets spread around
the various programs and agencies, it really is not all that much money. The
$49 million for the Cyber Division doesn’t really go that far; the CSI Cyber
stars probably pull in close to that in salaries and perks (sorry couldn’t help
myself). And, on a more serious note, remember the FBI reportedly spent more
than $1 million to access a single encrypted device (and yes they probably got
a tool out of it, but only for one specific type phone).