Last week Sen. Shelby (R,AL) introduced S 2837,
the Commerce, Justice, Science, and Related Agencies (CJS) Appropriations Act,
2017. As is usual, there is no mention of cybersecurity in the actual bills
beyond internal cybersecurity spending. There are, however, some interesting
comments in the Appropriations
Committee Report.
NIST Cybersecurity
The Committee provides (pg 18) a total of $75 million for
cybersecurity activities, including:
• $33 million for the National
Cybersecurity Center of Excellence [NCCoE];
• $4 million for the National
Initiative for Cybersecurity Education; and
• $38.7 million for cybersecurity research and
development
“The Committee recommends that NIST continue to work in
concert with its public, State, and county partners to encourage co-location of
companies involved in NCCoE activities, which will encourage further innovation
by leveraging the development of new applications, business use cases, and
technology transfer among all stakeholders.” (pgs 18-19)
In its cybersecurity
grant program, the Committee recommends that (pg 19) “consideration should only
be given to institutions of higher education, including community colleges,
designated by the National Security Agency as Centers of Academic Excellence
for Information Assurance Education and Centers for Academic Excellence for
Information Assurance Research”.
Other Science Cybersecurity
The Committee commends the National Telecommunications and
Information Administration (NTIA) for its recent request
for information (RFI) on the federal government role in encouraging the
development of the ‘internet of things’. The Committee urges continued work on “its
consideration of how to appropriately plan for and encourage the proliferation
of network connected devices, including soliciting input from: industry stakeholders;
subject matter experts; businesses, including small- and medium-sized businesses;
consumer groups; and relevant Federal agencies” (pg 17).
The Committee continued funding for cybersecurity research
at the National Science Foundation at FY 2016 levels; noting that that research
“will form the intellectual foundations for practical applications that make
our information networks safer, more secure, and better able to predict,
resist, repel, and recover from cyber attacks” (pg 11).
DOJ Cybersecurity
The Committee is funding Department of Justice cybersecurity
related programs at $896 million, a 10% increase over the previous fiscal year.
Throughout this title, the Committee’s recommendation for
cybersecurity-related activities for the Department totals $896,325,000 for
fiscal year 2017, which is an increase of $82,679,000, or 10 percent, above the
fiscal year 2016 level.
The US Attorneys’ Office will receive $58 million (almost 4%
above requested) to be “able to increase the number of investigations and
prosecutions of cyber attacks and cyber intrusions, and provide the high-caliber
level of training on cybercrime and digital evidence needed for Assistant U.S.
Attorneys to be able to analyze and present digital evidence across all types
of criminal case” (pg 65).
The FBI cybersecurity funding is being increased by $17
million with an additional $43 million increase for the Cyber Division “to
strengthen its cyber capabilities and investigations including those into
ransomware attacks against institutions such as hospitals” (pg 71).
The Committee is also carving out a new $1 million grant
program for a new “Cybercrime and Digital Evidence Resource Prosecutor Pilot
Program to provide State and local prosecutors with training and trial
experience in cybercrimes and digital evidence” (pg 89).
Moving Forward
There has been a general consensus that we will be seeing a
continuing resolution passed this year just before the end of the fiscal year,
as has become common, especially in an election year. The unspoken assumption
has been that no spending bills would be completed before that continuing
resolution passed. With the early introduction of this bill and the THUD bill
there is a chance that these two less controversial bills may have a chance to
be sent to the President before the summer recess. It will all depend on how
fast the Senate can take up and pass the two bills.
Commentary
With the FBI and DHS going around the country warning
utilities of a potential for a Ukraine-style attack on the it is disheartening
to see no mention of control system security, particularly ICS forensics, in the
DOJ portions of this bill. Unfortunately, I think that it is going to take a
high-profile attack on a control system for Congress and the DOJ to understand
that the forensics capability to collect and evaluate usable evidence for a
prosecution against a control system hacker just does not exist within the
criminal justice system.
Almost a billion dollars for cybersecurity investigations
and prosecutions sounds like a bunch of money, but once it gets spread around
the various programs and agencies, it really is not all that much money. The
$49 million for the Cyber Division doesn’t really go that far; the CSI Cyber
stars probably pull in close to that in salaries and perks (sorry couldn’t help
myself). And, on a more serious note, remember the FBI reportedly spent more
than $1 million to access a single encrypted device (and yes they probably got
a tool out of it, but only for one specific type of phone).