by Jon Lober | NOC Technology
As a managed service provider for both private businesses and government organizations, we at NOC Technology spend a lot of time thinking about cybersecurity—for ourselves, our clients, our community, and our country.
We believe that the “oxygen mask principle” for passengers aboard commercial flights also applies to cybersecurity. In order to help others during a crisis, you need to make sure your own oxygen mask is fitted and functional first.
The US Federal Government struggled to apply this principle to its own cybersecurity. However, over the past few years, policymakers and executives have been making progress in their behemoth challenge. National cybersecurity improvements have been hampered by several factors: the sheer size of the government, the complexity of government institutions, and the diversity of motivations behind the cyberattacks that target the government.
With more than 4 million employees and millions of additional contractors, the US government is the United States largest employer, with a nearly infinite number of potential attack vectors. Tasked with national security, it must not only monitor the security of its direct offices and employees, but also critical infrastructure like utilities and hospitals. Successful cyberattacks on any government office, contractor, or critical infrastructure can threaten the well-being of the nation as a whole.
Although the concept of the “US Federal Government” seems easy enough to understand, the national government is a multifaceted organization composed of myriad components: civilian and military, public and secret, foreign and domestic, elected and bureaucratic, specialized and general. From the US Postal Service to the Pentagon, the United States government is exceedingly complex.
Hackers attempt to penetrate US government systems for a wide variety of reasons. In addition to the run-of-the-mill, financially motivated hackers all of us confront on a daily basis, the federal government faces a myriad of other sources of cyberattacks: malicious internal actors, foreign governments, terrorists, and ideologues.
To understand how the United States federal government currently confronts cybersecurity, in this post we’re going to take a quick look at a few of the structural and legislative components that will shape the future of national cybersecurity policy. In a future post, we’ll look at a few resources available from some of the key players below.
A 2022 US Government Accountability Office (GAO) report determined that at least 23 government agencies have been tasked with cybersecurity. We will not review each of these entities in this post but will highlight those that have especially important roles in the nation’s cybersecurity infrastructure.
Source: 2022 GAO Report – CYBERSECURITY, Clarity of Leadership Urgently Needed to Fully Implement the National Strategy
An innocuous agency within the Department of Commerce, NIST has become an increasingly valuable and proactive member of the cybersecurity community. In a recent Executive Order from the White House, NIST was mandated to solicit input from experts across all sectors to enable the group to recommend or develop tools to improve the security of the software supply chain for the federal government. These recommendations were intended specifically for federal government agencies but were made available publicly to benefit all US institutions.
Since that time, NIST has issued a series of recommendations that provide helpful cybersecurity guidance—especially in regard to the software supply chain. With their proactive, comprehensive, research-based approach, NIST sets the standards for best practice in the cybersecurity arena.
A newly founded agency (2018) housed in the Department of Homeland Security (DHS), CISA is the nation’s frontline institution in the fight to protect US infrastructure from cyberattacks. Its activities include disaster response, capacity building, partnership development, risk assessment, and other related activities. Though still in its nascency, CISA has rapidly formalized and become an integral component of the national cybersecurity machine.
With its 2023-2025 Strategic Plan, CISA has now outlined its focus for the coming years. Specifically, CISA will build resilience for critical infrastructure, ensure national cybersecurity, and facilitate collaboration and information-sharing between public and private institutions.
The National Cyber Investigative Joint Task Force (NCIJTF) is led by the FBI and composed of more than 30 law enforcement, intelligence, and defense agencies. The NCIJTF was formed in 2008 to coordinate investigations into serious cybersecurity threats against US institutions and businesses.
In addition to the NCIJTF, the FBI also operates the Internet Crime Complaint Center (IC3), a first stop for businesses experiencing cyberattacks. The IC3 portal is designed to help businesses and individuals that are actively experiencing phishing, business email compromise, ransomware, or other type of cyberattack.
The Office of Management and Budget’s Deputy Director for Management chairs the CIO Council and directs its activities. The Council itself is composed of the CIOs of each respective government department (Labor, Interior, Treasury, State, etc). This interagency group works to continually ensure the improvement and efficacy of each department’s IT efforts through monitoring, evaluation, modernization, recommendations, and reviews.
In addition to the institutions that we have reviewed here, within the Department of Defense, U.S. Cyber Command (USCYBERCOM) and the National Security Agency (NSA) also play key roles in protecting US assets from cyberterrorism and foreign attacks.
In the absence of comprehensive federal cybersecurity policy, individual states have been steadily pursuing and adopting legislation to protect the businesses and citizens within their states. Though only a few have passed laws at this point, several others are poised to do so. The result of this lawmaking has been a patchwork of policies without any unifying national laws.
As the pressure mounts for government action on cybersecurity, the federal government has responded through two lawmaking channels: Executive Order and Act of Congress. Actions from the White House and Congress have begun to address some of the most serious issues but are only scratching the surface.
For the time being, the United States lacks a comprehensive law to orient state and national actions. However, over the past few years, the executive and legislative branches have made some serious strides towards that end. Below, we will look at the most significant recent legislation.
Issued in May 2021 by President Biden, the Executive Order on Improving the Nation’s Cybersecurity (EO 14028) was the White House’s mandate to the entire federal government to put on its own oxygen mask. This order was issued shortly after several serious cyberattacks, including SolarWinds, Chinese infiltration of Microsoft Exchange servers, and the ransomware ordeal with Colonial Pipelines.
The Order provoked a number of improvements to national cybersecurity infrastructure. Amongst other actions, the order pressured government institutions to move towards a zero-trust architecture, adopt two-factor authentication at all levels, improve the security of its software supply chain, and improve the recognition, response, and collaborative response of public and private actors to cyberthreats.
The Strengthening American Cybersecurity Act of 2022 directly addresses the threat of malware, ransomware, and other types of data breaches that could affect national security. Amongst other stipulations, the Act will require government offices and entities working in critical infrastructure to report cyberattacks to the CISA within 72 hours of a detected breach. Although this law has still not entered into force, it has provoked a flurry of rapid improvements in cybersecurity amongst affected organizations.
This law is considered a critical step towards improving national cybersecurity. Many organizations hesitate to report these events, since they may face liability claims or a loss of reputation in the marketplace. The Act will provide the CISA with timely information, which can be used to alert other potential targets and address active threats to national security.
Though the sweeping bipartisan Infrastructure Investment and Jobs Act was not directly oriented to address cybersecurity, it does include provisions to address cybersecurity weakness in state, local, tribal, and territorial governments. Through grants totaling $1 billion, local governments will have ongoing opportunities to solicit federal funding assistance for efforts to improve cybersecurity resilience and response.
Since the inception of the internet age, the Federal Government has moved slowly towards a comprehensive cybersecurity approach. However, over the past decade, that pace has steadily quickened. The incorporation of the CISA, the elevation of the NCIJTF to its current role, the President’s 2021 executive order, and Congress’s 2022 actions all indicate that the US government is moving towards much-needed comprehensive, coordinated action.
In our next post, we will look at some of the benefits, resources, and services that these institutions provide to public and private organizations across the country.
Contact us
Existing Customers
IT Support Near Me
IT Support based in Franklin County, MO | 1816 Hwy A, Washington, MO 63090