President-elect Joe Biden has announced the American Rescue Plan to "build a bridge towards economic recovery" during the coronavirus pandemic. The $1.9 trillion plan aims to create a national vaccination program to contain COVID-19 and safely reopen schools, deliver immediate relief to working families, and support communities that are struggling due to the virus. The American Rescue Plan also includes plans to modernize federal information technology to protect against future cyberattacks.
"The recent cybersecurity breaches of federal government data systems underscore the importance and urgency of strengthening U.S. cybersecurity capabilities," says the plan, which describes "the most ambitious" effort to date to modernize and secure federal IT and networks by:
- Expanding and improving the Technology Modernization Fund. A $9 billion investment will help the U.S. launch major new IT and cybersecurity shared services at the Cybersecurity and Infrastructure Security Agency (CISA) and the General Services Administration and complete modernization projects at 18 federal agencies. In addition, the president-elect is calling on Congress to change the fund's reimbursement structure in order to fund more innovative and impactful projects.
- Surging cybersecurity technology and engineering expert hiring. Providing the Information Technology Oversight and Reform fund with $200 million will allow for the rapid hiring of hundreds of experts to support the federal Chief Information Security Officer and U.S. Digital Service.
- Building shared, secure services to drive transformational projects. Investing $300 million in no-year funding for Technology Transformation Services in the General Services Administration will drive secure IT projects forward without the need for reimbursement from agencies.
- Improving security monitoring and incident response activities. An additional $690 million for CISA will bolster cybersecurity across federal civilian networks and support the piloting of new shared security and cloud computing services.
"Seeing these initiatives included in the relief plan is a good sign in itself and follows up on statements made earlier by the incoming team. Improvements are needed across all parts of the government's IT in order to achieve that notion of cyber resilience as stated in the Solarium report. Whether it is enough to have better coverage of experienced staff in all the branches of the government is hard to tell, as the funds reserved for that task roughly cover 2,000 employees plus the needed personal equipment for one, perhaps two years," says Dirk Schrader, Global Vice President at New Net Technologies (NNT), a Naples, Florida-based provider of cybersecurity and compliance software. "Having the specific aspects of security monitoring and incident response as part of the investment plan should also be designated to automate the things needed to do the core security stuff, like change control and vulnerability scans, which will detect the gaps in that resilient cybersecurity posture the new government aims to achieve."
This significant investment in cybersecurity makes sense in the current landscape, which is rapidly evolving and having serious impacts on both public and private sector organizations, notes Hank Schless, Senior Manager, Security Solutions at Lookout, a San Francisco, Calif.-based provider of mobile security solutions. "The technology we use on a daily basis has evolved more quickly than many cybersecurity strategies. For that reason, securing infrastructure hasn't been able to keep up. Both the public and private sectors are relying heavily on smartphones and tablets to get work done away from their physical office spaces. With the emergence of cloud-based services that are easy to use on mobile devices, there's now an expectation that anyone can work just as well from their smartphone or tablet as they can from their laptop. Even just a few years ago, mobile devices didn't have anything close to the level of access to sensitive data that they do now. Threat actors know that mobile devices are an attractive target since they're often used for both work and personal reasons. Even some federal agencies allow employees to use personal devices for work, which could introduce additional threats into their infrastructure."
Mobile phishing continues to be one of the most difficult issues for organizations, says Schless. "Historically, the only concern was phishing emails being sent to employees on laptops and desktops. But that’s changed. On mobile devices, attackers can execute phishing campaigns across countless channels, such as SMS, iMessage, WhatsApp, and social media platforms. To combat this, organizations need to ensure their training is up to date and that their anti-phishing solutions can accommodate these additional complexities."
Schless adds that the $200 million allocated for hiring experts to support the federal Chief Information Security Officer and U.S. Digital Service could definitely attract new talent into the public sector. "However, looking at it more broadly, the funding allocated to other agencies may be used to contract more with private sector companies. This public-private partnership approach could be more efficient if these agencies want to get modern solutions in place with the oversight of experts rather than trying to build the solutions themselves.”
According to Joseph Neumann, Director, Offensive Security at Coalfire, a Westminster, Colorado-based provider of cybersecurity advisory services, the Department of Homeland Security, specifically [the Cybersecurity and Infrastructure Security Agency], was one of the only groups that started differential pay to offset compensation to make it possibly competitive.
Neumann adds, "The revolving door will continue to go the other direction as the private sector looks at and identifies real-world experience more than any formal education, due to the ability to apply vs. hypotheticals. Once individuals get enough real-world experience they quickly jump to contractor or private sector positions that are more lucrative and faster paced. Other differentiators to look at are recruiting avenues, work-life balance, remote work, and nice office settings. Government work, a majority of the time, requires individuals to be in the office setting every day and does not allow for remote work. Free snacks, better equipment, and nicer offices are the norm in the commercial world vs. the standard cube-land of government offices. People get tours of Google and Amazon offices and are wowed. Lastly, agility on all fronts, from promotion opportunities to general job functions. Promotions require you to find a new job and rarely come with the different work responsibilities that the security workforce craves."