But money talks: While the Trump administration is spending on today’s cybersecurity challenges, it’s not preparing for tomorrow’s.
The president’s budget request last week boosted overall cybersecurity spending by about 5 percent, including a whopping 10 percent hike for military cybersecurity. But most government offices that tackle emerging challenges in cybersecurity would see cuts to their research and development budgets under the plan.
The biggest cut — an incredible $219 million — is to the Homeland Security Department’s science and technology wing, which does much of the long-range research aimed at making technology fundamentally more secure. That budget, if it’s approved by Congress, would cut the division to slightly less than two-thirds of its 2019 funding.
The committee charged with the moonshot project, meanwhile, recommended in a draft report in November that government, industry and academia surge investments in a broad set of cybersecurity research and development priorities, including research focused on next-generation encryption, artificial intelligence and biometrics.
“If you want to fund a moonshot, you have to fund foundational research and development,” Ari Schwartz, a former senior director for cybersecurity on the National Security Council, told me. Schwartz is now director of cybersecurity services at the law firm Venable.
The ultimate victim of the research cuts, which are spread across DHS, the Commerce and Energy departments, and the National Science Foundation, will be the cybersecurity of U.S. companies and citizens, experts told me.
“These are problems that don’t manifest themselves in two to three years, but 10 years down the road,” Bruce Potter, founder of the annual hacker conference ShmooCon, told me.
The problem, in a nutshell, is that the Internet was never designed with security in mind, and all the money government spends on network defense or fighting back against adversaries in cyberspace won’t change that fact. But, new investments in research and development might.
Historically, the pace of cybersecurity developments has lagged behind the pace of technological innovation, said Potter, who is chief information security officer at the cybersecurity firm Expel and was also senior technical adviser to an Obama-era commission focused on improving the nation’s cybersecurity.
Industry is prepped to make major technological advances during the next decade — including connecting myriad more devices to the Internet and conducting more tasks with artificial intelligence and machine learning — which will create many more targets for hackers and increase the amount of damage they can do, Potter said.
And we’ll be in a lot of trouble if security doesn’t catch up with those innovations.
“That’s burned us historically and it’s just going to continue to burn us,” Potter told me.
The Trump budget also proposes a $75 million research budget cut to the Commerce Department’s National Institute of Standards and Technology, which has set basic cybersecurity standards that are followed throughout the world. A new Energy Department cybersecurity office would also see a $13 million research budget cut. And the National Science Foundation would get a $605 million across-the-board research budget cut, though only a portion of that would hit cybersecurity research.
DHS’s cyber operations wing would have its research budget approximately doubled to $31 million under the proposal, but that hardly makes up for the loss elsewhere.
The cuts are part of a trend the past three years in which the Trump administration has recommended cybersecurity research cuts along with increases to cybersecurity operations. But those cuts are typically pared back by Congress.
All of that stands in stark contrast to the moonshot report, in which members of the President’s National Security Telecommunications Advisory Committee predicted “more severe and physically destructive cyberattacks” over the next decade and described the nation’s digital vulnerabilities as “an existential threat to the American people’s fundamental way of life.”
Fixing that problem “will require strong national leadership, political will, and a sustained whole-of-nation investment over an extended period,” the report warned.
In other words: You can’t be the moonshot guys if you don’t want to pay for NASA.
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: A coalition member in the fight against the Islamic State in Syria is crowing about hacking operations that allegedly shut down the extremist organization’s ability to communicate online, recruit new members and spread propaganda.
During one 2017 operation, Australian government hackers shut down Islamic State communications right before ground troops attacked the group’s positions, Mike Burgess, director general of Australia’s top digital spying agency, said at a Sydney think tank.
“[Islamic State] communications were degraded within seconds. Terrorist commanders couldn’t connect to the Internet and were unable to communicate with each other. The terrorists were in disarray and driven from their position — in part because of the young men and women at their keyboards some 11,000 kilometers or so from the battle,” Burgess said.
That echoes a story from top British spy Jeremy Fleming last year. Fleming described a similar operation after which the Islamic State “found it almost impossible to spread their hate online, to use their normal channels to spread their rhetoric, or trust their publications,” the BBC reported.
The statements are among just a handful of public descriptions government officials have given of how the Unted States and its allies are integrating digital attacks into their military operations.
Former defense secretary Ashton B. Carter announced in 2016 that the United States was targeting Islamic State fighters with cyberattacks — the first such acknowledgment about offensive digital operations from a U.S. official. But the Pentagon has provided few details about those operations.
PATCHED: A bill introduced Thursday would create a private-sector cybersecurity advisory board within the Department of Homeland Security. The board would include “highly-skilled cybersecurity professionals responsible for protecting enterprises from every major business sector,” according to a release from Rep. John Katko (N.Y.), a sponsor of the Cybersecurity Advisory Committee Authorization Act and the ranking Republican on the Homeland Security Committee’s cyber panel.
Katko said in a statement the board would “facilitate a vital dialogue between public and private partners” and improve the government’s cybersecurity. Other sponsors are Reps. Dan Lipinski (D-Ill.), Dan Newhouse (R-Wash.), and Brian Fitzpatrick (R-Pa.).
PWNED: A former NSA contractor accused of carrying out one of the largest breaches of classified data in history pleaded guilty Thursday.
Harold “Hal” Martin III was accused in 2017 of taking thousands of classified documents home over several years — including a trove of data about secret hacking weapons that may have been stolen and released by an online group called Shadow Brokers.
Here are inside-the-courtroom details from Cybrscoop’s Sean Lyngaas: “Appearing solemn and weary in federal court in Baltimore, Harold T. Martin III, 54, seemed to embrace his fate, telling the judge more than once, ‘It’s time [to] close … Pandora’s Box.’ ”
Under a plea deal, Martin, “a former Navy lieutenant, faces nine years in prison and another three years of supervised release,” Cyberscoop reported.
Here’s background from the Wall Street Journal’s Aruna Viswanatha and Dustin Volz: “Mr. Martin’s case reflects the enduring struggle U.S. intelligence agencies have had in preventing the theft of government secrets by employees and contractors since Edward Snowden’s high-profile leak in 2013 of classified files about the NSA’s domestic and international surveillance operations. Despite efforts by both the Obama and Trump administrations to prosecute leaks and invest in technology to detect so-called insider threats, senior counterintelligence officials say the problem hasn’t subsided.”
Cybersecurity news from the public sector:
Cybersecurity news from the private sector: