After SolarWinds and after the Microsoft Exchange attacks, the feds have begun to outline their plans to improve cybersecurity. While there are no silver bullets in this business, it is a nice change to see the feds actively working to improve things.
The way the feds have worked things in the past is to use the federal government’s buying power to create change and it looks like this might happen again.
Modelled after Singapore’s system, one thing that the feds are CONSIDERING is a vendor and product cybersecurity rating system. Details will follow in future executive actions.
It also include adding members of the private sector to the war. After the Exchange attacks, the feds stood up the National Security Council’s UNIFIED COORDINATION GROUP. Legally the UCG could have always included private industry but historically, in a manner that could only make sense to the government, they always knew better – even though the GAO says the federal government security is a disaster and private industry was never included.
The feds also say that they plan to continue “timely alerts” like the warning put out by the national security advisor after the Microsoft Exchange hack – their first ever tweet.
The UCG has been meeting for the last three weeks, handing out assignments and checking homework. Something that CISA has had only modest success in doing in the past. In this case, coming from the National Security Council probably adds the weight of the White House to encourage compliance.
The UCG has also identified “significant gaps in modernization [I think the IRS is using software developed in the 1980s] and in technology of cybersecurity across the federal government”.
The recently signed into law Covid relief bill includes a billion dollars for the feds to modernize technology that they use, $650 million for CISA to improve the fed’s cybersecurity practices and $200 million for the U.S. Digital Service, a tech team in the executive office of the President. There are also other tech related funds in the new law. Credit: The Register