A United Response to Cybersecurity

by Jon Lober | NOC Technology

A brief overview of current US Federal Government cybersecurity organization, policy, and public resources.

As a managed service provider for both private businesses and government organizations, we at NOC Technology spend a lot of time thinking about cybersecurity—for ourselves, our clients, our community, and our country. 

 

We believe that the “oxygen mask principle” for passengers aboard commercial flights also applies to cybersecurity. In order to help others during a crisis, you need to make sure your own oxygen mask is fitted and functional first. 

 

The US Federal Government struggled to apply this principle to its own cybersecurity. However, over the past few years, policymakers and executives have been making progress in their behemoth challenge. National cybersecurity improvements have been hampered by several factors: the sheer size of the government, the complexity of government institutions, and the diversity of motivations behind the cyberattacks that target the government.

 

With more than 4 million employees and millions of additional contractors, the US government is the United States' largest employer, with a nearly infinite number of potential attack vectors. Tasked with national security, it must monitor the security not only of its direct offices and employees, but also of critical infrastructure like utilities and hospitals. Successful cyberattacks on any government office, contractor, or critical infrastructure can threaten the well-being of the nation as a whole.

 

Although the concept of the “US Federal Government” seems easy enough to understand, the national government is a multifaceted organization composed of myriad components: civilian and military, public and secret, foreign and domestic, elected and bureaucratic, specialized and general. From the US Postal Service to the Pentagon, the United States government is exceedingly complex. 

 

Hackers attempt to penetrate US government systems for a wide variety of reasons. In addition to the run-of-the-mill, financially motivated hackers all of us confront on a daily basis, the federal government faces a myriad of other sources of cyberattacks: malicious internal actors, foreign governments, terrorists, and ideologues. 

 

To understand how the United States federal government currently confronts cybersecurity, in this post we’re going to take a quick look at a few of the structural and legislative components that will shape the future of national cybersecurity policy. In a future post, we’ll look at a few resources available from some of the key players below. 

 

US Government Agencies Responsible for Cybersecurity

 

A 2022 US Government Accountability Office (GAO) report determined that at least 23 government agencies have been tasked with cybersecurity. We will not review each of these entities in this post but will highlight those that have especially important roles in the nation’s cybersecurity infrastructure. 

Source: 2022 GAO Report – CYBERSECURITY, Clarity of Leadership Urgently Needed to Fully Implement the National Strategy


National Institute of Standards and Technology (NIST)

An innocuous agency within the Department of Commerce, NIST has become an increasingly valuable and proactive member of the cybersecurity community. In a recent Executive Order from the White House, NIST was mandated to solicit input from experts across all sectors to enable the group to recommend or develop tools to improve the security of the software supply chain for the federal government. These recommendations were intended specifically for federal government agencies but were made available publicly to benefit all US institutions. 

 

Since that time, NIST has issued a series of recommendations that provide helpful cybersecurity guidance—especially in regard to the software supply chain. With their proactive, comprehensive, research-based approach, NIST sets the standards for best practice in the cybersecurity arena. 

 

 

Cybersecurity and Infrastructure Security Agency (CISA)

A newly founded agency (2018) housed in the Department of Homeland Security (DHS), CISA is the nation’s frontline institution in the fight to protect US infrastructure from cyberattacks. Its work includes disaster response, capacity building, partnership development, risk assessment, and other related activities. Though still in its nascency, CISA has rapidly formalized and become an integral component of the national cybersecurity machine.

 

With its 2023-2025 Strategic Plan, CISA has now outlined its focus for the coming years. Specifically, CISA will build resilience for critical infrastructure, ensure national cybersecurity, and facilitate collaboration and information-sharing between public and private institutions. 

 

The Federal Bureau of Investigation (FBI) 

The National Cyber Investigative Joint Task Force (NCIJTF) is led by the FBI and composed of more than 30 law enforcement, intelligence, and defense agencies. The NCIJTF was formed in 2008 to coordinate investigations into serious cybersecurity threats against US institutions and businesses. 

 

In addition to the NCIJTF, the FBI also operates the Internet Crime Complaint Center (IC3), a first stop for businesses experiencing cyberattacks. The IC3 portal is designed to help businesses and individuals that are actively experiencing phishing, business email compromise, ransomware, or other types of cyberattack.

 

Federal Chief Intelligence Officers Council (CIO Council)

The Office of Management and Budget’s Deputy Director for Management chairs the CIO Council and directs its activities. The Council itself is composed of the CIOs of each respective government department (Labor, Interior, Treasury, State, etc.). This interagency group works to continually ensure the improvement and efficacy of each department’s IT efforts through monitoring, evaluation, modernization, recommendations, and reviews.

 

Additional Defense Institutions 

In addition to the institutions that we have reviewed here, within the Department of Defense, U.S. Cyber Command (USCYBERCOM) and the National Security Agency (NSA) also play key roles in protecting US assets from cyberterrorism and foreign attacks. 

 

 

Recent Policies and Legislation

In the absence of comprehensive federal cybersecurity policy, individual states have been steadily pursuing and adopting legislation to protect the businesses and citizens within their states. Though only a few have passed laws at this point, several others are poised to do so. The result of this lawmaking has been a patchwork of policies without any unifying national laws. 

 

As the pressure mounts for government action on cybersecurity, the federal government has responded through two lawmaking channels: Executive Order and Act of Congress. Actions from the White House and Congress have begun to address some of the most serious issues but are only scratching the surface. 

 

For the time being, the United States lacks a comprehensive law to orient state and national actions. However, over the past few years, the executive and legislative branches have made some serious strides towards that end. Below, we will look at the most significant recent legislation. 

 

Executive Order

Issued in May 2021 by President Biden, the Executive Order on Improving the Nation’s Cybersecurity (EO 14028) was the White House’s mandate to the entire federal government to put on its own oxygen mask. This order was issued shortly after several serious cyberattacks, including SolarWinds, Chinese infiltration of Microsoft Exchange servers, and the ransomware ordeal with Colonial Pipeline.

 

The Order provoked a number of improvements to national cybersecurity infrastructure. Amongst other actions, the order pressured government institutions to move towards a zero-trust architecture, adopt two-factor authentication at all levels, improve the security of their software supply chains, and improve how public and private actors recognize and collaboratively respond to cyberthreats.

 

Acts of Congress

The Strengthening American Cybersecurity Act of 2022 directly addresses the threat of malware, ransomware, and other types of data breaches that could affect national security. Amongst other stipulations, the Act will require government offices and entities working in critical infrastructure to report cyberattacks to the CISA within 72 hours of a detected breach. Although this law has not yet entered into force, it has provoked a flurry of rapid improvements in cybersecurity amongst affected organizations.

 

This law is considered a critical step towards improving national cybersecurity. Many organizations hesitate to report these events, since they may face liability claims or a loss of reputation in the marketplace. The Act will provide the CISA with timely information, which can be used to alert other potential targets and address active threats to national security. 

 

Though the sweeping bipartisan Infrastructure Investment and Jobs Act was not directly oriented to address cybersecurity, it does include provisions to address cybersecurity weaknesses in state, local, tribal, and territorial governments. Through grants totaling $1 billion, local governments will have ongoing opportunities to solicit federal funding assistance for efforts to improve cybersecurity resilience and response.

 

Summary 

Since the inception of the internet age, the Federal Government has moved slowly towards a comprehensive cybersecurity approach. However, over the past decade, that pace has steadily quickened. The incorporation of the CISA, the elevation of the NCIJTF to its current role, the President’s 2021 executive order, and Congress’s 2022 actions all indicate that the US government is moving towards much-needed comprehensive, coordinated action. 

 

In our next post, we will look at some of the benefits, resources, and services that these institutions provide to public and private organizations across the country.

