The new Biden-Harris American Rescue Plan includes some cyber- and IT-related items around modernization and workforce. The plan includes more than $10 billion in funding to boost the nation’s cybersecurity and information technology. Pages 18-19 have the key information. Cyber experts shared their initial reactions to the proposed rescue plan.
Joseph Neumann, Director, Offensive Security at Coalfire, a Westminster, Colorado-based provider of cybersecurity advisory services:
“Department of Homeland Security, specifically CISA, was one of the only groups that started differential pay to offset compensation to make it possibly competitive. The revolving door will continue to go the other direction as the private sector looks at and identifies real-world experience more than any formal education, due to the ability to apply vs. hypotheticals. Once individuals get enough real-world experience they quickly jump to contractor or private-sector positions that are more lucrative and faster paced. Other differentiators to look at are recruiting avenues, work-life balance, remote work, and nice office settings. Government work, a majority of the time, requires individuals to be in the office setting every day and does not allow for remote work. Free snacks, better equipment, and nicer offices are the norm in the commercial world vs. the standard cube-land of government offices. People get tours of Google and Amazon offices and are wowed. Lastly, agility on all fronts, from promotion opportunities to general job functions. Promotions require you to find a new job and rarely have the different work responsibility that the security workforce craves.”
Dirk Schrader, Global Vice President at New Net Technologies (NNT), a Naples, Florida-based provider of cybersecurity and compliance software:
“Seeing these initiatives included in the relief plan is a good sign in itself and follows up on statements made earlier by the incoming team. Improvements are needed across all parts of the government’s IT in order to achieve that notion of cyber resilience as stated in the Solarium report. Whether it is enough to have better coverage of experienced staff in all the branches of the government is hard to tell, as the funds reserved for that task roughly cover 2,000 employees plus the needed personal equipment for one, perhaps two years. Having the specific aspects of security monitoring and incident response as part of the investment plan should also be designated to automate the things needed to do the core security stuff, like change control and vulnerability scans, which will detect the gaps in that resilient cyber security posture the new government aims to achieve.”
Hank Schless, Senior Manager, Security Solutions at Lookout, a San Francisco, Calif.-based provider of mobile security solutions:
“A significant investment in cybersecurity like this signals that cyber threats are now a priority. This makes sense because the threat landscape is rapidly evolving and is having serious impacts on both public and private sector organizations.
The technology we use on a daily basis has evolved more quickly than many cybersecurity strategies. For that reason, securing infrastructure hasn’t been able to keep up. Both the public and private sector are relying heavily on smartphones and tablets to get work done away from their physical office spaces. With the emergence of cloud-based services that are easy to use on mobile devices, there’s now an expectation that anyone can work just as well from their smartphone or tablet as they can from their laptop. Even just a few years ago, mobile devices didn’t have anything close to the level of access to sensitive data that they do now. Threat actors know that mobile devices are an attractive target since they’re often used for both work and personal reasons. Even some federal agencies allow employees to use personal devices for work, which could introduce additional threats into their infrastructure.
Mobile phishing continues to be one of the most difficult issues for organizations. Historically, the only concern was phishing emails being sent to employees on laptops and desktops. But that’s changed. On mobile devices, attackers can execute phishing campaigns across countless channels, such as SMS, iMessage, WhatsApp, and social media platforms. To combat this, organizations need to ensure their training is up to date and that their anti-phishing solutions can accommodate these additional complexities.
The $200 million allocated for hiring experts to support the federal Chief Information Security Officer and U.S. Digital Service could definitely attract new talent into the public sector. However, looking at it more broadly, the funding allocated to other agencies may be used to contract more with private sector companies. This public-private partnership approach could be more efficient if these agencies want to get modern solutions in place with the oversight of experts rather than trying to build the solutions themselves.”