The Pentagon’s funding request is $800 million more than what it wanted last year and includes investments in zero trust architecture and support to the Defense Industrial Base (DIB). The request also adds five cyber mission force teams for a total of 142 teams, according to budget documents.
It is no surprise that the Pentagon is requesting billions of dollars for cyberspace activities in its fiscal 2023 budget. The additional funding is for various efforts, including increasing cybersecurity support for defense contractors, hardening its own networks, operationalizing zero trust architecture, and building “cyber ranges,” much like rifle ranges but for all things digital. The Pentagon is investing to improve the readiness of the nation’s cyber force by funding cyber ranges to enable training and exercises in the cyber domain. Finally, the budget lays the foundation for U.S. Cyber Command to have ownership of the mission and resources of the cyber mission force beginning in FY24, as directed in the FY22 NDAA.
The White House on Monday also released budget documents outlining funding for cyber-focused agencies outside of DoD, like the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), which is requesting $2.5 billion in FY23.
The White House document states that the funding will maintain critical cybersecurity capabilities implemented in the American Rescue Plan; expand network protection throughout the Federal Executive Branch; and bolster support capabilities, such as cloud business applications, enhanced analytics, and stakeholder engagement. The budget also supports the Office of the National Cyber Director, which would improve national coordination in the face of escalating cyber-attacks on government and critical infrastructure.
CISA has been vocal about potential cyberattacks on the U.S. in the wake of the escalation of foreign threats from cybercriminals, “bad actors” and black hat hackers. In February, CISA, along with the NSA and FBI, released a joint cybersecurity advisory claiming hackers targeted U.S. defense contractors for at least two years. Given the sensitivity of information widely available on unclassified (cleared contractor) networks, the FBI, NSA, and CISA anticipate that cyber actors will continue to target cleared defense contractors (CDCs) for U.S. defense information in the near future.
For the last two years hackers backed by the Russian government worked to infiltrate American defense contractor systems, sometimes raiding the companies for months at a time, to steal sensitive, unclassified information, the U.S. government warned today.
The acquired information provides significant insight into U.S. weapons platforms development and deployment timelines, vehicle specifications, and plans for communications infrastructure and information technology, the Department of Homeland Security’s CISA said in an alert posted online. By acquiring proprietary internal documents and email communications, adversaries may be able to adjust their own military plans and priorities, hasten technological development efforts, inform foreign policymakers of U.S. intentions, and target potential sources for recruitment.
The escalation in funding is not without merit. A cyber-espionage campaign ran from at least January 2020 through this month, CISA said, targeting contractors working for every military branch as well as the U.S. Intelligence Community, and covering subjects ranging from command and control systems to aircraft design.
During this two-year period, these “bad actors” have maintained persistent access to multiple CDC networks, in some cases for at least six months. In instances when the actors have successfully obtained access, the FBI, NSA, and CISA have noted regular and recurring exfiltration of emails and data. For example, during a compromise in 2021, threat actors exfiltrated from computers hundreds of documents related to the company’s products, relationships with other countries, and internal personnel and legal matters.
CISA said the hackers generally didn’t use novel techniques to break into the systems, instead relying on old standbys like spear phishing, brute-forcing, and taking advantage of unpatched networks.
In response, CISA urged companies to conduct forensic investigations of their systems to discover evidence of compromise and to harden their defenses against future breaches. The threat, the agency said, is not expected to go away anytime soon.
Given the sensitivity of information widely available on unclassified CDC networks, the FBI, NSA, and CISA anticipate that foreign state-sponsored cyber actors will continue to target CDCs for U.S. defense information in the near future. CISA urged companies to harden their defenses against future attacks.
The DoD Chief Information Officer is correct that there’s a cost to your IP, there’s a cost to the U.S. government and there’s a benefit to our adversaries if we don’t do something like the Cybersecurity Maturity Model Certification (CMMC) program.
Now under an upgraded cyber certification program, the Defense Department’s CIO wants to focus on clarifying requirements and increasing engagements with small to medium-sized companies in hopes of raising the overall “baseline” of the Pentagon’s cybersecurity defenses.
The CMMC version 2.0 means raising the “baseline” of cybersecurity across the Department of Defense to keep foreign countries and other potential adversaries away from our critical data. This is basic hygiene to make sure we can protect our sensitive data so that when our service members have to go into action, they’re not going to have an unfair position because our adversary has already stolen key data and technologies that will put them at an advantage.
Earlier this month, the Deputy Defense Secretary announced CMMC would be moved under the purview of the CIO of the DoD and out of the office of the Undersecretary of Defense for acquisition and sustainment. The Pentagon has also rolled out a 2.0 version of the program intended to strengthen the cybersecurity of the DIB.
The Deputy Defense Secretary indicated the enhanced program aims to simplify the CMMC standard by clarifying requirements, increasing department oversight in the assessment ecosystem, and focusing the most advanced cybersecurity standards and third-party assessment requirements on companies supporting the highest priority programs.
The DoD CIO’s office is interested in hearing how companies with a couple hundred people or fewer are going to be impacted by the new CMMC, and the CIO emphasized the importance of the program for DoD. He wants the private sector to know that there’s a cost to not doing something like this.
It’s not the first time the Pentagon has zeroed in on small businesses when it comes to CMMC. In June of 2022, DoD pledged to reduce costs on small businesses as part of its internal review of the program, which began earlier that year in March. DoD is trying to make CMMC requirements clearer so that contractors can comply with them. Realigning the program under the CIO’s office is a good move that improves the probability of success of the CMMC initiative.
CMMC was announced in July 2019 and here we are, two and a half years later, without a single third-party assessment accomplished or certification earned. The CIO’s office has the expertise, knows the threat, and will act swiftly to bring CMMC to operational status. That benefits DoD by improving the ability of the DIB to resist cyber exfiltration and, if necessary, recover from attacks. And it benefits the industry to know sooner what is sought or will be required of it.
The CMMC program always will be connected to acquisition. It will be defined by regulation and implemented through acquisition measures—contract clauses. The CIO can bring to bear its greater technical understanding both of adversary tactics, techniques, and procedures, and its expertise on how enterprises best can defend, respond and recover. It’s a net positive.