By Stewart Baker
WASHINGTON, D.C. – On Tuesday, Representatives Jim Langevin, D-R.I., and Glenn Thompson, R-Penn., introduced the Cybersecurity Education Integration Act, a bill that would establish a grant program to develop career and technical education (CTE) classes that include cybersecurity fundamentals.
“Whether in our hospitals or our power grid, vital systems are increasingly being connected to the Internet,” said Langevin. “We need to offer better training for the workers who deal with these systems on a day-to-day basis, particularly in safety critical industries where lives can be put in jeopardy by malicious cyber actors.”
The bill includes $10 million to establish a competitive grant program run by the Department of Education to provide grants up to $500,000 to partnerships of educational institutions and employers that commit to include cybersecurity in career and technical education. Applicants would need to describe which sector of critical infrastructure their program plans to train for, the workforce needs of that sector, the work-based learning opportunities available to program participants, and how the program would lead to a recognized postsecondary credential, among other criteria.
“We must ensure we’re protecting sensitive data and critical infrastructure from bad actors, and this bill is one step in the right direction,” said Thompson. “By enabling our next generation of learners to have the most sophisticated and comprehensive educational programs out there, we will be better prepared to protect our most critical systems and assets.”
The bill also requires the Department of Education to consult with the Department of Homeland Security and the National Institute of Standards and Technology to find the most pressing workforce needs in critical infrastructure.
The bill has been referred to the House Committee on Education and the Workforce for further consideration.
By Scott Maucione
With the Democrats taking control of the House starting in January, the likely-incoming chairman of the House Armed Services Emerging Threats and Capabilities Subcommittee is whittling down his priorities for the panel in the next legislative session. The top areas he wants to cover have a common thread that should come as no surprise: cyber.
Rep. Jim Langevin (D-R.I.) was just reelected to his tenth term in Congress, and is poised to take the gavel from current chairman, Rep. Joe Wilson (R-S.C.).
In an interview with Federal News Network, Langevin said cybersecurity, election security and keeping a watchful eye over the Trump administration’s new defense cyber policy are some of the most important topics the subcommittee will face in the coming year.
“We want to make sure they are held accountable and we are properly implementing these new strategies,” Langevin said.
DoD’s new cyber strategy, which was released in September, is much more “forward leaning” than strategies of the past, Langevin said. The strategy focuses on great power competition and also allows DoD to more readily conduct cyber operations in defense of the nation outside of its own networks.
What’s concerning is “the unintended consequences,” Langevin said. “If we are going to be more proactive in cyberspace, I think that can be a good thing, but working with allies and having international coordination is essential.”
To that point, Langevin criticized the administration’s decision to eliminate the cybersecurity coordinator at the State Department and the cybersecurity coordinator role on the National Security Council.
The Trump administration said it got rid of the roles in the NSC and State Department as part of an effort to cut back bureaucracy and streamline decision making.
“Big mistake,” Langevin said. “Cybersecurity is not just a U.S. problem or challenge; it’s an international problem and challenge that we need to work on together. Having an international focus and having someone at the State Department is going to help coordinate those cyber strategies and responses.”
While Langevin thinks international cooperation is imperative to the nation’s cybersecurity, he also thinks the government and private sector need to ramp up their communication about cyber threats.
“We are going to continue to track the implementation of the Cybersecurity Information Sharing Act of 2015,” Langevin said. “It has not lived up to its potential or what I certainly hoped we would accomplish in terms of sharing robust threat information, threat signatures and network speed. That has not happened at all to the level it needs to happen.”
Currently, only six companies are sharing cyber threat information with the government and about 200 are taking the information the government is offering, Langevin said.
“That just seems incomprehensible that the numbers would be low, but that’s the reality and we have to do better,” Langevin said. He added that it is unclear why the companies are not signing up for the program.
“We need to get our arms around why and how we can incentivize more robust information sharing,” Langevin said. “The only way we are going to really effectively protect ourselves and the government is to properly inoculate ourselves when we know of a threat signature that could pose harm.”
Langevin is also planning on keeping a close eye on the delegation of authorities given to U.S. Cyber Command as it grows in its role as a full combatant command.
The congressman also stressed the need for a law that governs how quickly data breaches need to be reported. Currently, each state has its own law about how quickly breaches need to be reported; Langevin wants a federal standard of 30 days.
Numbers around the 2020 Defense budget are already beginning to fly. Langevin said he agreed with Rep. Adam Smith (D-Wash.), who will likely chair the House Armed Services Committee, that the United States needs to specialize in certain areas and leave some slack for allies to pick up. That could have an effect on how big the Defense budget ends up.
Smith said Democrats will look at how they can, within a reasonable budget, manage risk while also prioritizing other factors that make a country “safe, secure and prosperous” like paying down debt and fixing infrastructure.
“The biggest problem I feel that we’ve had is, because we get this ‘Oh my God we have to cover everything [mindset],’ we wind up covering nothing well and that leaves the men and women who serve us in a position where they are not properly trained, properly equipped to meet all the missions we want them to meet,” he said. “It’s a complete impossibility to meet all the missions that we dream up.”
Langevin stated the sequestration caps for both defense and nondefense need to be lifted.
By Joseph Marks
The Pentagon and Homeland Security Department have established a memorandum of understanding that details how the departments will work together on cybersecurity in the future, a Homeland Security official confirmed Wednesday.
That agreement “reflects the commitment of both departments in collaborating to improve the protection and defense of the U.S. homeland from strategic cyber threats,” according to written testimony from Homeland Security Assistant Secretary Jeanette Manfra.
It also “clarifies roles and responsibilities between DOD and DHS to enhance U.S. government readiness to respond to cyber threats and establish coordinated lines of efforts to secure, protect, and defend the homeland,” according to the statement delivered to a joint hearing of the cyber panels of the House Homeland Security and Armed Services committees.
A Homeland Security official confirmed the agreement is completed but did not provide additional details.
Rep. Cedric Richmond, D-La., described the agreement in broad terms during the hearing. Richmond, who is the ranking Democrat on the Homeland Security panel, said he has not read the memorandum yet.
The civilian-military agreement comes as the government is trying to ramp up civilian and military cooperation in cyberspace, especially when it comes to protecting election systems and other critical infrastructure such as banks, hospitals and airports.
In advance of last week’s midterm elections, 11 Pentagon cyber officials came over to Homeland Security’s cyber operations center as liaisons, Manfra told lawmakers during the hearing.
Those liaison officers were there to pave the way for their colleagues in case an election cyber threat popped up that state and local officials couldn’t handle on their own with Homeland Security’s support and the military needed to help out, Manfra said.
Though the departments were prepared, that threat didn’t materialize.
Rep. Jim Langevin, D-R.I., the ranking member on the Armed Services panel, praised the Pentagon and Homeland Security for removing legal and bureaucratic barriers to cooperation in advance of the election.
In the future, it will be critical for the two departments to work together on cyber threats, he said.
“While Congress has been abundantly clear about DHS’ primacy in defending civilian networks in the United States, coordination, collaboration and information sharing with the DOD will be critical to the defense of the homeland,” [Rep. Langevin] said.
Congress officially authorized the Defense Department to send those detailees to Homeland Security in August in a pilot program included in the most recent version of the National Defense Authorization Act, an annual defense policy bill.
The mammoth policy bill also mandated other Defense Department efforts to help the civilian government and critical infrastructure providers, such as banks and hospitals, repel cyberattacks if called upon.
The bill also mandated a study on whether to create cyber components in the military reserves that could assist states during a cyber emergency.
Overall, in the months leading up to the election, Homeland Security, the Pentagon and FBI made more progress on sharing cyber threat information and developing a common cyber operations picture than in the prior decade, Manfra told lawmakers.
By Sean Lyngaas
In cybersecurity probes of Department of Defense weapon systems in recent years, penetration testers were able to gain control of systems with relative ease and generally operate undetected, according to a Government Accountability Office report.
“We found that from 2012 to 2017, DOD testers routinely found mission-critical cyber vulnerabilities in nearly all weapon systems that were under development,” the report states.
In one test, a two-person team gained initial access to a system in an hour, then gained full control of the system in a day, the watchdog said. In another, the pen-testers seized control of the operators’ terminals, could see what the operators saw on their screens, and “could manipulate the system,” GAO found. Many of the testers said they could change or delete data. In one case they downloaded 100 gigabytes of it.
The scathing report chalks up the insecurities in the Pentagon’s weapon systems to defense officials’ “nascent understanding of how to develop more secure weapon systems” and the fact that those systems are more networked than ever. Until recently, according to GAO, the Pentagon did not prioritize weapon-system cybersecurity. Furthermore, DOD program officials the watchdog met with “believed their systems were secure and discounted some test results as unrealistic,” the report says.
“Due to this lack of focus on weapon systems cybersecurity, DOD likely has an entire generation of systems that were designed and built without adequately considering cybersecurity,” GAO researchers added.
DOD’s evaluators did not pull out top-drawer tools to breach the weapon systems, but instead used simple techniques that were sufficient in the face of “poor password management and unencrypted communications,” according to GAO.
The report, which focuses mainly on under-development weapon systems, is the product of a 15-month audit that included interviews with officials from the National Security Agency, military testing organizations, and DOD acquisition offices, among other agencies. GAO said its researchers will give Congress a classified briefing on their findings.
Not all of GAO’s findings were negative. The Pentagon has recently moved to improve weapon-system cybersecurity through policy guidance and initiatives to better understand vulnerabilities, according to the watchdog. And one penetration test reviewed by GAO “found that the weapon system satisfactorily prevented unauthorized access by remote users,” albeit not from insiders.
But the report makes clear that DOD’s work to date is far from sufficient in tackling the problem.
“Several DOD officials explained that it will take some time, and possibly some missteps, for the department to learn what works and does not work with respect to weapon-systems cybersecurity,” the report says.
Due to testing limitations, “the vulnerabilities that DOD is aware of likely represent a fraction of total vulnerabilities” in systems, according to GAO.
Defense officials provided technical comments in response to a draft of the GAO report. CyberScoop has requested further comment from the Pentagon.
“The GAO report released today highlighted a shocking reality: just how far behind we actually are in adequately protecting our weapons systems and industrial suppliers from cyber threats,” said Sen. Jim Inhofe, R-Okla., chairman of the Senate Armed Services Committee.
Rep. Jim Langevin, D-R.I., a member of the House Armed Services Committee, said he wasn’t surprised by GAO’s findings. “While DOD has made progress in lowering its cybersecurity risks, it has not moved fast enough,” Langevin said. That is why, he added, Congress has mandated that the Pentagon carry out cyber vulnerability assessments.
URI faculty with expertise in storm modelling and mapping, response and resiliency, ocean and civil engineering, and geologic oceanography will participate in the symposium to be held Tuesday, Oct. 16 from 10:30 a.m. to 12:30 p.m., in Corless Auditorium at URI’s Bay Campus, 215 South Ferry Road, Narragansett, Rhode Island. Registration is at 9:30 a.m.
A 2018 Department of Defense study indicated that more than half of the 3,500 U.S. military’s sites located both in the U.S. and internationally are affected by instances of extreme weather. Storm surge, here in Rhode Island as well as other coastal regions, can be a particular risk, with more than 200 domestic sites alone reporting flooding—an increase of more than 500 percent over the number reported in 2008.
Rear Admiral (Ret.) Jonathan W. White, former commander of the Naval Meteorology and Oceanographic Command, will deliver the keynote address. White has a B.S. in oceanographic technology from the Florida Institute of Technology and holds a master’s degree in meteorology and oceanography from the U.S. Naval Postgraduate School.
He was commissioned through Navy Officer Candidate School in 1983, and has had operational shore assignments at Jacksonville, Florida; Guam; Monterey, California; and Stuttgart, Germany, where his joint duty included Special Operations Command Europe, and strike plans officer for U.S. European Command during Operation Allied Force in Kosovo and Serbia. White commanded the Naval Training Meteorology and Oceanography Facility, Pensacola, Florida, and was the 50th superintendent of the United States Naval Observatory.
White’s sea tours as a naval oceanographer include commander, Cruiser Destroyer Group 12, where he completed deployments on board USS Saratoga (CV 60) and USS Wasp (LHD 1). He was promoted to the rank of rear admiral (upper half) in August 2012 as he assumed his duties as director, Task Force Climate Change, and Navy deputy to National Oceanic and Atmospheric Administration. Rear Admiral White retired in 2015. He presently serves as president and CEO of the Consortium for Ocean Leadership.
Symposium panelists and topics are:
Congressman Langevin, URI President David M. Dooley, and URI’s Vice President for Research and Economic Development Peter J. Snyder will speak at the symposium.
The event is free and open to the public; however, registration is suggested. For more information and a registration link, visit: uri.edu/coastalresilience.