Tuesday, April 23, 2013

United State spending on federal cyber security grows in Obama's new 2014 budget (part 1)

Obama's proposed federal budget for 2014 includes broad cuts to a number of departments and programs, including funding cuts of 34.8% for the Department of Homeland Security, 17.7% for the Department of State, and 8% for the Department of Defense.

Despite these cuts, one area the new budget doesn't skimp on is cyber security. The President has consistently called for increased focus on cyber security across both public and private sectors, declaring "The cyber threat is one of the most serious economic and national security challenges we face as a nation".

This policy is reflected in Obama's 2014 budget, the introduction to which states:
"We must also confront new dangers, like cyber attacks, that threaten our Nation’s infrastructure, businesses, and people. The Budget supports the expansion of Government-wide efforts to counter the full scope of cyber threats, and strengthens our ability to collaborate with State and local governments, our partners overseas, and the private sector to improve our overall cybersecurity."

This blog post series will examine the increases in cyber-security spending across each federal agency in the 2014 budget. We will start with the Department of Commerce.

Department of Commerce

The Department of Commerce will allocate $754M (an increase of $131M from the 2012 enacted level) to the National Institute of Standards and Technology (NIST), a good chunk going towards NIST's cyber security mission:
"This funding will accelerate advances in a variety of important areas, ranging from cybersecurity and smart manufacturing to advanced communications and disaster resilience."

NIST's own 2014 budget request contains more details about their cyber-security spending, including the following increases:

When it comes to R&D and Standards (the first line item above), NIST already has well-established role. NIST is the main agency responsible for approving  cryptographic standards used all over the world, including the Advanced Encryption Standard (AES) and the various secure hashing algorithms we've all come to know and love. Much of the rest of the world takes its cue on approved cryptographic practices from NIST.

In addition to its cryptographic mission, NIST is responsible for developing security standards and policies for government agencies through its use of "Special Publications", including most notably:

I recommend that you browse the complete list of NIST's special publications, as there are some good resources there.

NIST runs the NVD (National Vulnerability Database) and the CSRC (Computer Security Resource Center). More information about NIST's computer security initiatives can be found on the NIST Computer Security Division site.

NIST maintains some technical standards related to security automation and the interoperability of security tools like the ones we develop at Rapid7. This family of related standards includes SCAP (Security Content Automation Protocol), OVAL (Open Vulnerability Assessment Language), and XCCDF (Extensible Configuration Checklist Description Format).

In the next part of this series, we will look at the Department of Defense's proposed increases in cyber-security spending.