Cybersecurity: Budget cuts force DHS to scale back cybersecurity programs

Published 22 July 2013

Sequestration-mandated federal budget cuts are beginning to have an effect on DHS cybersecurity efforts. Since March, the department has been forced to cancel two conferences and three training sessions for utility companies on how to defend against cyberattacks.

The Wall Street Journal reports that one of the cancelled conferences, which was due to take place next month, was for the Industrial Control Systems Joint Working Group (ICSJWG), a unit established to facilitate information sharing and reduce the risk to U.S. industrial control systems.

“I was amazed they cancelled the [spring conference] because they had probably already spent a lot of money,” Dale Peterson, founder and CEO of Digital Bond, a control systems research and consulting firm, said.

The Journal notes that the cancelled conferences were important for establishing public-private partnerships for cybersecurity defense of critical infrastructure.

“Those two conferences [in May and August] are the main places where they can establish those partnerships,” Peterson told the Journal.

DHS’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) recently sent a memo to the CEOs of electric companies telling them to be vigilant about cybersecurity threats. The memo was sent after an alert in early May warning about “increasing hostility against U.S. critical infrastructure organizations,” according to a memo obtained by the Journal.

The memo outlined several rules that should be established by private critical infrastructure companies to shield themselves better against cyberthreats:

  • Password strength improvement and enforcement by companies
  • Strengthening firewall rules between zones on the network to prevent attackers from moving laterally within networks
  • Implementing detection mechanisms to detect the presence of malicious tools and monitoring network and user logs to identify suspicious behavior
  • Isolating the operational control system networks from the corporate network and establishing restrictive access policies

Security experts are concerned that budget cuts are affecting cybersecurity efforts at a time when more money needs to be put into securing critical infrastructure.

“Everyone seems to think this is a tremendously important issue and nobody seems to be able to find the money to fix it,” Patrick Miller, founder of the nonprofit Energy Sector Security Consortium and a managing partner at The Anfield Group, a security consulting firm, told the Journal. He noted that over the years, ICS-CERT has struggled for funding.

Miller said the sequester is forcing training programs at ICS-CERT to be dropped, a move which will have negative consequences because the trainers at the agency “are some of the best in the business,” and as the programs are cut, the agency could lose the trainers.