To really understand how far agencies have come over the past six years in understanding the risks to their computers and networks, look no further than the attention cybersecurity receives from senior federal officials.
Whether it’s Defense Secretary Leon Panetta’s speech on a retired aircraft carrier earlier this month or the fact a cyber coordinator sits on the National Security Council and the National Economic Council, it’s safe to say senior officials at all levels fully comprehend the implications of a cyber attack.
It’s that recognition that is giving agencies the ability to make real progress in protecting their networks.
“You’ve got agency mission leaders understanding how IT and especially cyber, the connection of their information through open networks, and in some cases closed networks, reaches their constituents and how it enables them to accomplish their mission more effectively,” said Dan Chenok, a former Office of Management and Budget official and former chairman of the Information Security and Privacy Advisory Board, a federal advisory committee. “They understand a risk or threat to that is a mission critical threat or risk.”
Silver lining in VA breach
A major reason for that recognition occurred six years ago when an employee of the Veterans Affairs Department had a laptop containing the data of 26 million veterans stolen from the trunk of his car.
The common thought among every agency official was that it easily could have been their department.
“That one made it real because it affected so many people and it affected a population that the American people are very fond of, veterans,” said Karen Evans, who was the OMB administrator for e-government and IT during the VA data breach and now is the director of the U.S. Cyber Challenge. “It was a national incident even though it wasn’t something like someone exfiltrated information. But it showed how vulnerable you could be even though you thought you were doing everything right.”
Federal News Radio’s special report, Cybersecurity Rising, explores the impact the VA data breach has had on how agencies view and address cyber threats.
Since that seminal cybersecurity event in 2006, agencies and private sector organizations have created a laundry list of policies, memos and reports. OMB, for its part, has tried to address significant holes in agency networks and computers.
But paper alone hasn’t changed the way networks are protected. It’s that senior leadership comprehension that has made the difference, according to current and former federal officials and other cyber experts.
Chenok, who is now the executive director with the IBM Center for the Business of Government, said the average secretary or deputy secretary may not know how to secure a system or network, but they know if their networks get hacked or if data is lost, it’s very bad.
No longer an IT concern
One of the best and most recent examples of how tightly officials grasp cybersecurity came during the Cyber Storm 3 tabletop exercise earlier this year.
The Homeland Security Department first kicked off the exercise in February 2006. Since then, it has grown to include a larger number of state, local, international and private sector organizations.
“We went through a drill of a cyber attack. We had principals from all the agencies, all the power grids, water, [critical infrastructure] of all varieties and international partners,” said Jeff Eisensmith, the chief information security officer for the Immigration and Customs Enforcement directorate at DHS. “It was really the first time that I saw that level of senior management knowledge about just what a cyber threat could do, what the physical ramifications could be. That brought it home to me that it’s just not an IT concern now, and upper level management knows it.”
Eisensmith said while the cyber exercise showed a strong degree of collaboration and coordination, that wasn’t always the case.
Before the VA incident, senior officials looked at IT security as a back room function. Beyond the Defense Department, many senior leaders only paid attention when their Federal Information Security Management Act reports to Congress were due.
The VA incident, however, opened the door to the threat of cyber attack or the loss of personally identifiable information more broadly. In addition to the most senior officials, CFOs, program managers and most anyone who never worried about technology before began to pay closer attention to cybersecurity.
Eisensmith said that shift is even more pronounced now.
“The old security paradigm was that here are the rules, here are the regulations and if you can’t fit in them, then too bad, so sad. That is not the case today,” he said. “Very much, security is becoming a customer oriented service. What is it that my mission has to do to get the job done? This shop is not here to do security. This shop is here to enhance the mission.”
Eisensmith added that the CISO’s office has to figure out the best way to integrate security and mission needs in a way that doesn’t impact either too greatly. This means security has to be more flexible in how it’s applied and be based on how much risk agencies are willing to take on.
To get to this flexible place, OMB laid a lot of groundwork over the last six years and continues to address growing areas of security concern such as cloud computing and mobile devices.
16 memos in two years
While at OMB, Evans and then-deputy director for management Clay Johnson issued five memos between May and September 2006 addressing cybersecurity. The following year, OMB issued five more and in 2008 six more cyber-related memos — in all, 16 policies highlighting new or existing initiatives over a two-plus year period.
While memos alone don’t make agencies more secure, initiatives such as the Trusted Internet Connections or the Federal Desktop Core Configuration started to stick and turned the government’s cyber posture for the better.
Evans said agencies have been moving in the right direction albeit more slowly than she and many would have liked.
“You now are at that next stage where it really needs to hit the applications,” she said. “I really believe, for example TIC in combination with proper implementation of Homeland Security Presidential Directive-12, which is really controlling access and authorizing people to what they should have access and saying these people are who they say they are, it’s the combination of those two things together which will turn the tide, so to speak, in the cybersecurity world.”
Other experts pointed to the move to continuous monitoring as a way to meet FISMA requirements, calling it the biggest change over the last six years.
Alan Paller, the research director of the Sans Institute, has been an outspoken critic of the paperwork compliance aspects of FISMA.
He said agencies have spent more than $2 billion since 2006 on filling out FISMA reports.
But over the last few years a couple of agencies had what he called an “a-ha moment” when it came to securing their systems. Paller said the idea of how to really secure their networks has spread across the government.
“What [John] Streufert, NASA and these other guys did was say, ‘Wow, if I handed the guy with administrative privileges on a machine the list of two or three things he has to do first, he might just do it. If I give him a list of a thousand things, which is what I used to do at the end of a vulnerability test, then he’ll just ignore me,'” he said. “They saw they had a lever and they didn’t need power. A lot of security people think they can’t get anyone to act without power. But these guys said ‘Oh wow, if I show them what to do and grade them on doing it, they’ll do it.'”
It’s focusing on those few areas, as Paller described, that has made a difference.
Doing the little things
Paul Nicholas, a senior director in Microsoft’s Trustworthy Computing division and a former White House cyber director under the Bush administration between 2002 and 2004, said he thinks the changes to FISMA and the implementation of the Federal Desktop Core Configuration were important initiatives. But it’s something as simple as paying attention to patch management that has greatly improved agency security.
“The faster patches can be deployed, the shorter the risk window is,” he said. “There was a time in the federal government where it could take 60 to 90 days to get a critical patch deployed, so getting that cut down to a matter of hours is a dramatic reduction window of risk for government agencies.”
In fact, Paller said the Air Force used a standard configuration to cut its patch time from 57 days to 72 hours and saved $100 million per year in patch testing.
Nicholas said each of these initiatives has built on the others to create a patchwork of cyber defenses, or what many are calling defense-in-depth.
Eisensmith said ICE is testing this defense-in-depth concept in several ways.
One of the pilots is changing the way it runs its security operations center. He said ICE used a “cat and mouse game” where the agency had a large attack surface and the bad actors had to find any one weakness.
Now Eisensmith said ICE is borrowing a DoD approach, called a kill chain.
“What it says is every time you get tripped over, there are multiple layers in your defenses, where did they get in and at what point did you find it? So you begin to refine the process and begin to look at every single intrusion you have and find out what the source is. You keep plugging the source of those weaknesses,” he said. “You eventually create a body of knowledge and a layer of defenses that is fairly robust. At this point, if an opponent wants to get in, they have to defeat every one of those layers. We change the way we do defense so that it becomes a lot harder for the offense than it does for the defense.”
Eisensmith said this approach takes time, but the payoff is well worth it because it makes your agency more secure.
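The layered review Eisensmith describes (for every intrusion, record which defensive layers the intruder got past and which layer finally caught it, then fix the layers that fail most often) can be expressed as a small analysis routine. The following is an added illustration, not code from the article, ICE or DoD; the layer names and the five incident records are constructed sample data, and the scoring rule (rank layers by how often an attacker who reached them got past unnoticed) is an assumption chosen for the example.

```python
"""Kill-chain style review of intrusions across layered defenses (added example).

For each intrusion we record the attack path as an ordered list of
(layer, outcome) pairs, outermost layer first; outcome is "missed" when the
attacker got past that layer unnoticed and "detected" when it raised the
alert. Aggregating over many incidents shows which layers to plug first.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Ordered defensive layers, outermost first. Constructed for this example.
LAYERS = ["perimeter_firewall", "email_filter", "endpoint_av",
          "host_hardening", "soc_monitoring"]


@dataclass
class Intrusion:
    incident_id: str
    # (layer, "missed" | "detected"), outermost first; layers not on the
    # attack path are simply omitted (an email-borne attack never hits the firewall).
    path: list[tuple[str, str]]


def validate(inc: Intrusion) -> bool:
    """Reject records that contradict the layer model: unknown layers, layers
    out of order, or events recorded after the detection that ended the chain."""
    positions = []
    for i, (layer, outcome) in enumerate(inc.path):
        if layer not in LAYERS:
            raise ValueError(f"{inc.incident_id}: unknown layer {layer!r}")
        if outcome not in ("missed", "detected"):
            raise ValueError(f"{inc.incident_id}: bad outcome {outcome!r}")
        if outcome == "detected" and i != len(inc.path) - 1:
            raise ValueError(f"{inc.incident_id}: events recorded after detection")
        positions.append(LAYERS.index(layer))
    if positions != sorted(positions) or len(set(positions)) != len(positions):
        raise ValueError(f"{inc.incident_id}: layers out of order or repeated")
    return True


def detection_depth(inc: Intrusion) -> int | None:
    """Number of layers the intruder got past before being caught; None if never detected."""
    for depth, (_, outcome) in enumerate(inc.path):
        if outcome == "detected":
            return depth
    return None


def layer_miss_rates(intrusions: list[Intrusion]) -> dict[str, float]:
    """For each layer, the fraction of intrusions that reached it and got past it unnoticed."""
    seen, missed = Counter(), Counter()
    for inc in intrusions:
        validate(inc)
        for layer, outcome in inc.path:
            seen[layer] += 1
            if outcome == "missed":
                missed[layer] += 1
    return {layer: missed[layer] / seen[layer] for layer in seen}


def weakest_layers(intrusions: list[Intrusion], top_n: int = 2) -> list[str]:
    """Layers to plug first: highest miss rate, ties broken by outermost position."""
    rates = layer_miss_rates(intrusions)
    return sorted(rates, key=lambda layer: (-rates[layer], LAYERS.index(layer)))[:top_n]


def summarize(intrusions: list[Intrusion]) -> dict:
    """Undetected incidents (found some other way) and mean depth of the detected ones."""
    depths = {inc.incident_id: detection_depth(inc) for inc in intrusions}
    detected = [d for d in depths.values() if d is not None]
    return {
        "undetected": [i for i, d in depths.items() if d is None],
        "mean_detection_depth": sum(detected) / len(detected) if detected else None,
    }


# Constructed sample incidents (not real ICE data).
SAMPLE = [
    Intrusion("inc-1", [("perimeter_firewall", "missed"), ("endpoint_av", "missed"),
                        ("soc_monitoring", "detected")]),
    Intrusion("inc-2", [("email_filter", "missed"), ("endpoint_av", "detected")]),
    Intrusion("inc-3", [("email_filter", "missed"), ("endpoint_av", "missed"),
                        ("host_hardening", "missed")]),          # never detected internally
    Intrusion("inc-4", [("perimeter_firewall", "detected")]),
    Intrusion("inc-5", [("email_filter", "missed"), ("endpoint_av", "missed"),
                        ("soc_monitoring", "detected")]),
]

if __name__ == "__main__":
    for layer, rate in sorted(layer_miss_rates(SAMPLE).items(), key=lambda kv: -kv[1]):
        print(f"{layer:20s} miss rate {rate:.2f}")
    print("plug first:", weakest_layers(SAMPLE))
    print(summarize(SAMPLE))
```

On the sample data the email filter and host hardening were passed every time an attacker reached them, so they come out first in the "plug next" list, while the SOC layer caught everything that got that far; an incident that no layer detected (inc-3) is reported separately rather than silently skewing the average depth.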
Workforce is the next big challenge
Improvements around patch management and the testing of innovative approaches to security have helped agencies make significant progress over the last six years, but experts say plenty of cyber holes remain.
Paller said the biggest challenge for many agencies is with their workforce.
“The demand for advanced cyber skills has skyrocketed,” he said. “There is no more critical need. We now have national programs that are getting off the ground to build a pipeline of advanced talent.”
Paller is referring to DHS’ creation of 11 task forces based on recommendations by the Homeland Security Advisory Council’s task force on cyber skills.
Paller and others say getting the right workers with the right skills is a big part of fighting the advanced and persistent cyber threat agencies will continue to face.
“The next evolution of management is around services,” Evans said. “It shifts the risk a little bit so it’s not so much on the agency, but it’s also on the providers. At that point, an agency has to decide the level of risk associated with the information and whether they keep it internally or work with a cloud provider and add additional layers of security because they can distribute my costs.”
Tom Temin is the host of The Federal Drive, which airs from 6-10 a.m. on 1500 AM in the Washington, D.C. region and online everywhere. Tom has 30 years experience in journalism, mostly in technology markets. Before coming to Federal News Radio, he was a long-serving editor-in-chief of Government Computer News and Washington Technology magazines.