In-brief: In a 21-page memorandum posted on the White House website, the Obama Administration identified its top cyber security priorities. Among them: identifying high value information and assets on government networks, responding to cyber incidents in a timely manner and finding and keeping qualified information security staff. It's a list that one leading security expert says sounds worryingly familiar to earlier federal nostrums.
The U.S. Government just completed its first ever “30-day cybersecurity sprint” to assess the information security needs of a massive federal bureaucracy. The result? A really long to-do list.
In a 21-page memorandum posted on the White House website, Federal CIO Tony Scott and Shaun Donovan, the director of the Office of Management and Budget, outlined the results of a month-long exercise in their Cybersecurity Strategy and Implementation Plan (CSIP) for the Federal Civilian Government. Among the top priorities: identifying high value information and assets on government networks, responding to cyber incidents in a timely manner and finding and keeping qualified information security staff. It's a list that one leading security expert says sounds worryingly familiar to earlier federal nostrums.
The report follows a June announcement by Scott that instructed Federal agencies to take steps to protect Federal information and assets and improve the resilience of Federal networks. The specific instructions to agencies focused on areas like identifying “threat actor Techniques, Tactics and Procedures” (or TTPs, to use industry jargon) and patching critical vulnerabilities in systems “without delay.”
Scott also created a Cybersecurity Sprint Team made up of representatives of OMB’s E-Gov Cyber and National Security Unit, the National Security Council Cybersecurity Directorate (NSC Cyber), DHS and the Department of Defense. Their charge was to lead a 30-day review of the Federal Government’s cybersecurity policies, procedures, and practices. The report, released on October 30, is the end product of that process and represents a roadmap for next steps following the 30-day review period.
Alas, many of the recommendations of the Sprint team have been heard many times before in the context of federal cyber security.
Among other things, the CSIP instructs agencies to “continue to identify their high value assets (HVAs) and critical system architecture in order to understand the potential impact to those assets from a cyber incident.” Federal agencies are encouraged to beef up identity and access management on Federal information systems to “drastically reduce vulnerabilities and successful intrusions.” OMB is charged to work with the Department of Homeland Security and the National Security Council to develop “best practices for use by Federal agencies,” including “lessons learned from past cyber incidents.” In terms of accountability, the CSIP report suggests that federal CIOs and CISOs have “direct responsibility and accountability for implementation of the CSIP, consistent with their role of ensuring the identification and protection of their agency’s critical systems and information.”
So: better patch management, better identity management, better network visibility and improved hiring? That all sounds like advice that the federal government has been offered before, said John Pescatore, the Director of The SANS Institute. A more useful report would not only map out deliverables but also weigh the bigger question of why past efforts to shore up federal cyber security have fallen short.
As an example, Pescatore notes a part of the CSIP report that directs agencies to patch all critical vulnerabilities immediately or, at a minimum, within 30 days of patch release. “That’s great, but we’ve been saying that forever. A better question might be ‘why hasn’t it happened yet?’”
Pescatore said that root cause analysis of known breaches of federal systems, such as at the Office of Personnel Management, might identify some core problems that have resulted in damaging compromises, or that have impeded progress on past federal information security initiatives designed to head off attacks and breaches. By focusing only on prospective action, the CSIP risks creating the impression that the federal government can “sprinkle more security stuff around” and solve its problems, he said.
Despite a massive IT budget, the U.S. Federal Government is beset by problems including lax controls, legacy systems that are difficult to support and challenges attracting top information security talent away from better paying, private sector jobs. Recent incidents like the hack of OPM, which spilled sensitive, personal information on millions of government employees, underscore the challenges facing the government.
OPM struggled with information security and IT risk management for years leading up to the hack, according to a string of reports from the Government Accountability Office (GAO) stretching back a decade. Among those challenges: a heavy reliance on legacy technology, including mainframe systems running applications written in programming languages like COBOL, and a nest of connections between OPM systems and personnel systems at some 400 federal agencies.
In a May 2013 report describing OPM’s efforts to modernize federal employee retirement processing systems, for example, the GAO documented failed IT modernization efforts stretching back two decades and concluded that OPM lacked the management capabilities to realize its stated goals.
“Among the management disciplines the agency has struggled with are project management, risk management, organizational change management, cost estimating, system testing, progress reporting, planning, and oversight,” GAO wrote.
No surprise: those shortcomings extended to the realm of information security as well. OPM systems for performing background checks were the target of hackers in December 2014, when information on 48,000 federal employees was exposed in a breach of KeyPoint Government Solutions, which conducts background investigations of federal employees seeking security clearances. Notably, that breach was discovered by the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC), not by OPM staff.
The CSIP report sets an ambitious agenda for delivering on its key objectives, spread across areas like asset identification, protection, incident detection and response, human resources and emerging technologies. Still, Pescatore said that many of the government’s problems boil down to operational rather than technology issues, and that the government needs to address those while also modernizing some of its information security tools to get in front of a fast-moving problem. “IT ops is broken,” he said.
Still, there are bright spots within an otherwise bleak landscape: agencies and departments that have been successful at managing the security of their IT infrastructure and preventing large-scale and damaging incidents. The question, Pescatore said, is why some agencies are better than others and what makes them better. Answering those questions, he said, may help improve the performance of the entire federal government.