Ramping Up Agency Security, Yet Again
Federal CIO Tony Scott's 30-day Cybersecurity Sprint
A new Obama administration cybersecurity initiative isn't placing new burdens on federal agencies; it's aimed at getting them to comply with recommended safeguards they've failed to implement.
Federal CIO Tony Scott is heading up the initiative, unveiled late last week, to require agencies to patch critical vulnerabilities without delay; tighten policies for accessing systems and applications, especially for privileged users who are granted extra levels of control; and accelerate use of multi-factor authentication.
The initiative also would require federal agencies to immediately inform the Department of Homeland Security of malicious activities in their IT systems.
Karen Evans, who held Scott's job in the George W. Bush White House, says government initiatives to get agencies to comply with cybersecurity processes aren't new, but the clock is ticking for the Obama administration to improve security during its remaining months in office.
"This is doubling down," Evans says. "It's the last 18 months of the [Obama] administration, and look at everything that has happened. You have [Scott] who is an operational CIO. He's looking at it and saying, 'You should have these things done.'"
Evans' predecessor, Mark Forman, says the outcome of the initiative could give agencies fodder in making the argument for more money for critical cybersecurity projects. "We're almost three-quarters the way through the fiscal year, so resources are fairly far along in being consumed," Forman says. "But now with having this memo and having all this guidance, the CIOs and the information security officers can go to the budget process and show that this is a priority. It's the unwritten purpose of this memo, if you know what I mean."
Those CIOs and CISOs need help because getting agencies to implement cybersecurity safeguards hasn't been easy for government IT security practitioners. "This is hard; it's not trivial to do this," says former DHS Deputy Undersecretary for Cybersecurity Mark Weatherford, a principal at the security consultancy The Chertoff Group. "And, it's going to take a lot of work. But as long as people can build a remediation plan, and stick to that, and be measured against that, that's best effort, and you can't fault people for best effort. But it's really going to require somebody to hold them accountable and make sure they are doing that."
And who should that person be? Weatherford answers: "Tony Scott. He's the one who put the memo out. He's the one who's leading this effort."
Initiative Preceded IRS, OPM Hacks
Over the years, the Obama administration has issued a number of programs and directives to improve federal government cybersecurity. Work on this initiative began before the Internal Revenue Service and Office of Personnel Management had been victimized by major breaches in the past month. Scott telegraphed his intentions to pursue such an initiative at his first appearance before Congress in April (see New Federal CIO Withholds InfoSec Judgement). "There is no agency, even the ones that we looked at so far, who we believe is doing a really good job, who would say, 'We're done' or 'we've done enough and, you know, it's the end of job,'" Scott told the House Oversight and Government Reform Committee. "Everyone believes there's more that we can and should do."
Still, the administration is using those breaches to get buy-in to its initiative. "Recent events underscore the need to accelerate the administration's cyber strategy and confront aggressive, persistent malicious actors that continue to target our nation's cyber infrastructure," a White House statement says.
The White House created a "cybersecurity sprint team," led by Scott, to conduct a 30-day review of the federal government's cybersecurity policies, procedures and practices. Team members include other cybersecurity experts from OMB, where Scott is based, the National Security Council, Defense Department and DHS. Once the review is completed, according to the White House, Scott will create and implement a set of action plans and strategies to further address critical cybersecurity priorities and recommend a federal civilian cybersecurity strategy.
One goal of the initiative is to compel agencies to identify their respective cybersecurity shortfalls and to get them to develop plans to fix them.
Key principles of the strategy the White House expects to come out of the review are:
- Protecting data at rest and in transit;
- Improving situational awareness;
- Increasing cybersecurity proficiency to ensure a robust capacity to recruit and retain cybersecurity personnel;
- Improving overall risk awareness by all users;
- Standardizing and automating processes to decrease time needed to manage configurations and patch vulnerabilities;
- Controlling, containing and recovering from incidents to identify and resolve events and incidents quickly;
- Strengthening systems lifecycle security to increase inherent security of platforms by buying more secure systems and retiring legacy systems in a timely manner; and
- Reducing attack surfaces by decreasing complexity and the number of things defenders need to protect.
Keeping Up Is Challenging
The failure of agencies to implement effective cybersecurity processes is well-documented in countless Government Accountability Office and agency inspector general audits. "Systems and networks are so complicated and large - and given the priority or their resources - it's sometimes a challenge for agencies to keep up with it," says Gregory Wilshusen, GAO director of information security issues.
Some cybersecurity experts contend that government breaches could have been thwarted, or at least made more difficult to achieve, if two-factor authentication were in place at the time of the attack. OMB requires agencies to use a government-issued personal identity verification, or PIV, card along with a password to access government systems. But not all agencies have complied.
According to the latest OMB annual report to Congress on the state of government cybersecurity, 77 percent of users at the 24 largest agencies (excluding DoD, which has its own rules) employ two-factor authentication incorporating PIV cards. However, 11 of those so-called CFO agencies report no users employ PIV-card two-factor authentication.
But numbers can mislead. The OMB report says 93 percent of OPM employees and contractors log on remotely using the PIV card and a password. However, as an OPM inspector general report from last year shows, some challenges exist to implementing two-factor authentication universally. For instance, some devices, such as iPads, were noncompliant. The IG also discovered remote access sessions didn't terminate or lock out after a specified period of time. As of Sept. 30, the end of fiscal year 2014, more than 95 percent of OPM workstations required PIV authentication to access the OPM network. However, none of the agency's 47 major applications required PIV authentication.
Timely patching of applications with critical vulnerabilities is another challenge for many agencies. Wilshusen says it's not uncommon for software to remain unpatched for months, and in some instances, as long as three years, after vendors issue patches.
Tightening access to critical systems by privileged users also presents a challenge. Wilshusen says he often sees systems and network administrators assigning themselves simple passwords and sharing those identities with other administrators. "It always perplexes me that these administrators often use the least secure methods of authentication," Wilshusen says. "Their primary concern [isn't security but] is to make sure they can [do what's needed] to keep the network up and running."
Advice for Those in the Trenches
Weatherford sees the intent of the new initiative as addressing the operational, not policy, aspects of cybersecurity. The initiative could help agencies define specific ways to help IT security practitioners in the trenches to implement basic cybersecurity hygiene, he says.
"Because of the distributed nature of the federal government, and each agency controlling its own destiny without a lot of fairly significant oversight, there are big gaps in federal government cybersecurity," Weatherford says. "This [initiative will be] very specific and very actionable. When people are given very specific paths like this, they'll know what they need to do."