Is the federal government at greater risk of a catastrophic cyberattack if all of its digital systems are run by a single vendor? Or should federal networks have a diverse set of vendors with a range of products?
For years, experts have debated the issue. Advocates of a single vendor often compare the practice to keeping all of the gold reserves at Fort Knox where it can be better protected. More recently, however, we have seen hackers from both the People’s Republic of China and the Russian Federation able to execute debilitating cyberattacks on federal agencies and critical infrastructure because of a vulnerability in a single large scale technology vendor’s systems, raising alarms with government advisors.
The Center for Cybersecurity Policy and Law (CCPL) wanted to look at this question of concentration risk. In order to provide both sides of the picture, CCPL conducted a real-time tabletop exercise in April that saw a group of security experts simulating an attack against two fictional U.S. agencies with varying degrees of IT concentration and diversity. The intent of the exercise was to investigate how these differently constructed systems, between the two government agency targets, influenced the actions, successes and failures of the adversarial team testing such networks. This exercise enables cybersecurity professionals to test their defenses, and similar exercises have been conducted by both government and industry.
The tabletop exercise was conducted in a scenario consistent with the recent real-world attacks. There was an adversarial team, teams representing the two fictional federal agencies, and one representing the executive branch. Each team took turns during the exercise to determine next steps. The adversarial team began the exercise in possession of compromised signing keys for “OmniCorp-Ident,” the core identity and access management suite from OmniCorp that underlies all their products and services. This enabled attackers to gain access to critical systems, exfiltrate data and carry out destructive attacks.
As the exercise progressed, the agency with more technology from OmniCorp had a higher penetration rate as attackers were able to move quickly through the system and cause serious damage. The other agency, with more diversified technology, still saw some damage but sustained much less than the agency with a higher amount of technology from one vendor.
The exercise showed a stark difference between the two agencies and suggested that having a diverse IT environment can help stave off attackers. After analysis of the results, the Center for Cybersecurity Policy and Law drafted a full report that offered the following recommendations:
In coordination with industry, the National Institute of Standards and Technology (NIST) should undertake an effort to further define the types and boundaries of IT monoculture and how organizations can measure the potential risk it creates in the context of their purchasing and implementation decisions. Results should be considered for inclusion in the Cybersecurity Framework and other risk management guidance published by NIST.
To better understand the scope and potential risk of IT monoculture in the federal government, the Office of the National Cyber Director should direct the Cybersecurity & Infrastructure Security Agency, the Defense Department, the General Services Administration and other agencies as appropriate, to ascertain the existence of IT consolidation across all departments and agencies.
Congress, specifically the Committee on Homeland Security and Governmental Affairs, should investigate and provide oversight on the risk of IT consolidation across federal government departments and agencies.
Following the study, it is clear that services and citizen information are much better protected using a variety of vendors who utilize resilience in their diversity of products. We urge both government and industry to diversify their systems in order to better safeguard against the next major cyberattack.
Ari Schwartz is coordinator of the Center for Cybersecurity Policy and Law and former special assistant to the President and senior director for cybersecurity on the National Security Council.
Government IT systems in the hands of a single vendor puts agencies at risk
Advocates of a single vendor often compare the practice to keeping all of the gold reserves at Fort Knox where it can be better protected.
Is the federal government at greater risk of a catastrophic cyberattack if all of its digital systems are run by a single vendor? Or should federal networks have a diverse set of vendors with a range of products?
For years, experts have debated the issue. Advocates of a single vendor often compare the practice to keeping all of the gold reserves at Fort Knox where it can be better protected. More recently, however, we have seen hackers from both the People’s Republic of China and the Russian Federation able to execute debilitating cyberattacks on federal agencies and critical infrastructure because of a vulnerability in a single large scale technology vendor’s systems, raising alarms with government advisors.
The Center for Cybersecurity Policy and Law (CCPL) wanted to look at this question of concentration risk. In order to provide both sides of the picture, CCPL conducted a real-time tabletop exercise in April that saw a group of security experts simulating an attack against two fictional U.S. agencies with varying degrees of IT concentration and diversity. The intent of the exercise was to investigate how these differently constructed systems, between the two government agency targets, influenced the actions, successes and failures of the adversarial team testing such networks. This exercise enables cybersecurity professionals to test their defenses, and similar exercises have been conducted by both government and industry.
The tabletop exercise was conducted in a scenario consistent with the recent real-world attacks. There was an adversarial team, teams representing the two fictional federal agencies, and one representing the executive branch. Each team took turns during the exercise to determine next steps. The adversarial team began the exercise in possession of compromised signing keys for “OmniCorp-Ident,” the core identity and access management suite from OmniCorp that underlies all their products and services. This enabled attackers to gain access to critical systems, exfiltrate data and carry out destructive attacks.
Learn how high-impact service providers have helped the government reinvent the way they deliver their mission and services to the public in this exclusive ebook, sponsored by Carahsoft. Download today!
As the exercise progressed, the agency with more technology from OmniCorp had a higher penetration rate as attackers were able to move quickly through the system and cause serious damage. The other agency, with more diversified technology, still saw some damage but sustained much less than the agency with a higher amount of technology from one vendor.
The exercise showed a stark difference between the two agencies and suggested that having a diverse IT environment can help stave off attackers. After analysis of the results, the Center for Cybersecurity Policy and Law drafted a full report that offered the following recommendations:
Following the study, it is clear that services and citizen information are much better protected using a variety of vendors who utilize resilience in their diversity of products. We urge both government and industry to diversify their systems in order to better safeguard against the next major cyberattack.
Ari Schwartz is coordinator of the Center for Cybersecurity Policy and Law and former special assistant to the President and senior director for cybersecurity on the National Security Council.
Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
Related Stories
When cybersecurity becomes a personal matter
By one count, the cybersecurity job market is running dry
Agency cybersecurity incidents grew by almost 10% last year