The intelligence community, like every other federal and private sector organization, suffers from the common employee disease of “linkclickitis.”
It’s described by doctors as a condition where the employee has an uncontrollable urge to press the left button on the mouse while hovering over a link sent by email.
But the good doctors, err developers, from the Intelligence Advanced Research Projects Agency (IARPA) may have found a cure or at least a way to isolate the disease so it doesn’t do harm to the rest of the body.
Kerry Long, a program manager at IARPA, said his team is in final testing of an approach called Virtuous User Environment (VirtUE), which puts email, applications, data and other key functions in separate cloud containers. About two years ago, IARPA released a broad agency announcement asking for help in solving the spear phishing plague that was, as Long described it, “eating our lunch” across the IC.
“In VirtUE, we created containers that take on different user roles, which could be browsing email or working on a document. Each of those resources have different risk profiles,” Long said at FCW’s cloud security workshop on Feb. 21 in Washington, D.C. “So browsing your email is the riskiest thing you are doing and second is going to the public internet and in the environment we give you today, we combine all those risks and then it surprises and shocks us when bad things happen. The design of today’s environment is basically encouraging that. In many ways, the VirtUE program was designed to combat.”
He said each function has its own container that has all the protections needed for that role, and those containers, which sit in a cloud instance, can be shared and traded as needed.
“Imagine a user has five or six roles that they do during the day and there are five or six virtual machines running in the cloud all separate, doing these different roles so they are isolated from each other. But your interface hides that from you and when you are doing the role, it’s coming back to you in real time,” Long said in describing how VirtUE could work. “When an adversary breaks in now to one of your roles, gets really frustrated because there is nothing else there but email. There is no connectivity that he can ride between the roles.”
By limiting the roles to specific containers, IARPA and its industry partners are solving one of the most challenging cybersecurity problems: stopping network hopping once an attacker gets through the initial set of cyber defenses.
Long said the idea came from the growth of containers, which have revolutionized the way developers work and use the cloud.
In less than a month, IARPA will release the VirtUE approach to the public for review and use.
“Now that VirtUE is nearly completed, it’s about 75 percent successful,” he said.
Long said the cloud is a big reason why VirtUE can help provide a cure to the link clicking disease.
“The cloud gives us the opportunity to reinvent anything we want. But the lack of imagination because the things I know about, the things we like, the things we are used to are what we all want to see in the cloud. It makes sense, but IARPA’s main mission is to challenge cloud innovation. We keep asking to reimagine what it could be in the cloud. [The cloud providers] can make anything they want in the cloud and they do. Maybe the government needs to be more innovative.”
The success of VirtUE is coming at a perfect time for agencies. Not only does spear phishing continue to plague federal departments, but more and more agencies are moving to the cloud.
Ashley Mahan, the director of the Federal Risk Authorization Management Program (FedRAMP), said her organization has seen a 60 percent increase in the number of CFO Act agencies using the cloud over the last year.
She said the biggest trend is around agencies using software-as-a-service cloud offerings.
This is especially true under the FedRAMP Tailored approach, which is for low-risk cloud services to get through the security process more quickly.
“In 2018, more SaaS has come through the Tailored program than any other year, and 25 percent of in process SaaS offerings are going through the Tailored model,” Mahan said. “Over 20 agencies have expressed interest in working with a vendor through the Tailored model. We’ve had conversations with over 40 cloud service providers who are interested in bringing a product through Tailored. We have 11 cloud services that have achieved FedRAMP Tailored authorizations and we’ve had 10 agencies that have worked with them.”