There’s no question that government leaders are sincerely and firmly committed to developing more effective cybersecurity models to thwart ever-proliferating and shifting cyber threats. But a recent report from the Office of Inspector General within the Department of Homeland Security reveals how a variety of complex challenges can stall — if not entirely scuttle — such initiatives.
As is often the case, this particular sequence of events began with a sense of noble purpose: In recognizing cybersecurity as a government-wide priority, the Office of Management and Budget required in 2013 that federal agencies establish an Information Security Continuous Monitoring (ISCM) program to help identify and respond to cyber threats. Through ISCM, organizations maintain ongoing awareness about security risks, vulnerabilities and threats to support effective risk-management decisions.
In working with OMB to oversee the implementation of federal department/agency-level ISCM strategies, DHS launched the Continuous Diagnostics and Mitigation (CDM) program in 2013 to enable agencies to manage security risks on a 24/7/365 basis.
According to the OIG report, DHS has encountered a great many difficulties with its own internal CDM effort. It notes that despite spending more than $180 million between 2013 and 2020 to build a department-wide continuous monitoring solution, DHS “has not yet strengthened its cybersecurity posture by implementing a CDM program” due to setbacks.
At first, the department’s Office of the Chief Information Security Officer introduced a “One DHS” approach which would focus on the use of a standard set of CDM tools. But a major roadblock emerged when DHS agencies indicated that they wanted to use their existing tools instead of switching to other software to comply with One DHS. In addition, DHS “wasted” $38 million on a continuous monitoring dashboard solution which crashed shortly after deployment, according to the OIG report.
In 2019, the department shifted away from One DHS to an approach named Dynamic and Evolving Federal Enterprise Network Defense (DEFEND), to allow DHS agencies to use a flexible suite of tools to collect CDM-required data. Still, as of March 2020, an internal CDM dashboard solution reported less than one-half of the required asset management data because the department was struggling to integrate compatible CDM tools with the dashboard. The solution “could not yet handle the required volume of data or report all data to the federal dashboard as required,” the OIG found. “Until the DHS dashboard is fully functional, DHS cannot leverage the intended benefits … to manage and respond to cybersecurity threats.”
Among other shortcomings, the dashboard only contained 40 percent of the needed hardware asset management capability information. The OIG also discovered vulnerabilities on CDM servers and databases “which were due to DHS not clearly defining patch management responsibilities and not implementing required configuration settings,” according to the report. “Consequently, databases and servers could be vulnerable to cybersecurity attack, and the integrity, confidentiality and availability of the data could be at risk.”
As the saying goes, mistakes were made. But again, the intentions behind CDM are admirable, and there are valuable lessons here — not just for DHS, but for all government organizations seeking to implement an information security continuous monitoring capability:
Set the tone from the top, from the very beginning. The CDM effort started in 2013, and the department still isn’t nearly where it needs to be. So it’s time for leadership to establish an authoritative voice and set concrete directives/standards for agencies to meet. Yes, these leaders should gather input from the agencies as to what the standards should look like. But ultimately, they must avoid the prior mistakes of conceding too much autonomy at the agency level. After receiving input, they should issue a set of standards and stick to them.
Start with asset management. CDM has organized its continuous monitoring capability goals by prioritizing assets first, with the management and control of devices at the top of the list. DHS leaders should define “devices” so their agencies understand what falls under hardware asset management, without ambiguity or confusion. In doing so, they could follow the lead of U.S. Cyber Command, which defines “endpoints” in six categories: workstations and servers; network user support devices (e.g., printers); network infrastructure (e.g., routers, switches); mobile devices; internet of things; and platform information technology (e.g., industrial control systems, medical devices). Establishing a clear definition of what counts as a device will also enhance the quality and accuracy of the data fed to the dashboard, enabling DHS to address the data quality issues mentioned in the OIG report. Once DHS leaders deliver clear guidance for the asset management capabilities for CDM, they can move on to do the same for the other data elements that should be reported up to the DHS dashboard, such as software, configuration settings, vulnerability management, etc.
Attempting to develop and execute a program such as CDM is challenging and brings a vast range of complexities. But government leaders can proactively impart a welcome sense of simplicity and achievable goal-setting from the very start by communicating concrete, achievable directives. It’s equally important that, once these directives are established, DHS leaders follow through on their commitment to meeting data goals to ultimately realize a more secure federal enterprise. With clear definitions, guidance and strong leadership, the CDM program is fully capable of overcoming past challenges to meet program goals.
Tamer Baker is CTO for Forescout Technologies Inc.