Imagine someone building a house with only a partial roof and expecting the rain to stay out. With gaps that obvious, it won't work.
Federal officials now have a critical chance to make sure that scenario doesn’t play out in government cybersecurity strategy.
At issue are a pair of programs set up to defend federal computer networks and systems from attack, which have been the cornerstone of government cybersecurity efforts for years.
1. The Continuous Diagnostics and Mitigation program (CDM), established by the Department of Homeland Security in 2012 and managed by DHS’ Cybersecurity and Infrastructure Security Agency (CISA), provides tools and dashboards to more than 100 agencies for real-time risk monitoring and defense.
2. EINSTEIN, part of CISA’s National Cybersecurity Protection System, was created in 2003 to analyze the flow of network traffic to and from federal civilian executive branch agencies and detect and block malicious activity.
Both programs have had an important impact on federal cybersecurity through the years, but they have started to show their age and require significant updates to keep pace with a rapidly evolving threat landscape.
The biggest hole lies in the kinds of systems and devices that CDM and EINSTEIN typically watch over, and, more to the point, in the kinds they don't.
Most agencies are fortunate to have strong technologies in place for protecting “managed” physical and virtual assets – traditional endpoints like servers and laptops that are controlled by agencies and set up and configured by their IT or security teams.
However, the world has seen an explosion of “unmanaged” physical and virtual assets – employee-owned smartphones and tablets, security cameras, building management systems, and much more that sit outside IT or security’s usual purview.
These technologies have delivered new efficiencies in the way we work, but the flipside is that they have introduced new vulnerabilities and complexities that legacy security technologies are not designed to identify, profile or defend.
Unmanaged assets have turned the once well-defined security perimeter into a dynamic, borderless frontier and have created security gaps that cyber criminals can exploit.
In fact, that is exactly what’s happening. Intrusions that begin on assets outside the traditional managed estate are growing sharply, and the convergence of IT with building, operational and personal devices brings an expanding attack surface, with vulnerabilities that leave security teams reacting to incidents rather than getting ahead of them.
While the traditional perimeter security function remains important, “it is not sufficient for a cybersecurity program given the current threat landscape and the ability of bad actors to evade many perimeter security mitigations,” Rep. Andrew Garbarino (R-N.Y.), chairman of the House Homeland Security cybersecurity subcommittee, said at a Sept. 19 hearing.
“What’s more,” he added, “EINSTEIN has faced long-standing downsides, including limitations on detecting and preventing encrypted traffic and focusing only on what we already know is malicious traffic.”
CISA’s own Binding Operational Directive (B.O.D.) 23-01, issued in October 2022, articulates where we need to go. “Continuous and comprehensive asset visibility,” it says, “is a basic pre-condition for any organization to effectively manage cybersecurity risk.”
The directive calls for a combination of “asset discovery” (“an activity through which an organization identifies what network addressable IP-assets reside on their networks”) and “vulnerability enumeration” (detecting and reporting suspected vulnerabilities on those assets).
But in reality, CDM practices have excluded many unmanaged devices. Compounding the problem, procurement and security teams tend to be siloed, so the people who buy technology and the people who must defend it are often not even discussing how to close the gap.
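What the directive's two activities look like when put together is a reconciliation: take everything discovery finds on the network, compare it with what the managed-endpoint tooling already knows about, and check that every discovered asset has been enumerated for vulnerabilities recently enough. The following is an added example written for this article, not code from the author, Armis or CISA. The network ranges, MAC addresses, device fingerprints and scan dates are constructed sample data; the 7-day discovery and 14-day vulnerability-enumeration cadences are the ones BOD 23-01 itself sets, and are not quoted in the text above.

```python
"""Reconcile asset discovery and vulnerability enumeration results against a
managed-asset inventory, surfacing the unmanaged devices the article describes.
Added example with constructed data; not CDM, CISA or Armis code."""
from dataclasses import dataclass
from datetime import date, timedelta
from ipaddress import ip_address, ip_network

# Cadences set by BOD 23-01 (not stated in the article): run discovery every
# 7 days and enumerate vulnerabilities on every discovered asset every 14 days.
DISCOVERY_CADENCE = timedelta(days=7)
ENUMERATION_CADENCE = timedelta(days=14)

# Hypothetical agency address space. Anything outside it is ignored.
IN_SCOPE = [ip_network("10.20.0.0/24"), ip_network("10.20.1.0/24")]

# Constructed discovery output: (ip, mac, fingerprint, last_seen). The
# fingerprint labels are illustrative of what a discovery tool might emit.
DISCOVERED = [
    ("10.20.0.10", "00:11:22:33:44:01", "windows-server", date(2023, 10, 2)),
    ("10.20.0.11", "00:11:22:33:44:02", "linux-laptop", date(2023, 10, 2)),
    ("10.20.0.50", "00:11:22:33:44:03", "ip-camera", date(2023, 10, 1)),
    ("10.20.1.7", "00:11:22:33:44:04", "hvac-controller", date(2023, 9, 12)),
    ("10.20.1.200", "00:11:22:33:44:05", "android-phone", date(2023, 10, 2)),
    ("192.168.5.5", "00:11:22:33:44:06", "printer", date(2023, 10, 2)),  # out of scope
]

# Constructed: MACs the agency's agent-based (CDM-fed) tooling already manages.
MANAGED = {"00:11:22:33:44:01", "00:11:22:33:44:02"}

# Constructed: MAC -> date of the last successful vulnerability scan.
LAST_ENUMERATED = {
    "00:11:22:33:44:01": date(2023, 10, 1),
    "00:11:22:33:44:02": date(2023, 9, 10),  # older than 14 days
}


@dataclass(frozen=True)
class Asset:
    ip: str
    mac: str
    fingerprint: str
    last_seen: date


def in_scope(ip: str) -> bool:
    """True if the address falls inside one of the agency's declared ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in IN_SCOPE)


def reconcile(discovered, managed, last_enumerated, today):
    """Return what an asset-visibility program has to act on:
    - unmanaged: in-scope assets discovery saw that no management tooling covers
    - overdue:   assets never enumerated, or not within ENUMERATION_CADENCE
    - stale:     assets not seen within DISCOVERY_CADENCE (gone, or evading discovery)
    - coverage:  share of in-scope discovered assets that are managed
    """
    assets = [Asset(*row) for row in discovered if in_scope(row[0])]
    unmanaged = [a for a in assets if a.mac not in managed]
    overdue = [
        a for a in assets
        if a.mac not in last_enumerated
        or today - last_enumerated[a.mac] > ENUMERATION_CADENCE
    ]
    stale = [a for a in assets if today - a.last_seen > DISCOVERY_CADENCE]
    coverage = (len(assets) - len(unmanaged)) / len(assets) if assets else 0.0
    return {"assets": assets, "unmanaged": unmanaged, "overdue": overdue,
            "stale": stale, "coverage": coverage}


def report(today=date(2023, 10, 3)):
    """Run the reconciliation on the constructed data and print a summary."""
    result = reconcile(DISCOVERED, MANAGED, LAST_ENUMERATED, today)
    print(f"in-scope assets discovered: {len(result['assets'])}")
    print(f"managed coverage: {result['coverage']:.0%}")
    for label in ("unmanaged", "overdue", "stale"):
        for a in result[label]:
            print(f"  {label:9s} {a.ip:12s} {a.fingerprint}")
    return result


if __name__ == "__main__":
    report()
```

The point of keying on MAC rather than IP is that the unmanaged devices in the gap (the camera, the HVAC controller, the phone) typically take DHCP addresses, so an IP-only join against the managed inventory would produce false matches over time. In the constructed data, only two of five in-scope assets are managed, four are overdue for enumeration, and the HVAC controller has not been seen within the discovery window, which is exactly the kind of blind spot the directive is trying to eliminate.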
There are positive developments: CISA officials say they intend to revamp and improve these programs.
For example, in an RFP issued in July, CISA acknowledged that “the evolutions of technologies and threat landscapes have highlighted limitations in the EINSTEIN capabilities and the benefits it provides.” CISA said it “plans to modernize the legacy capabilities used under the EINSTEIN program to detect threats targeting federal networks.”
President Biden’s fiscal 2024 budget proposal includes $408 million for CDM that could be used to modernize the program. It also requests $425 million for the Cyber Analytics and Data System (CADS), which is meant to restructure EINSTEIN. It is our hope that these efforts match the scale at which attacks are happening. If cloud technologies and agentless deployments are not prioritized, the modernized programs will still miss the unmanaged devices that agents cannot be installed on. Now is the opportunity to meet the threats of today and tomorrow by implementing innovative technologies.
But the devil will be in the details, and the starting point in these programs’ modernization efforts should be gaining comprehensive intelligence that enables agencies to see, protect and manage all physical and virtual assets. With this, federal security teams can ensure their entire attack surface is both defended and managed in real time.
CISA also should encourage lawmakers to help change procurement processes to expedite purchase and implementation of newer technologies purpose-built for today’s evolving attack surface.
Too often, legacy contracts and programs with existing providers and solutions are simply extended. That may save time, but it also forecloses the innovation and collaboration needed to address modern threats. Agencies shouldn’t meet the directives merely by turning to legacy vendors they may have worked with for years; they should instead look at best-of-breed technologies that integrate into the broader fabric of these key programs.
The bottom line is that what may have worked in the past no longer suffices. Cyber criminals are moving faster than ever, and the federal government has to up its game too, and do so immediately. It isn’t enough to say “we are better off today than we were yesterday” – we must be better prepared for tomorrow.
Brian Gumbel is president of Armis, the asset intelligence cybersecurity company.