Where do agencies go now post-cyber sprint?

For agency managers responsible for cybersecurity, the last few weeks have been challenging. The data breach affecting millions might have been the direct responsibility of the Office of Personnel Management, but the response has been all-of-government — starting with the now-concluded 30-day cyber sprint.

Last Friday, the Office of Management and Budget posted the latest data from the sprint, which federal Chief Information Officer Tony Scott had ordered.

The main metric to come out of OMB’s blog post was that agencies had improved their use of strong authentication for both privileged and unprivileged users. Over the length of the sprint, agencies were able to grow the share of users covered by strong authentication from 42 percent to 72 percent.

Alan Paller, director, SANS Institute

Alan Paller, the director of research at the SANS Institute, told Jared Serbu on the Federal Drive Monday that this measure of performance is both good and bad. It’s good in that agencies have made strides in one area of cybersecurity, but it’s also bad in that more than 25 percent of employees remain in username/password mode.

“What’s most interesting out of that is how quickly they went that far and the reason they did,” he said. “And that was the sort of simple truth of ‘What gets watched gets done,’ and for the last 30 days, that particular metric was being watched. If you come back in a few months, you will see that the change has slowed radically because OMB will go on to other metrics. It’s like the Lazy Susan, pick your metric of the month and they’ll focus agencies on other things, the agencies will stop doing this one.”

The question then becomes: what should agencies be focusing on now that the cyber sprint is over?

Paller sees five steps that agencies should take moving forward:

  • Accountability – In this area, Paller would like to see agencies put the power into the right hands — the inspectors general. “The reason is that the IGs are very powerful people and what they put down on your report card becomes something you can’t get away from and that’s, ‘What measured gets done’ writ large,” he said. “What the IG measures really gets watched and what gets watched by your bosses gets done.”
  • Measuring the right things – “The first thing you have to measure is the things that federal agencies don’t like to measure, which is the actual successful attacks, how long it took you to find them and how long it took you to get fully recovered from them,” Paller said. “Those are not measures you’ll see any agency doing, but you’ll see it all over Silicon Valley. They don’t pretend they’re not going to get hacked. They know that their first priority is to stop the damage from any attack, not just try to stop everything.”
  • Spend less – Agencies need to spend the money they have in a smarter way.
  • Giving security staff a chance to modernize their skills – “Federal cybersecurity people have been stuck in the 1990s for 20 years,” Paller said. “It makes them not very valuable outside the federal government. It makes them not very valuable inside the federal government.”
  • Benchmarks – Agencies need to begin benchmarking their cybersecurity efforts against those that can be found in the private sector, particularly at banks and Silicon Valley technology firms, where cybersecurity is considered a priority.

“None of them are really hard,” Paller said, of his five steps. “They aren’t, ‘Go get another $80 billion and do something big.’ None of them are that. They’re actually small steps, no bigger than what’s been done over the last 30 days. But, they have to be sustained and they have to be constantly measured, not measured for 30 days the way OMB did in its sprint.”

Industry task force offers cybersecurity recommendations

A task force of industry technology experts convened by the IT Alliance for Public Sector (ITAPS) offered its own set of cybersecurity recommendations Monday for federal agencies in the aftermath of the cyber sprint.

“These are cybersecurity experts with extensive experience in the technology and public sectors,” said Trey Hodgkins, senior vice president for the public sector, in a release. “Working diligently, the task force identified steps the government can take immediately and in the months ahead to improve their cybersecurity posture and strengthen the networks our government relies upon.”

The task force identified five broad issues that it said needed to be addressed in order for agencies to improve their cybersecurity.

Issue 1: Establish in broad terms how to do cyber in the federal government

ITAPS recommended the government continue to accelerate its approach to managing cybersecurity along several different lines.

Using security risk management, for example, agencies would use a tool like the Risk Management Framework developed by the National Institute of Standards and Technology to assess the vulnerability of their systems. They would then develop strategies to update their systems so they were more secure and to mitigate the risks identified.

In addition, agencies would need to make information security a core principle of their organizational structure. This would mean extending that principle to management areas beyond technology, including finance and procurement.

Issue 2: Identify the focus for the remainder of this administration

These fixes should begin immediately and then extend beyond the current administration.

“While these efforts should result in immediate enhancements, they will also set the foundation for the government’s future efforts,” the task force report said. “Most importantly these efforts will begin the long process of restoring the American people’s trust in the ability of the federal government to protect its networks and the information that resides in and transits those networks. The actions provided below are intended to serve as a continuation of the many good activities initiated through the Cybersecurity Sprint, and provide a roadmap to implement many of our recommendations.”

Issue 3: Develop a means to identify the good ideas, while culling out the sales calls

The task force called for the creation of an online communication portal between agencies, the public and industry, where information about the latest cybersecurity issues can be exchanged. This would allow for the sharing of up-to-date information about possible cyber threats and technology that could provide effective countermeasures.

“We recommend the addition or reevaluation of internal, government-wide groups and procedures that allow for acquisition of the best technologies to combat the newest threats,” the report said. “We believe that this combination will provide a well-rounded and balanced measure for finding the best solutions.”

Issue 4: Outline cyber crisis response best practices

The task force considered crisis planning to be crucial moving forward.

“Combined with protection and detection capabilities, appropriate crisis response activities can minimize the impact of an incident,” the report said. “Effective response planning takes place well in advance of an incident and considers a range of scenarios, capabilities, conditions, and environments. Effective planning also requires education, training, and exercises for all elements of a response plan.”

It’s not enough just to make a plan. Equally important is to track the plan’s success and improve it to meet new threats.

Issue 5: Determining responsibility and accountability

The task force criticized the government, saying it had “vague lines of responsibility and accountability.” Like Paller, the task force looked to industry for a solution.

“Understanding how business establishes clear lines of responsibility and whom to hold accountable in a cyber crisis would be beneficial to establishing better cybersecurity accountability in the federal government,” the report said. “The current lines of responsibility and accountability are not getting the desired results across the federal government as demonstrated through recent incidences occurring at federal agencies. Exact lines are blurred and in some cases may even present a potential conflict of interest, such as the CISO [chief information security officer] reporting to the CIO [chief information officer]. There are some key actions that must be taken to improve the responsibilities and accountability for cybersecurity in the federal government.”

The task force said that everyone in an agency should understand their role in maintaining information security and it should become part of the performance review process. Agencies should also increase information security awareness throughout their organizations.
