Federal CIO Scott offers a new idea for measuring cyber progress

The federal cybersecurity world has a thing or two to learn from the manufacturing industry, where measuring defects and errors — and the rate at which they fail — is a common practice.

“Cybersecurity incidents are an example, or a form of an example, of a defect or an error,” federal Chief Information Officer Tony Scott said Sept. 9, at the NextGov Prime 2015 event in Washington. “If we measure those in an objective way, we can tell over time whether we’re actually making progress.”

Agencies’ next steps, he said, are focusing on the fundamental design of legacy networks, storage and computing systems — most of which were designed and built 10 to 20 years ago — and finding a way to prevent the defects.

The good news, Scott said, lies in the smart ideas and ongoing conversations he’s having with members of the e-Gov Cyber Unit and stakeholders in the cyber industry.

“The creativity of the technology industry has given us a number of ways to airbag and bubble wrap around that fundamentally insecure environment, but I think the real revolution has yet to come, where we look at the fundamental components, the hardware, the operating systems, the network, the storage, all of the basic building blocks, and we design for a new era,” he said.

Agencies realized just how dire the situation was during the 30-day cybersecurity sprint in June, which Scott ordered after the two major data breaches at the Office of the Personnel Management became public.

But the sprint, which Scott compares to a pilot taking off in a plane, was the easy part. He described protecting cybersecurity as more of a marathon, and the sprint as a warm-up exercise for the challenges agencies haven’t yet tackled.

“Because of the sequester and other kinds of issues, we’re not replacing and upgrading and transforming the very core of our government at a fast enough rate,” Scott said. “Without some help, without some incentive, I fear that that trend will continue to go the wrong way.”

Bucking the trend comes, in part, from learning from past mistakes.

Many common cybersecurity mistakes are preventable

In many cases, agencies’ major mistakes were preventable. Scott said 52 percent of the government’s cyber incidents in 2014 could have been prevented with strong authentication, using two-factor and/or smart identity cards to log onto networks and systems.

Agencies already made some progress during the cyber sprint. Overall, the number of privileged and unprivileged users at civilian agencies using two-factor authentication increased by about 30 percent.

But when a cyber attack does happen, agencies often make other mistakes when they evaluate what happened and why.

Ann Barron-DiCamillo, director of the U.S. Computer Emergency Readiness Team (US-CERT), said agencies too often miss out on opportunities to learn more about the adversary and what went wrong during a cyber attack.

A common mistake, she said, is when agencies mitigate a system before an incident response team can finish its investigation. Agencies also often tip off an adversary when they poke around on suspicious domains or reset passwords too quickly.

“It can exacerbate the situation, cause the adversary to change infrastructure and sometimes the investigators become unaware of that, and we lose the little visibility that we might have had,” she told Federal News Radio in an interview after the panel.

But sometimes an intrusion happens on a third-party system. Barron-DiCamillo said agencies should make sure they have some flexibility in their contracts, so that investigators can look at the raw data during an investigation.

“We saw that happen last year in some cases, that we have access, the investigators have access to that data, to ensure that it’s protected from a forensic investigation,” she said. “So making sure your contracting language allows for that is also something that we’ve worked with different entities from GSA and others to ensure those caveats are being added.”

The chance of another major cyber attack that is similar or worse than the recent OPM data breaches is inevitable, said Richard Spires, CEO of Resilient Network Systems and former CIO at the Homeland Security Department.

“Even with the cyber sprint, even with what’s happened, government culture is slow to change,” he said. “I think we’re still quite vulnerable and we’ll remain so for quite a while.”

Adversaries will continue to go after government data, Barron-DiCamillo said. But agencies should not think only about the OPM breaches; they should consider other cases as well.

“Sometimes we focus so much on the last event and making sure we have the protection mechanisms and the checklists, that we’re not thinking about the next way that cyber attacks are going to occur,” she said. “As we are defending and getting better at our defenses, we have also to assume that our adversaries are getting better at countering those defenses. It’s a constant cat-and-mouse game.”
