Cyber attacks are a reality today, and whether small scale or something along the lines of an Office of Personnel Management breach, a collaborative effort is needed among agencies and the administration to put together an offensive strategy.
The National Institute of Standards and Technology will issue the second public draft of Special Publication 800-160, Systems Security Engineering: An Integrated Approach to Building Trustworthy Resilient Systems, on May 4 to do just that.
NIST Fellow Dr. Ron Ross said 800-160 will be both a holistic approach and a “grand strategy” to help the federal government in its war against cyber threats.
“I don’t think we’ve armed our professionals with the process they need that’s holistic. If you want to win a war and you’re in the military, you’ve got to have strategy and you’ve got to have tactics. Tactics win battles, strategy wins wars,” Ross said during an April 25 Institute for Critical Infrastructure Technology forum in Arlington, Virginia. “We’re going to have cyber breaches. You can’t use that as a metric for firing people or there’d be nobody working in this town in a couple of weeks. But I think there’s a notion of due diligence. [800-160] it’s an engineering process, but it’s not just a technical set of processes. It goes across the entire organization, from human factors to supply chain acquisition, architecture, it’s the entire spectrum.”
Ross’ panel focused on cyber hygiene in a world post-OPM data breach, in which personal information was stolen from 22 million current and former federal employees, job applicants and their family members.
The breach served as a lightning rod for the federal government’s approach to cybersecurity, notably its aging IT infrastructure, which was put in the spotlight at the forum by federal Chief Information Officer Tony Scott.
“One of the underlying root causes I believe for cybersecurity challenges is aging and out-of-date infrastructure and applications and environment,” Scott said. “As we started looking at what we had as a starting point for improving security … in the federal government, we discovered and uncovered a bunch of really old, aging apps and infrastructure. These are inherently things that are hard to defend. Almost everything one does is sort of the functional equivalent of putting airbags and Band-Aids on an existing environment. It’s just hard to get good cybersecurity when that’s the mode that you’re in.”
Scott is looking to change that mode through the Office of Management and Budget’s new legislative proposal for a $3.1 billion revolving IT Modernization Fund. Scott said the idea behind the fund is a one-time investment for “modernizing critical applications and infrastructure.”
Agencies would come forward with a business case and receive incremental funding as they hit deliverables and milestones, Scott said. Over a five-year period, that agency would pay back to the fund, which would then allow for another round of money to be doled out to help agencies.
“I think we can address $15 billion to $20 billion of applications and infrastructure over a several-year period, all for that one-time investment,” Scott said.
Scott warned the crowd that the government has been sitting on its hands when it comes to upgrading and replacing its IT systems, yet it is still paying for aging equipment with dwindling resources, such as spare parts and people who know how to configure older systems, not to mention a workforce that is getting older and thinking about retirement.
“This is unfortunately the paradigm for how we think about all too often the critical applications and infrastructure that run the federal government. It is a wait till it breaks kind of model, or wait till there’s some sort of event that then it becomes compelling. I believe in today’s world that’s the wrong way to think about these things,” Scott said. “I think we need to move to a model that’s continuous upgrade, continuous replace, so that you’re never more than a few years out of date.”
Old stack, new stack
Scott also said that when it comes to infrastructure, he is interested in research and development related to self-awareness. It is no longer a question of interoperability with other things in an ecosystem, he said, but rather whether you should interoperate, whether you should take information from somewhere, and whether that information is dangerous.
“These are all critical questions we’re going to have to answer as we build out architecture and infrastructure and ecosystem,” Scott said. “So we need building blocks that are more capable of taking care of themselves, of protecting themselves from bad things.”
But it’s also important not to try to force new technology into an aging system, Scott said, using the analogy of trying to put airbags into a 1965 Mustang versus a newer Mustang that already has the safety features built in without jeopardizing the design.
But whether a new car or new system, it’s also necessary to teach the cyber workforce what to do behind the wheel.
Scott said the problem within the federal government is that a certain number of IT systems have been running for a long time, while there is also a desire to move to newer platforms and a newer way of doing things.
It’s “old stack and new stack,” Scott said. “There’s no stigma if you’re old stack. That’s the stuff that we run on. It’s our bread and butter every day. But we’ve got to start the conversation and the movement to new stack, and both sides are going to play an important role in that.”
“What you need is a transformation construct,” Scott added. “You need governance, business process, change agents. You need staffing and people resources. You need designers and architects, you need a bunch of talents that you can bring together and really help figure out what the digitization of government really could or should look like. This comes from user-centered design. Then working together, the old stack folks and the new stack folks have to agree on, ‘Here’s the sequence. Here’s how we’re going to go transition.’ Those are the building blocks that we’re trying to put in place.”
Patches for people
As those blocks are put in place, it’s important to fill the gaps in both the infrastructure and workforce.
Greg Wilshusen, director of information security issues at the Government Accountability Office, said what he’s learned from agency audits is that when it comes to cybersecurity, “agencies consistently have not implemented key basic security controls over their systems, in part because they may not have the appropriate staff or the resources available.”
“In some cases it may be that they’ll be acquiring new tools but don’t provide the sufficient training to those with significant security responsibilities,” he said.
Acquisition is one spot Wilshusen highlighted as a problem area for IT security.
Sometimes acquisition officers do not have all the information about the cybersecurity risks associated with a purchase, he said. In other cases, staff might not be trained correctly on a new tool.
“To some extent at federal agencies, there’s a lack of priority given to cybersecurity, or at least a minimal priority,” Wilshusen said. “The main business for many of the organizations is to deliver services to the constituents, whatever agency and service that might be.”
Wilshusen said ensuring systems are operated securely doesn’t always happen in part because information security is a management function.
“It’s incumbent upon management to ensure appropriate resources, practice and accountability measures are in place to ensure that’s being implemented,” he said.
Dan Waddell, an ICIT fellow, said it’s about patching not only the systems, but the people.
“It’s not just educating the cyber workforce, it’s educating the workforce in cyber,” Waddell said. “We need to collectively do a better job to introduce some really innovative methods, to get staff not just in the cyber or the IT vertical, but all across the organization — whether it’s HR, finance, operations, legal — to really embrace what these threats are and really turn the user into the greatest asset, not the greatest vulnerability.”