FBI senior IT official: Bug bounties still useful, but ‘a little over-hyped’

Manny Castillo, a senior IT security adviser at the FBI, said the bureau does all its penetration testing internally and has no plans on changing that.

In an increasingly connected government, greater ease of access comes with a rise in cybersecurity threats.

Jeanette Manfra, the assistant director for cybersecurity at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, said that was one of the key takeaways from the 2015 Office of Personnel Management data breach.

“We weren’t thinking of all these agencies as a shared enterprise, particularly when you think about shared services, where you have information that one agency is allowing another agency to host. Risk management transfer and decisions that were happening weren’t really being thought through,” Manfra said at GovernmentCIO’s technology forum on Thursday.

But in the years since that watershed moment in cybersecurity, DHS now has a “broader picture” of governmentwide challenges through its Continuous Diagnostics and Mitigation program.

“It’s really giving us tremendous insight into what’s happening across agency networks, both just sort of common vulnerability and exposure issues, but also threats and tactics that are targeting multiple agencies,” Manfra said.

In order to fill some of the security gaps between the public and private sectors, DHS last year launched the National Risk Management Center. Since its launch, the center has huddled with industry partners to identify 14 national critical functions and come up with a strategy to prevent and mitigate cyberattacks on them.

“We were missing connectivity … you’ve got big banks over here, and they have a niche set of IT service providers that are not in the conversation, but we should be talking to them. And we should understand who they are so that our intelligence community can be looking out for threats to those assets,” Manfra said.

EHR modernization offers VA a cyber reset

But for some agencies dealing with legacy IT issues, modernization doesn’t just present cybersecurity challenges. If done right, it offers a chance to build a sturdier foundation for future systems.

Paul Cunningham, the Chief Information Security Officer at the Department of Veterans Affairs, said the agency’s multi-billion dollar move to Cerner’s Millennium electronic health record system will give his team an opportunity to wipe the slate clean on some of the longstanding cybersecurity challenges it’s had with legacy IT systems.

“As we move to Cerner, that’s the big issue. This is a good chance for us to get that fresh whiteboard — to sit down and do security right. A lot of times, we inherit old, legacy systems. We have to bolt the security on and modify the security over the years. Certainly, that’s been the way, over the last 20 years, with our medical records,” Cunningham said.

But efforts to stand up this EHR system, which will be interoperable with the Defense Department’s, remain a methodical process. VA signed the $10 billion, 10-year contract with Cerner last year, and by March 2020, the agency expects it will complete the system implementation at three VA sites.

“We can’t necessarily go right into top speed. We’ve got to work our way up to make sure we’re doing it in a nice, secure way,” Cunningham said. “And then, what’s the next step, and how are we going to get faster and still be secure and protected?”

‘You have to turn the old systems off.’

DoD, in response to those questions, has turned to bug bounty programs, paying white-hat hackers to flush out system vulnerabilities that cyber defenders at the Pentagon might not otherwise find.

The Air Force has run its bug bounty program for three years, after the Defense Department launched its “Hack the Pentagon” initiative in 2016 and patched 138 vulnerabilities as a result.

“We found that … when you go through the traditional process of risk management, it’s just not catching all the vulnerabilities that we know are out there,” Air Force CISO Wanda Jones-Heath said, adding that the service has now focused the program on shoring up its critical assets and programs.

“If we can’t modernize it, then perhaps we need to ensure that we are capturing those vulnerabilities and closing those doors,” she said.

Manny Castillo, a senior IT security adviser at the FBI, said the bureau does all its penetration testing internally, and has no plans on changing that anytime soon. Bug bounty programs in government, he cautioned, remain “useful, but sometimes [they’re] a little overhyped.”

Castillo recalled several red team-blue team exercises that uncovered vulnerabilities when detailed to the National Security Agency. But three years out from those exercises, some of those same vulnerabilities, he said, remained unpatched.

“Keep that in mind: When you’re going to do it, fix it … if you don’t know what you have in the machines and you’re not patching and fixing these vulnerabilities, you’re really not doing a favor to [these] organizations,” Castillo said.

As a reminder not to keep legacy IT systems running past their useful lifespan, Citizenship and Immigration Services Chief Information Officer Bill McElhaney keeps a mason jar containing the shredded remnants of a retired hard-drive disk array from the agency’s mainframe.

“He keeps it there as a reminder that you can’t just keep having browned-out systems left on your network. There’s still vulnerabilities [and] as you modernize the critical pieces, you have to finish the job. You have to turn the old systems off,” Adrian Monza, USCIS’s cyber defense branch chief, said.

But unplugging, retiring and ultimately scrapping that disk array required a significant culture change within the agency.

“We would create a new system, but the old system would never really go away. We had systems that were 30 years old on the mainframe. We hadn’t done a case on them in 20 years, and we looked into it and they still have 10 active cases. They just never pulled the plug to move 10 active cases,” Monza said. “Ten active cases was a couple of hours of data entry, and then we could turn the system off. That just required a mindset shift … and we’ve been much more productive in our modernization since.”

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
