When it comes to compliance with federal mandates for more secure IT access procedures, such as two-factor authentication, the Defense Department has led the way in many respects, including by rolling out public key infrastructure (PKI) across most of its systems. But it has not moved fast enough. As a Pentagon report noted last week, DoD “red teams” — performing the roles of real-world cyber attackers — succeeded in using stolen passwords as one of their main entry points into the networks they were testing. Put differently, an awful lot of mission-critical DoD systems still use authentication procedures that are roughly as strong as an average user’s Gmail account.
That needs to change, and soon, Mark Orndorff, the top cybersecurity official at the Defense Information Systems Agency, said during a live online chat with Federal News Radio.
Orndorff will retire on Friday after an IT career that included uniformed service in the Army as well as time in the civil service and the senior executive service. He cited DoD’s years-long effort to shore up its authentication mechanisms as the largest cybersecurity challenge that remained unsolved during his tenure.
“We need to make this the year we eliminate passwords,” he said. “We need to use PKI where we can, and use recent innovations such as those available today across industry for situations where PKI isn’t an option. Running a system today that relies on passwords is as reckless as driving a car without brakes or headlights. We’ve been recommending strong passwords as the way to improve security as long as I’ve been in the business — which is a very long time — and it reminds me of the famous quote from Albert Einstein: ‘Insanity: doing the same thing over and over again and expecting different results.’”
Orndorff said PKI has turned out to be a very good and very secure solution for identity and access management on most DoD systems. But when the Pentagon was pressing the government to adopt it as a standard, it didn’t adequately plan for situations in which PKI wasn’t an option, such as systems that needed to offer secure access to non-DoD users or that used technology incompatible with PKI for one reason or another.
“We’ve made great progress with PKI across DoD, however, we still have a few gaps that an adversary or red team can exploit to gain a foothold,” he said. “In DoD, we pushed for PKI as the best identification, but failed to offer ‘good’ solutions for those situations where PKI won’t work. My view is that we need to open the door to innovations that may not be as good as PKI, but are better than passwords.”
In a wide-ranging conversation during the online chat and in a radio interview on Federal News Radio’s On DoD radio show, Orndorff discussed a broad set of issues including DISA’s recent reorganization, the new security procedures the agency is using to approve the use of commercial cloud computing services within DoD, and the interrelationship between DISA’s new risk management center and new Joint Force Headquarters-DoD Information Networks.
On cloud, the new security requirements guide DISA issued this month represents the first fruits of the general philosophy behind the reorganization: DoD must accept more risk in certain areas so that it can apply its cyber resources to protecting the systems which are most critical to its missions.
The revised stance, Orndorff said, acknowledges that “bad things” will sometimes happen as a result of that risk acceptance, but also builds in plans to quickly bounce back if systems are compromised.
“As we’re working through the security requirements guide (SRG) and applying these risk acceptance tenets to the DoD efforts for commercial cloud, we’re trying to make sure that it’s very clear what level of risk is being accepted under the various paths you can take to leverage the commercial cloud,” he said. “The mission owners are going to be the ones who make the ultimate decision as to what level of risk they’re willing to take for a specific mission. We’ll build out infrastructure, guidelines, security requirements and processes. Based on those standards, mission owners are going to have to draw their own maps from mission requirements to risk acceptance, and we will do our best to keep them informed as to what level of risk they’re accepting as they embrace different options.”
For example, a military service or DoD component might reach the conclusion that the data it wants to host or process is entirely unclassified and mostly made up of publicly-releasable information — “Level 2” in the security lexicon of the new SRG.
“That gives you a lot of flexibility to go in and take advantage of some of the very low-cost options you can get through commercial cloud, but there’s some risk associated with that,” Orndorff said. “You’re essentially accepting commercial-grade security, and there is the possibility that your system would be compromised or defaced without us being able to apply all of our DoD defenses against that system. Once you do that, it’s incumbent on the mission owner to say, ‘I will accept the risk that that might happen, I’ll have the processes in place to recover quickly, and I will take responsibility to go back and inform any other mission partners that might be impacted and what the implications might be.’”
Orndorff said the objectives of the new cloud procedures were three-fold: to make DISA’s own security demands less opaque to commercial cloud providers, to help its DoD customers decide whether it makes sense to use a commercial cloud versus the military’s own private cloud, and to figure out a way for DoD’s cyber personnel to monitor and defend the data stores it has decided to open up to the commercial space.
As to the third objective, Orndorff said he has recently come to the conclusion that DoD’s security objectives may have been over-the-top. Recently, DoD and the military services have been experimenting with the concept of building cloud “access points” that would act as interfaces between commercial cloud providers and the military’s own systems, serving as monitored network boundaries that seek to ensure that no malicious network traffic can cross over.
“But as we’ve tried to do that, I’ve come to the conclusion that we need to make some quick adjustments. I think we’ve got to take a step back,” he said. “We need to take a much better look at how we can leverage the cybersecurity capabilities the commercial companies can quickly provision inside of the commercial cloud, augment that with our own capabilities, and not do more than what’s appropriate on the DoD side of that cloud access point.”