Correction: An earlier version of this story stated how hackers obtained credentials from a KeyPoint Government Solutions employee. It is not known how hackers obtained the credentials.
In the aftermath of the massive cyber breach suffered by the Office of Personnel Management, government agencies weren’t the only ones that needed to look at themselves in the mirror.
Federal contractors also were victims, and held some responsibility for the loss of personal data for 22 million current and former federal employees. OPM suffered the breach after hackers obtained the user credentials from a KeyPoint Government Solutions employee to gain access to the entire network.
Like the government, industry needed to look at cybersecurity as more than just protecting computers.
That means agencies may need the money, the vision to modernize legacy systems and the wherewithal to manage their relationships with industry. And at the same time, industry needs to change how it bids on contracts, provides services to agencies and how it shares information.
“Now more than ever we believe that this is not just an IT issue, it’s not just about computer security,” said Bob Gourley, a former chief technology officer at the Defense Intelligence Agency, and the co-founder of Cognitio. “It’s about risk to mission and the ability of agencies to accomplish their missions, including some of the most important missions of the federal government, which are now at threat, now at risk.”
Follow the leader
While the cyber transformation is happening internally in the government, agencies and industry are slow to adopt new approaches.
“I have not seen any dramatic changes of things being asked from the contractor workforce,” Gourley said. “I have seen government leaders become more aware of security, and I have seen them push for some very important changes.”
He said one example is multi-factor authentication, where agencies increased its use to log into computer networks, reaching 81 percent of all employees after starting at 42 percent in July.
But there can also be slow progress in what industry provides to government, Gourley added, with some companies so loyal to the public sector that they don’t think outside the request for proposal.
“They’re here to follow government rules and reply for government requests for proposals, and work in the same old proposal methodology that they always have,” Gourley said. “So if the government writes an RFP that you will do this the following way, they’re going to propose that, and if the government does not write it in there, they’re not going to propose it. Because the government is also saying we want great services at rock-bottom prices, so you have to be very cost conscious in your proposals. Industry that’s serving the federal government, they’re going to be following government’s lead and do whatever those requests for proposals force them to do.”
Even what’s currently on the market is lacking. Jerry Irvine, CIO and a partner of Prescient Solutions, said right now the primary security tools that exist are ones that are reactive, such as perimeter-based or detection-based tools like anti-virus software. But that software only finds what it knows.
“We need to do more development in proactive types of solutions that are not looking specifically for a footprint or a detection of a solution as much as for the potential for a vulnerability, the potential of a risk and how to mitigate that,” Irvine said. “Vulnerability assessment tools or application scanners, those are the types of things that are proactive and preventative types of solutions as opposed to perimeter and detection-based.”
David Wennergren, senior vice president of technology at the Professional Services Council and a former Defense Department deputy CIO, said there still is a concern in industry about a lack of commercial best practices that can improve government cybersecurity.
“It still takes far too long to get new solutions in place,” Wennergren said. “And there’s still too little reciprocity, the willingness of one federal agency to rely upon the security certification and accreditation done by another agency.”
Even though the Federal Risk Authorization Management Program (FedRAMP) is trying to get faster authorizations for cloud computing services, if an agency isn’t required to accept the work of another agency, that can slow the process down even more, Wennergren said.
Another problem related to commercial solutions is that while there are security controls in place from the National Institute of Standards and Technology (NIST) for both government and industry, sometimes government does a “one-off” and doesn’t stick with the requirements, instead layering on other rules.
Putting out fires
Of course, money runs the federal system. Do agencies have enough funding to change their approach to cyber? Will industry bring the innovation necessary to improve how the government protects its networks and systems based on the existing funding?
Irvine said when you compare the federal budget for cybersecurity with something such as the Defense Department, there is a large discrepancy.
President Barack Obama requested a 35 percent increase in cyber spending for fiscal 2017, to $19 billion from $12.4 billion in 2016.
That’s compared to the roughly $600 billion requested for all of the Defense Department.
“That in itself is telling when you hear the FBI and Secret Service and NSA say the next major risk, the next major attack, will be cyber,” Irvine said. “We need to provide a higher level of budget, a higher level of technology into cyber and we’re still not doing that. There’s direction, there’s statements and executive orders and papers are being written and being discussed. Bills that are being talked about in the House and Senate, but nothing is being done. Money is not being allocated toward the protection of our critical infrastructure from a cyber event, and that continues to be the problem.”
Sharing information about cyber threats and requirements also needs improvement, industry experts say. It’s not only in getting the message across, but wanting to hand over that information in the first place.
But Irvine said that is a double-edged sword.
Sharing information about a response to a breach can help agencies or organizations develop best practices. On the other hand “sharing of that information is scary because there is going to be liability if there was some negligence involved,” Irvine said.
“The other side of it, a bigger concern, is the good will, the after-effects of telling people you’ve been hacked, your clients, your partners, your employees, what are they going to do,” Irvine said. “What’s going to be the impact on your business, are you still going to be around.”
And sharing information comes back to understanding your risks.
Deborah Golden, a principal and federal cyber risk services leader at Deloitte, said she’s seeing agencies starting to make that transition to understanding their cyber risks.
“You get back to the fundamental question of how much is too much, or is enough enough, and I think the only real way to be able to measure some of that is to understand your cyber-risk portfolio or cyber-risk profile, because then you’re making decisions,” she said. “Then you’re making decisions based on the risk that your agency or organization may be faced with.”
Without that understanding of risk, Golden said, an agency or organization might just be making tactical decisions to plug holes and fix immediate problems. That isn’t necessarily a bad thing, she said, because “if the house is burning down you’ve got to put the fire out.”
But at the same time, she said, an agency needs to look through a “risk lens” to understand where and how to focus its resources.
Golden said agencies need to accept that system boundaries go beyond physical walls, and look at more than just internal risks to cybersecurity and apply cyber risk programs to help define impacts of external and internal risks.
“A breach is going to happen … we’re never going to necessarily get in front of them,” Golden said. “Let’s maybe change the question of how do we protect ourselves, so that when an incident does happen, we can not only react to it but we can actually respond to it from a risk perspective. If you can kind of have this risk lens on it, you might be better prepared to react and respond in a much quicker fashion than if you didn’t any of these provisions in place.”
For agencies to have that risk lens, many still must understand some basic details of their IT infrastructure and how they are protecting it today and how they need to change in the future.
Much to be done
Wennergren said looking into the second year following the OPM breaches, government needs to address the “basic blocking and tackling” that take care of standard cyber protections, as well as look to address a threat that’s always changing.
“Many of the cybersecurity challenges are all things we’ve known about for a long time,” Wennergren said, offering up examples like aging IT systems and implementing multi-factor authentication. “The nature of the threat is ever changing, and different threats require different kinds of solutions.”
“We need to move more rapidly to the cloud in addition to modernizing our IT systems and infrastructure, we’ve got to embrace continuous monitoring, we’ve got to embrace secure information sharing,” Wennergren continued. “It’s something we’re all going to have to pay attention to together. If you’re government or industry, particularly government at this moment, there’s much to be done.”