On the surface, the Homeland Security and Governmental Affairs Committee’s report on the cybersecurity at eight agencies is damning. It highlights systemic and profound problems with how some of the largest agencies are protecting their data and systems.
“During the [investigations] subcommittee’s review, a number of concerning trends emerged regarding the eight agencies’ failure to comply with basic National Institute of Standards and Technology (NIST) cybersecurity standards,” the report states. “In the most recent audits, the inspectors general found that seven of the eight agencies reviewed by the subcommittee failed to properly protect personally identifiable information (PII). Five of the eight agencies did not maintain a comprehensive and accurate list of information technology (IT) assets.”
As one of the investigators told Federal News Network, the report showed fundamental problems with federal cybersecurity that auditors have consistently highlighted and agencies have failed to address for a decade.
In short, the report portrays the eight agencies as having done little to no work on federal cybersecurity over the last decade.
While the report highlights consistent shortcomings across these eight agencies, current and former federal cyber executives say the subcommittee didn’t capture the entire picture and maybe even does a disservice to all the progress made over the last four years—since the 2015 Office of Personnel Management cyber breach.
“It is a look back in history and it doesn’t capture the responses and things that have changed. We do value the information from all of these reports and it has guided us in some of our actions in response to what they found,” said one federal chief information security officer, who requested anonymity because they didn’t have permission to talk to the press about the report. “When the committee goes back to 2009, we didn’t have our contemporary cyber laws in place. If you start in 2014 or 2015 and look forward, we do have a lot more direction from the Office of Management and Budget and the Homeland Security Department, and a lot more legislative requirements and mandates, which have helped generate guiding principles. What DHS, OMB and GAO are auditing and the areas they have targeted, all produce information on how we can improve, which is an ever evolving and constant thing.”
Response to WannaCry
One example of that progress is the response to the WannaCry malware and its lack of impact on agencies. In 2017, when the malware infected hundreds of thousands of computers around the world, agencies suffered little to no problems.
It goes beyond just the one-off attack. Former executives say the government is leading industry in many areas of cybersecurity and the report fails to acknowledge any of these areas.
A former senior cybersecurity official, who requested anonymity because they didn’t get permission to talk to the press from their current employer, said that from continuous monitoring, to the Domain-based Message Authentication, Reporting and Conformance (DMARC) standard (a protocol that authenticates an organization’s email), to identity, credentialing and access management (ICAM), the government is ahead of the curve compared to most industry sectors.
“I wasn’t surprised by the committee’s findings, but my overall sentiment is that I expected net new findings and recommendations once you aggregate all the information together,” the former federal official said. “If you find that current direction isn’t working or recommendations are not met, what is discernible activity that will move [the] needle versus just saying we will follow through on agency activities? To spend 10 months and write 100 pages, which is a considerable effort, but you are not offering any recommendations to agencies or to OMB that were markedly different than the path they are on was surprising.”
The subcommittee made nine recommendations to OMB, DHS and the agencies. To the former official’s point, the only two that are in the realm of new or different are around reestablishing the CyberStat process and requiring each agency to have a dashboard showing open cyber recommendations from auditors, closure rates, accomplishments and a plan for mitigating these problems. OMB would send the dashboard to Congress twice a year.
Ross Nodurft, a senior director for cybersecurity services at Venable and a former chief of OMB’s cyber office, said initially OMB used the CyberStat process to have more insight on activities on a regular basis. But over the last few years, OMB and DHS have evolved in their oversight.
“As those processes have matured and partnerships between agencies and OMB have grown, the oversight has evolved and grown with it. I’m not sure agencies need to have a strict CyberStat process anymore.”
Systemic problems put agencies at risk
The federal CISO agreed. The executive said they talk with DHS and OMB almost daily, and more often if there is a real or potential threat.
“Everything we are doing right now is a result of all the relationships we’ve built up over the last few years,” the CISO said. “We also have tools and techniques today for cybersecurity that weren’t available even a year or two ago. We are automating a lot of what we are doing, and getting out of the manual processes that made change so much harder. We can do analytics and predictive measures much more now so we are less reactive to threats.”
Nodurft added the work under the continuous diagnostics and mitigation (CDM) program, the focus around protecting high-value assets and the continued implementation of the NIST cyber framework have shifted the scope and elevated the visibility of the security function in agencies. He said that work was not as clearly reflected in the findings and recommendations as he would’ve expected.
At the same time, the subcommittee’s investigators said both OMB and some of the agencies they talked to for their research readily agreed that these are systemic problems that are putting the agencies at risk.
The investigators said even some of the resolutions agencies put in place were inadequate. They pointed to the Education Department as one example: the agency added a capability to restrict unauthorized devices, which had been a problem since 2011, but the tool still took 90 seconds to take effect.
“In its 2018 audit, the IG found the agency had managed to restrict unauthorized access to 90 seconds, but explained that this was enough time for a malicious actor to ‘launch an attack or gain intermittent access to internal network resources that could lead to’ exposing the agency’s data. This is concerning because that agency holds PII on millions of Americans,” the report states.
The investigators said the goal of the report was to demonstrate to these eight agencies and OMB that there are consistent cyber issues across the government, and that most of them involve fundamental cyber practices, like patching, keeping an IT asset inventory and updating legacy systems, that are not getting done.
CIO authorities still key to cyber improvements
The subcommittee plans to continue to follow up with agencies on their progress in mitigating these cyber vulnerabilities.
Nodurft said he would like to see the subcommittee use the report as a starting point for future investigations or hearings where they dig deeper into the areas where the report fell short in producing a fuller picture of what’s happening across the government.
The former federal cyber official said the subcommittee needs to do more than point out problems that everyone knows exist.
“I hope the report is a precursor to something bigger because I think Congress missed the mark here in some ways. If you look at agencies whether it’s Transportation, or State, or Health and Human Services and look at their appropriations, you have monster components that hinder the CIO’s ability to get the kind of meaningful action we are talking about here. Whether it’s the FAA or Diplomatic Security or the Centers for Medicare and Medicaid Services, lawmakers continue to throw money at these components and there is not a centralized authority to oversee that money. When we can move the conversation to centralizing the CIO’s power, then we can do something about many of these cyber challenges in a real way. And that is where this report missed the mark.”