Unless you are inherently fearful, danger tends to live in the realm of abstraction until something bad happens in reality. Recently a couple we know insisted my wife and I go out and try tandem bicycling with them. My wife regularly goes for 60-, 70-, 80-, even 100-mile rides on her own bike. I’m more of an occasional rider, but I’ve owned and ridden multi-geared bikes of one sort or another since about 1970.
The $10,000 bike this couple let us borrow didn’t feel right to either one of us. Custom-made, titanium beauty that it was, it felt hard to tame, even when I tried it myself in a parking lot. Uneasily, we climbed on and plunged out onto Rock Creek Parkway in Montgomery County — a narrow road with plenty of car traffic. I wasn’t comfortable with the shifters. The thing felt wobbly and too tall. We didn’t make it a half mile before crashing, one of us landing on either side of this elongated contraption. Cars stopped, people jumped out to help. Other bikes stopped to see if we were alive. The biggest cost was pride. But my left hand still hurts nearly a month later, as does my wife’s tailbone. And the episode set us back $310 for a new shifter.
Lessons learned: Practice where there’s no traffic and you can weave a lot. Learn to use foreign shifters beforehand. Get your road legs on a cheap, low-slung bike (you can buy a whole new tandem bike for $310). Don’t ignore your misgivings.
If we were a government agency, I’d say we didn’t do a good risk assessment, and we didn’t integrate our software with the hardware very well. We had what could have been a doomsday scenario, literally.
Until now, it seems as if federal cybersecurity has been operating on a wing and a prayer, too. The OPM data breach shattered whatever complacency anyone might have had. As it recedes into the past, the 30-day cyber sprint has left a lasting legacy. Not simply that federal systems are more thoroughly protected than they were. They may well be, but success in cybersecurity is ephemeral. Like a sand castle, you can never stop shoring it up. In one sense, every month should be a 30-day sprint.
And not simply that the sprint got everyone to realize at once how basic cybersecurity is to everything else the government has to do. And how poor the government is at it. That also may have happened.
Read this summary of the Office of Management and Budget’s after-action report from the sprint. Not the one for public consumption, but the internal one, which Federal News Radio’s Jason Miller got to see. It showed:
Some 75 open vulnerabilities identified, two-thirds of them festering for more than 30 days. Only 60 percent of them patched, and new ones keep popping up. At least agencies know to look for them now.
Old software still running past the end of vendor support, which means no new patches are coming for it.
Two-factor authentication that still yields to super-realistic phishing e-mails. A one-time code the user types in can be phished right along with the password; only a second factor that a fake login page cannot capture, such as a smart card, closes that hole.
Privileged access rights to networks given out willy-nilly.
I think the most important effect of the near-doomsday breach and subsequent sprint was driving home the need for an architectural approach to cybersecurity, taking it down to the storage hardware level. Here’s one example. The White House called this week for ideas pursuant to its Precision Medicine Initiative. The idea is to eventually gather health information on millions of people so it can be mined for trends leading to more personalized medical treatments than people have now. Among the areas for which it seeks suggestions: “Technology to support the storage and analysis of large amounts of data, with strong security safeguards.” Cybersecurity is embedded throughout the call for comments. That’s a good sign.
Industry is starting to offer new approaches. The other week I was talking to people from Seagate, a disk drive and storage subsystem OEM. It’s part of a coalition of network equipment and software companies that contribute to what they call a Multi-Level Security Ecosystem. In the federal market, Lockheed Martin and Vion offer it as a secure storage and file system for high-performance simulation and modeling applications that fuse together large, disparate data sets.
As Seagate Federal’s Henry Newman explains, the company built a set of services on top of SELinux to accommodate functions such as network communications, database access and data sharing across parallel file systems. So, for example, a large set of video surveillance footage could be engineered such that access to individual files can be restricted to certain individuals based on their authorities. Personally identifiable information, compliance information or intellectual property within a system can be made subject to access controls and auditing, while limiting the need for separate, expensive hardware for each sensitivity level.
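To make the mechanism concrete, here is an added illustration of how labeling lets one file system hold data at several sensitivities while still restricting each file to the people cleared for it. It is not Seagate’s code, nor the SELinux reference policy; it is a simplified model of the Bell-LaPadula rules that SELinux’s MLS constraints are built on: a user may read a file only if the user’s clearance dominates the file’s label (level at least as high, and every category the file carries), and may write only where the file’s label dominates the clearance, so data never flows downward. Labels use SELinux’s own syntax, e.g. `s1:c0.c2,c5`. The file paths, user names and labels are constructed for the example, and every decision is recorded for audit.

```python
import re
from dataclasses import dataclass

LABEL_RE = re.compile(r"^s(\d+)(?::(.+))?$")
CAT_RE = re.compile(r"^c(\d+)(?:\.c(\d+))?$")


@dataclass(frozen=True)
class Label:
    sensitivity: int       # s0 < s1 < s2 ...
    categories: frozenset  # compartments (need-to-know), e.g. {0, 1, 2}


def parse_label(text):
    """Parse an SELinux-style MLS label such as 's1:c0.c2,c5' into a Label."""
    m = LABEL_RE.match(text.strip())
    if not m:
        raise ValueError(f"bad MLS label: {text!r}")
    cats = set()
    for part in (m.group(2) or "").split(","):
        part = part.strip()
        if not part:
            continue
        c = CAT_RE.match(part)
        if not c:
            raise ValueError(f"bad category spec {part!r} in {text!r}")
        lo = int(c.group(1))
        hi = int(c.group(2)) if c.group(2) else lo
        if hi < lo:
            raise ValueError(f"inverted category range {part!r} in {text!r}")
        cats.update(range(lo, hi + 1))
    return Label(int(m.group(1)), frozenset(cats))


def dominates(a, b):
    """a dominates b when a's level is at least b's and a holds every category b has."""
    return a.sensitivity >= b.sensitivity and a.categories >= b.categories


# Constructed sample data (hypothetical paths, users and labels).
FILE_LABELS = {
    "/data/video/cam07.mp4": "s1:c2",       # surveillance footage, compartment 2
    "/data/pii/patients.csv": "s2:c0,c1",   # PII, compartments 0 and 1
    "/data/ip/design.dwg": "s2:c3.c5",      # intellectual property, compartments 3-5
    "/data/public/readme.txt": "s0",        # unrestricted
}
USER_CLEARANCE = {
    "analyst": "s1:c0.c2",
    "privacy_officer": "s2:c0,c1",
    "engineer": "s3:c3.c5",
    "intern": "s0",
}
AUDIT = []  # every decision, allowed or denied, is appended here


def check_access(user, path, op):
    """Decide and audit one access. Unknown users, files or operations are denied.

    read:  clearance must dominate the file label (no read up)
    write: file label must dominate the clearance (no write down); strict
           Bell-LaPadula therefore permits a blind "write up", which real
           SELinux policies usually tighten to equal levels.
    """
    try:
        subject = parse_label(USER_CLEARANCE[user])
        obj = parse_label(FILE_LABELS[path])
    except KeyError:
        AUDIT.append({"user": user, "path": path, "op": op, "allowed": False,
                      "reason": "unknown subject or object"})
        return False
    if op == "read":
        allowed = dominates(subject, obj)
    elif op == "write":
        allowed = dominates(obj, subject)
    else:
        allowed = False
    AUDIT.append({"user": user, "path": path, "op": op, "allowed": allowed,
                  "reason": "label dominance"})
    return allowed


def denied_attempts():
    """Audit view: the (user, path, op) triples that were refused."""
    return [(e["user"], e["path"], e["op"]) for e in AUDIT if not e["allowed"]]


if __name__ == "__main__":
    for user in USER_CLEARANCE:
        for path in FILE_LABELS:
            for op in ("read", "write"):
                verdict = "ALLOW" if check_access(user, path, op) else "DENY"
                print(f"{user:16} {op:5} {path:26} {verdict}")
```

Two outcomes in the matrix are the ones worth noticing. The privacy officer, cleared to s2, is still refused the s1 surveillance file because the clearance lacks category c2: level alone is not enough, which is what lets one store hold both data sets. And the engineer, cleared above the design file, may read it but not write to it, which is the rule that stops higher-sensitivity data from being copied down into it.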
Other contributors to the Multi-Level Security ecosystem include supercomputer makers Cray and SGI, log analytics vendor Splunk, and Altair, a maker of job scheduling and management software.
Government practitioners like to say security should be built in, not bolted on. But they usually bolt it on. The Multi-Level Security ecosystem is just one example, but it shows where systems deployment is heading: toward security that is baked in.