Scaling up federal cyberdefenses
Forget about World War III, when it comes to cybersecurity it might just be World War II all over again. Not that anyone wants to go back and fight the bloody battles of the mid-20th Century war, but U.S. cyberdefense may want to take a page from the successes of the Greatest Generation. WWII saw an unprecedented level of cooperation take place between the public and private sectors that enabled American industry to be fully mobilized to help fight its enemies, a model many cybersecurity industry executives feel needs to be replicated if the United States is to build a true defensive network and protect its data.
The U.S. finds itself in a similar position today as it attempts to protect the data in its charge, data that is stored on servers scattered throughout the country whose level of protection ranges from possibly none to very hardened. The sheer scale of the data involved is staggering and almost incomprehensible to the average person. For example, the National Security Agency's (NSA) Utah Data Center, a one-million-square-foot facility, by itself is able to hold a yottabyte (10^24 bytes) of data.
And it's this scale that will make the task of building a proper cyberdefense so drawn out and difficult, but far from impossible.
“I am fairly confident the government can create a strong cybersecurity plan, but I think it will take huge collaboration with the private and academic sectors to make it effective and sustainable,” says James Beeson, chief information security officer and IT risk leader at GE Capital Americas.
Beeson's call for private-public collaboration was the primary theme that industry pros and former and current government officials kept repeating, but it was only one of many steps they felt the U.S. needed to take. The recent naming of retired Gen. Greg Touhill as federal chief information security officer was hailed as a good sign, but there is also a need for a general restructuring of government assets, including the possible creation of, at the very least, an organization that will coordinate all these efforts.
“There is hope. Many large companies do it, but the biggest issue is the government is so large and so many parts are left to their own devices,” says Rebekah Brown, threat intelligence lead at Rapid7, pointing out that one example for the cybertroops in Washington, D.C., to follow would be California's efforts.
“California has had a good approach to this. It had DHS (Department of Homeland Security) support and it stood up a cybersecurity task force.”
Leaving the federal government to figure out the problem is not an option.
John Wethington, vice president of Americas for Ground Labs, describes the government's current approach to cybersecurity as a patchwork, with most federal agencies running their own show. This will have to stop and be replaced with a set of standards, many of which need to be incorporated from the outside, he says.
“The first step will be to take some lessons from the private sector,” he says, adding that even bringing in outside experts is no simple task because the government currently makes it very hard for cybersecurity vendors to even get their foot in the door.
Many who were asked said history is replete with examples of the private sector working hand in hand with government and supplying needed expertise in an area where the government is challenged, whether it was NASA bringing in thousands of experts and contracting with outside companies to create the space program in the 1960s, or placing industrialists like Henry Kaiser in charge of American shipbuilding efforts during World War II.
“We need the expertise of the private sector,” says Rep. Ted Lieu (D-Calif.), who has not only been outspoken on the need for better cybersecurity at the federal level, but with a degree in cybersecurity has the educational chops to know what he is talking about.
Not surprisingly for a man who still serves as a colonel in the U.S. Air Force Reserve, Lieu uses a military analogy to describe the country's current state of defense. When asked to describe a situation in history where a country built the wrong type of defense to oppose the threat it was facing, he chose France's Maginot Line.
A quick history lesson. The Maginot Line was built by France after World War I along its border with Germany. French generals had constructed massive, fixed defensive positions capable of defeating the type of large infantry attacks that took place during World War I. Instead, when the Germans again attacked in 1940 they used their new armored formations to circumvent the Maginot Line and quickly defeat France.
“Our defenses are not prepared for the world of cybersecurity,” Lieu says, pointing out that the many angles of attack available to our enemies, or just hackers, make the situation very difficult to rectify.
The French and the Allies learned the lesson of the Maginot Line, that fixed defenses do not work, only after a nation was defeated and thousands were killed. Beeson believes it might take something similar in cyber to kick the United States into high gear and realize the cybersecurity issue has to be solved, and quickly.
“Unfortunately it will probably also take ‘Dead People’, as Francis Townsend (a former Homeland Security Advisor) would say, before we decide to move fast enough to build a strong plan. In other words, in my opinion, a major event traced back to a cyber failure that causes multiple people to die (for example knocking a plane out of the sky or poisoning a local water system) will take place before we start to move at the pace we need to build a strong defense,” Beeson says.
Lieu and Wethington are hoping that the 2015 Office of Personnel Management breach that compromised the personal information of 21.5 million government workers is the government's Maginot Line moment, albeit without physical casualties.
“OPM should have been enough to compel the government to take immediate action. We are at war. Cyberwar. And there are real casualties, like the economy,” Wethington says.
Lieu believes OPM was the low point that spurred some immediate action.
“After that the administration embarked on a 100-day cybersecurity sprint. So we are better off than before,” he says.
One of the first steps to be taken in order to construct a proper defensive framework is simply finding out what is located on federal servers, Rapid7's Brown says.
“The government has a lot of work to do. There are dated servers that are not accounted for well. The process to just ID the data is a massive undertaking, but needs to be done,” says Brown, who previously worked as an NSA network warfare analyst, served as operations chief of a U.S. Marine Corps cyber unit, and helped organize California's cyber effort.
Beeson agrees, explaining that his first step would be to “build out a team to do a complete and unbiased assessment of our existing capabilities and the maturity of each. This can be lined up against the new solution to determine where the gaps are and assist with prioritization.”
President Obama also has an important role, Wethington says. “The government needs a presidential shakeup. The administration needs to come in and demand standardized solutions.”
Lieu says that even with a federal CISO in place it is not clear who currently has overall responsibility, and that is a mistake, because a single point of contact is needed.
So the next decision to be made is who, or which agency, will helm the effort. Several existing agencies, such as the NSA, DHS and the Department of Defense, were tossed out as possibilities, along with the idea of creating a new, single and overarching entity.
“Better to create a council comprised of [private sector] people whose daily job it is to solve security problems,” Wethington says. “What would be most effective would be to use a smaller agency that does not have a bad reputation and bring in a private [sector] leader to run it. Technologists don't trust the government so it needs to wipe the slate clean with a leader that the tech community will have some immediate respect for.”
GE's Beeson says he would look inward to develop a cyberdefense team, but went on to note that anything created for the feds also has to work for state, local and international security entities.
“If I were leading the team to construct this system, I would certainly take into account existing frameworks/models (NIST, ISO, COBIT, Gartner, etc.) and work with other nations to understand their strategy and approach, then try to build a hybrid that leverages the best and can be quickly changed as the threatscape changes,” he says.
However, before billions of dollars are spent and new agencies created, a few immediate steps could be taken to quickly boost security.
Requiring two-factor authentication for anyone accessing a government computer would “improve cybersecurity by an order of magnitude,” Lieu says. The Department of Defense has already instituted this, requiring both a password login and a smart card with a PIN to turn on any computer.
Next the congressman said the government has to treat every mobile device with access to its system as a very hackable target.
“We spend a lot [of money] on desktops and spend nothing to defend mobile devices,” Lieu says.
The cloud could also offer a quick refuge for the government. Wethington says he has noticed some agencies already beginning to transition to the cloud, which he says has helped the situation.
Brown says simply following some of the standards that are already in place, such as NIST's, would boost security, along with making sure the operating systems currently in use are still supported. Finally, she noted that each agency must understand the data it is protecting and then develop threat models so it can figure out whom to defend against.
The government has also started moving forward on its own. In September the House of Representatives passed the Modernizing Government Technology Act by a voice vote. The bill combines two earlier bills, the MOVE IT Act and the IT Modernization Fund, and is designed to modernize equipment and eliminate unsafe legacy systems. According to Nextgov.com, 80 percent of the $90 billion budget for information technology goes to support legacy systems.