Vulnerabilities / Threats
10/22/2012
04:42 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Possible 'Patch' For Policy On Protecting Government Agency Systems

CSIS report due tomorrow will recommend revising a longtime OMB policy with 'continuous monitoring' of government systems and networks

A new national cybersecurity law may not be on the horizon anytime soon, but there could be a simpler and less politically charged way to shore up security, at least among U.S. government agencies. Former Office of Management and Budget (OMB) officials and others are proposing changes to an OMB policy they say would better protect agencies from today's advanced attacks.

The Center for Strategic and International Studies (CSIS) Technology and Public Policy Program tomorrow will issue recommendations for updating 12-year-old OMB requirements to call for continuous monitoring in federal agencies to help thwart today's attacks. The goal is to replace a current compliance checkbox approach and mentality with a method that automates the monitoring and patching of vulnerabilities in government systems as a way to improve security, according to authors of the report, three of whom are former OMB officials.

"Government security experts have told us that the current regime of periodic reports and certifications requires them to spend tens of millions of dollars on reports and processes that do little to enhance security. Agencies can better implement continuous monitoring through work led by chief information officers (CIOs) and chief information security officers (CISOs)," the report says.

This would require revising OMB Circular A-130, called Management of Federal Information Resources. "Under the current policy regime, oversight organizations, like the inspectors general and the Government Accountability Office, produce reports on compliance against outdated policies, wasting time and energy and incentivizing exactly the wrong behavior among agencies. There is hard evidence that continuous monitoring, measurement, and mitigation are far more effective in addressing real threats in an environment in which those who seek to do us harm move quickly," the report says.

Federal agencies would still report annually to the OMB and Congress as required by the Federal Information Security Management Act of 2002 (FISMA), however.

"This has been cooking for about six months or so. We were [becoming] pessimistic about the prospect of legislation this year, and believe a lot of things can be done without legislation," says former OMB and White House official Frank Reeder, one of the authors of the report and co-founder and director of the Center for Internet Security and the National Board of Information Security Examiners.

"All of us are convinced that legislation is absolutely necessary to deal with privately owned infrastructure ... but the executive branch has ample authority" to address the government side of the infrastructure picture, he says.

Reeder says he hopes the CSIS's recommendations will help encourage a possible executive order for shoring up the cybersecurity of agency networks and systems, but making these changes to FISMA doesn't require an executive order, either. "The OMB has ample authority under FISMA to do what needs to be done. An executive order would give any such guidance more moral weight," he says.

And unlike the partisan split over regulating the security of private critical infrastructure, tightening the security of the government's computing infrastructure has been more of a nonpartisan issue, he says.

[Eighty percent of critical infrastructure operators say they have experienced a large-scale attack. See Cyberattacks On Critical Infrastructure Are Increasing, Study Says. ]

CSIS's new white paper, called "Updating U.S. Federal Cybersecurity Policy and Guidance: Spending Scarce Taxpayer Dollars on Security Programs that Work," follows on the themes and recommendations raised by the Commission on Cybersecurity for the 44th Presidency, which was issued in 2008. Continuous monitoring and mitigation of threats also speed response to potential risks and attacks, according to the report. The report also says that the Department of Homeland Security (DHS) would be a major resource for providing agencies with security control priorities, risk and vulnerability reports, as well as mitigation strategies.

Reeder says CSIS has been in conversations with OMB and other players mentioned in the report about the possibility of changing the OMB circular to specify continuous monitoring. "Our next step is to continue to engage in conversations with DHS, OMB, and others in the administration, and to brief folks on the Hill," he says.

It shouldn't be a major undertaking to make the change, he says. "We can't continue to spend money on things that don't work," he says.

The CSIS report also calls for finding a way to bridge the gap between national security and non-national security systems to better protect the nation's critical infrastructure. That means finding a way for the government to work with the civilian side in protecting public utilities, banking systems, or other critical infrastructure. "The threat to infrastructure is not just about weapons systems," he says.

Tony Sager, a former NSA senior official, weighed in on the CSIS recommendations: "The Federal government is spending substantial sums on security measures that are either marginally effective, or unmeasured in their effectiveness. This report recommends ways that government policy can help lead agencies to improve their security as part of the management of risk across the entire Federal enterprise," Sager said in a statement.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6117
Published: 2014-07-11
Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.

CVE-2014-0174
Published: 2014-07-11
Cumin (aka MRG Management Console), as used in Red Hat Enterprise MRG 2.5, does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

CVE-2014-3485
Published: 2014-07-11
The REST API in the ovirt-engine in oVirt, as used in Red Hat Enterprise Virtualization (rhevm) 3.4, allows remote authenticated users to read arbitrary files and have other unspecified impact via unknown vectors, related to an XML External Entity (XXE) issue.

CVE-2014-3499
Published: 2014-07-11
Docker 1.0.0 uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors.

CVE-2014-3503
Published: 2014-07-11
Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.