Cybersecurity Balancing Act

Most federal agencies get passing marks for meeting the Federal Information Security Management Act, the primary regulation dictating cybersecurity practices in the federal government. Even so, the ground rules for cybersecurity keep changing, and federal systems are anything but bulletproof.

The Office of Management and Budget's FISMA implementation report for fiscal 2008 gave 92% of major agencies satisfactory or better grades for the quality of their certification and accreditation processes. It noted high percentages of inventoried systems and systems with tested contingency plans and security controls, and said 84% of major agencies had "effective" cybersecurity plans.

That's the good news. The other side of it is that threats to government computer systems are more worrisome than ever. Federal agencies reported to the U.S. Computer Emergency Readiness Team (US-CERT) that they experienced 18,050 cybersecurity attacks in fiscal 2008, triple the number from 2006. "Terabytes of data are being exfiltrated out of government networks," warns Greg Garcia, assistant secretary of cybersecurity and communications at the Department of Homeland Security under President George W. Bush.

Government security pros find themselves having to comply with myriad specifications and regulations, compounding the challenges of getting it right. A diagram that used to hang on the wall at the Defense Information Systems Agency detailing every agency with authority over cybersecurity "looked like a bowl of spaghetti," says Vic Maconachy, former director of the National Security Agency's cybersecurity education and training program.

Mandates Galore
Passed in 2002, FISMA requires every federal agency to inventory its information systems, categorize them according to risk, carry out contingency planning and risk assessments, train employees in cybersecurity, and report certain incidents to law enforcement. Agencies also need to certify and accredit their cybersecurity processes and related documentation.

The White House, meanwhile, is carrying out a cybersecurity review, due any day, and new cybersecurity bills are being introduced in Congress. What's more, the government likely will begin releasing over the next few months more details of the still-classified Comprehensive National Cyber Security Initiative created under Bush.

"There's a high level of interest in cybersecurity, and that's a good thing, but for the implementers in the agencies, it can be a bit confusing with all the things being proposed," says Matt Scholl, who oversees several government-wide cybersecurity programs, including FISMA implementation, as security management and assurance group manager at the National Institute of Standards and Technology.

As part of the Comprehensive National Cyber Security Initiative, a multibillion-dollar program introduced 16 months ago, the government hopes to create and enforce security best practices and technology guidance that can be implemented across agencies. First, though, the government has to lay out the program in more detail. "One of the problems with the development of the Cyber Initiative is that it was over-classified, and we couldn't proactively share with the public and the Congress, so there remains a dearth of useful information about it," says Garcia.

Among the CNSCI requirements is implementation of intrusion-detection and -prevention systems. According to a recent InformationWeek survey of 309 government IT professionals, 65% plan to increase use of intrusion detection over the next year. "The private-sector capabilities are very sophisticated now. There's no reason every department and agency shouldn't be using them," says Rod Beckstrom, until recently director of the National Cyber Security Center at the Department of Homeland Security.

Scholl warns, however, that further mandates shouldn't be too far-reaching in mandating specific technologies, given how different various agencies are. "We have wide and unique use cases that really must be considered," he says.

SANS Institute director Alan Paller says "a lot of people are looking for silver bullets, but they're not doing the management it takes to run a secure system." Government cybersecurity needs to be as much about best practices in software development, system configuration, and monitoring as it is about products and specs, he says.

While FISMA-compliance grades are often high enough, critics say the law is more of a check-box exercise than one that promotes operational excellence. The Government Accountability Office has found that while most agencies comply with FISMA, the effectiveness of those efforts isn't clear. The GAO will release a report on that later this year.

Bruce Brody, VP of cybersecurity at the Analysis Group and a former chief information security officer of two federal agencies, is among the critics. While he applauds FISMA's ability to bring cybersecurity to the fore, he notes that 10% of FISMA grades are simply an indication that employees are getting annual cybersecurity training, and that the process for certifying and accrediting systems as secure often ignores legacy systems.

Sen. Tom Carper, D-Del., is working on a bill to revise FISMA by mandating continuous security monitoring and measurement of the effectiveness of agencies' cybersecurity processes, including identification of weaknesses. A similar version was approved by the Senate Committee on Homeland Security and Governmental Affairs during the last session of Congress. Currently, continuous monitoring is mandated by regulations layered on top of FISMA, but there's not much standardization in how the monitoring is carried out, and it's done by regulation rather than force of congressional legislation.

Under the draft bill, agencies would have to "detect, monitor, correlate, and analyze" the security of any network-connected system in an automated and continuous fashion. Any system that doesn't meet security standards would require remediation before being allowed to connect to the network.

Carper's bill may become part of broader legislation that would include proposed legislation from John D. Rockefeller IV, D-W.V., and Olympia Snowe, R-Maine, according to a spokeswoman in Carper's office. Those bills call for, among other things, more government-wide structures to be put in place overseeing cybersecurity, including the creation of a presidential adviser. "Until we have an office where 'the buck stops here,' we're still going to be operating in a spaghetti bowl model," the NSA's Maconachy says.

The Carper bill would give more weight to government-wide standards being developed by NIST, and those efforts could have a secondary effect of creating a more consistent security posture across government. For example, NIST's Security Content Automation Protocol, a standard way of reading security settings and configurations, was used by the Office of Management and Budget to create the Federal Desktop Core Configuration, a recommended configuration for government computers running Windows.

No Secrets
One gap that can't be solved through technology alone is the need for sharing of best practices and threat information. As part of a project called Einstein, US-CERT has begun monitoring traffic on federal networks and reporting attacks and anomalous activity to the agencies. However, without Top Secret-cleared personnel, US-CERT is sometimes unable to share detailed information about attacks coming from classified sources or using classified methods. CNCI will mandate agencies have 24/7 security operations centers with analysts who have security clearances.

5 Security Tips

KEEP OUT CYBERTHIEVES

1. Inventory authorized
and unauthorized hardware and software and enforce software whitelists 2. Implement secure configurations
for hardware and software on PCs and servers 3. Implement secure configurations
for all network devices 4. Carry out boundary defense,
including intrusion-detection systems, authentication, and occasional penetration tests 5. Monitor
and analyze security logs Source: SANS Institute

The new Carper bill, the Rockefeller-Snowe legislation, and the CNCI all encourage stronger public-private cooperation in strengthening government cybersecurity. Maconachy says there are plenty of private-sector practices, such as ISO 27002 and the recently released Consensus Audit Guidelines created with public and private input, that the government could implement. A forthcoming GAO report will recommend some security metrics and controls used in the private sector for government adoption, and NIST is working to revise a set of guidelines called Special Publication 800-53 that align well with the Consensus Audit Guidelines.

The Carper bill explicitly lays out the role of government chief information security officers in enforcing compliance with FISMA. They also will be tasked with documenting security controls, reporting incidents, conducting periodic risk assessments, and, importantly, knocking down silos by directing cybersecurity in any subordinate agency. Today, an agency isn't required to have one CISO accountable for all of its cybersecurity efforts. Carper's bill also would set up a council of government CISOs to share best practices and develop standard performance measurements.

One way to audit the effectiveness of government cybersecurity measures is a "red team approach," where a group of white-hat hackers from NSA or elsewhere are enlisted to penetrate government systems or carry out fake phishing attacks.

According to SANS's Paller, one agency CISO recently did that, asking NSA to identify every place where hackers could break into his networks, and he's now monitoring progress as the holes get fixed. The agency is also implementing the Consensus Audit Guidelines, assigning threat levels to each of its 20 recommended controls.

It's an example of how, even as they keep an eye on new legislation and regulations, government cybersecurity pros can take action. They must, because threats won't wait.