Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

Federal Agencies Wrestle With Cybersecurity's Harsh Realities

Sophistication of attacks, shortage of resources lead agency IT chiefs to focus less on perfect security -- and more on risk management

WASHINGTON, D.C. -- FedScoop Cybersecurity Leadership Summit -- In a perfect world, U.S. federal agencies would be able to prevent all attacks -- and identify those who launch them. In a perfect world, agencies would comply with all security regulations and provide open access to public information while tightly securing all data that might be important to national security.

There's just one problem: The world isn't perfect.

That was the message here today as top IT executives of several federal agencies -- as well as federal business unit executives of some of the industry's largest vendors -- met in a panel discussion on government cybersecurity programs and the challenges they face. In essence, all of the executives described their efforts to deal with security's realities in a practical fashion, rather than attempting to build impenetrable perimeters.

"The fact is that there is no point of attack that is too obscure to be found, and there is no security perimeter that can't be breached," said Tom Quillin, director of security alliances at Intel. "We need tools and strategies to protect [systems] from attack -- but we also need ways to detect attacks and recover from those attacks when they penetrate those defenses."

Ron Ross, computer scientist and a leading voice on security at the National Institute of Standards and Technology (NIST), agreed. "Even in the case of nuclear attacks, we have 20 or 30 minutes to respond, but cyberattacks move at the speed of light -- there's no time to respond. A defense that's built entirely around boundary protection won't work. Like an army, we have to be able to absorb an attack -- and still be able to move on to complete the mission."

Even the question of what constitutes an act of cyberwar -- and the identity of those who launch it -- remain open questions for the federal government, said Lt. General Jeffrey Sorenson, CIO of the U.S. Army. "How do we know who's conducting an attack? Are we really under attack, or is it just a nuisance? To be honest, the metrics we use to measure these questions are still very fluid."

Even simple compliance with federal government IT policies is problematic, according to Sanjeev (Sonny) Bhagowalia, CIO of the Department of the Interior. "One thing I have learned in government -- we have a lot of regulations," he quipped. "We don't have enough budget to comply with everything. We're also dealing with a major shift in policy -- after the 9/11 attacks, we were in the mode of, 'Secure everything and share what you must.' Now with the open government initiative, it's, 'Provide access to everything and protect what you must.' It's a big change for us, especially in security."

Then there's the problem of identifying and locating sensitive data, noted John Bordwine, CTO of public sector at Symantec. "We have reached the problem of what I call '30 instances of data,'" he said. "If a few of us share an email, then that email appears on our hard drives, in our sent mail folders, on our backup devices, and on the company's backup system. It appears on our smartphones and PDAs. In some cases, the data might end up with a contractor or in a cloud infrastructure. Finding that data and securing it is not easy."

With so many demands on security -- and only limited resources to achieve them -- federal agencies are rapidly reaching the conclusion that the holy grail of secure perimeters must be put aside in favor of a more practical, risk-oriented set of security priorities, the speakers said. The key: identify the highest risks -- both in terms of data sensitivity and likelihood of attack -- and secure that data first.

"We're looking at risk-based approaches, rather than security perfection," Bhagowalia said. "It's more about information assurance than about security. It's more about continuous monitoring than about compliance."

NIST's Ross agreed. "We've developed a structure for enterprise-wide risk management," he said. "How do you monitor risk over time? How much risk can you tolerate? Once you've answered these questions, then you can set up your missions and business processes."

While agencies internally are focusing more on security reality and less on absolutes, that same mentality could be applied to the question of identifying the source of an external cyberattack, noted Lewis Shepherd, director of Microsoft's Institute for Advanced Technology in Government.

"Attribution may not always be possible, but there is the possibility of developing a 'sliding scale' for situations where that's the case," Shepherd said. "We do this in our courts all the time -- we make decisions based on 'beyond a reasonable doubt' or 'a preponderance of evidence.' We measure the probability of culpability and the harm or potential harm that was caused, and we render a decision."

But whether the problem is compliance or all-out cyberwar, the security challenges for federal agencies are not likely to get smaller anytime soon, Ross said. "The way we're handling them now, we can pretty much guarantee that the attacks will continue," he said. "We're seeing exponential growth in the instance of malware. The threat space is increasing a lot. This problem is not going away."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/13/2020
Where are the 'Great Exits' in the Data Security Market?
Dave Cole, Cofounder and CEO, Open Raven,  10/13/2020
Overcoming the Challenge of Shorter Certificate Lifespans
Mike Cooper, Founder & CEO of Revocent,  10/15/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11496
PUBLISHED: 2020-10-19
Sprecher SPRECON-E firmware prior to 8.64b might allow local attackers with access to engineering data to insert arbitrary code. This firmware lacks the validation of the input values on the device side, which is provided by the engineering software during parameterization. Attackers with access to ...
CVE-2020-15822
PUBLISHED: 2020-10-19
In JetBrains YouTrack before 2020.2.10514, SSRF is possible because URL filtering can be escaped.
CVE-2020-24375
PUBLISHED: 2020-10-19
A DNS rebinding vulnerability in the UPnP MediaServer implementation in Freebox Server before 4.2.3.
CVE-2020-7193
PUBLISHED: 2020-10-19
A ictexpertcsvdownload expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).
CVE-2020-7194
PUBLISHED: 2020-10-19
A perfaddormoddevicemonitor expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).