Cybersecurity

What Is It?

Cybersecurity is the protection of all things Internet -- from the networks themselves to the information stored in computer databases and other applications. The concept grew out of necessity as businesses and agencies sent more data and processes online, and it's even more crucial now with the emergence of Web 2.0 technologies, which foster online collaboration and information sharing.

The need for a secure Internet is underscored by the rapid increase in cyberattacks. The number of information security incidents federal agencies reported jumped from 5,146 in fiscal 2006 to 12,986 in fiscal 2007, according to the Office of Management and Budget. In addition, federal agencies noted the number of users who accessed files or databases without the proper authorization increased from 706 in fiscal 2006 to 2,321 in fiscal 2007. While some of this can be attributed to agencies becoming better at tracking unauthorized access, the sharp rise still concerns security professionals.

Cybersecurity is an umbrella term that incorporates different IT strategies that protect networks. Identity management, for example, authenticates individuals accessing the network, verifying that they are who they claim to be, and then monitors what they do on the network. Risk management identifies network vulnerabilities and threats and determines appropriate countermeasures based on the sensitivity of the data at stake. Incident management executes responses when security events threaten the network.

The method for deploying each depends in part on an organization's missions and requirements. Cybersecurity best practices typically include two-factor authentication, which requires users to present two credentials of different kinds, such as a password and a fingerprint scan, before they can access a system or application; digital signatures, which verify the integrity and origin of a message; and encryption, which transforms data into an unreadable form that only users holding the corresponding key can restore. These methods must be used in conjunction with customized information security policies and training.
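The two-factor check described above, as an added example that is not part of the original article: a password verified against a salted PBKDF2 hash (something the user knows) plus a time-based one-time password, TOTP per RFC 6238 (something the user has), standing in for the fingerprint scan the text mentions. The user record, salt, password and timestamps are constructed for the demonstration; the TOTP secret is the RFC 4226/6238 test-vector key, so the codes it produces can be checked against the RFCs.

```python
"""Two-factor login: password (PBKDF2) + TOTP authenticator code.

Added example, not from the original article. TOTP is used as the second
factor instead of the fingerprint the text mentions. The user record, salt,
password and timestamps below are constructed for the demonstration.
"""
import hashlib
import hmac
import struct
import time

# Demo value; a production deployment should use a higher work factor.
PBKDF2_ROUNDS = 100_000


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226, HMAC-SHA1, dynamic truncation)."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                # low nibble picks the 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the time-step counter."""
    return hotp(secret, int(for_time // step), digits)


def verify_totp(secret: bytes, submitted: str, for_time: float,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Accept the code for the current time step or +/- `window` steps of clock drift.

    hmac.compare_digest keeps the comparison time independent of how many
    digits matched; every candidate step is evaluated so timing does not
    reveal which step, if any, matched.
    """
    if len(submitted) != digits or not submitted.isdigit():
        return False                                       # format check only, no secret involved
    counter = int(for_time // step)
    ok = False
    for delta in range(-window, window + 1):
        expected = hotp(secret, counter + delta, digits)
        ok |= hmac.compare_digest(expected, submitted)
    return ok


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 password hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt), stored)


# Constructed demo user. In practice the salt, hash and TOTP secret live in the
# identity store, and the secret is provisioned to the user's authenticator once.
DEMO_SALT = b"demo-salt-16byte"
DEMO_TOTP_SECRET = b"12345678901234567890"                 # RFC 4226/6238 test-vector key
DEMO_PASSWORD = "correct horse battery staple"
DEMO_USER = {
    "name": "analyst",
    "salt": DEMO_SALT,
    "password_hash": hash_password(DEMO_PASSWORD, DEMO_SALT),
    "totp_secret": DEMO_TOTP_SECRET,
}


def login(user: dict, password: str, code: str, now: float) -> bool:
    """Both factors are always evaluated, so a failure does not reveal which one was wrong."""
    first = verify_password(password, user["salt"], user["password_hash"])
    second = verify_totp(user["totp_secret"], code, now)
    return first and second


if __name__ == "__main__":
    now = time.time()
    code = totp(DEMO_USER["totp_secret"], now)             # what the authenticator app would show
    print("password + current code :", login(DEMO_USER, DEMO_PASSWORD, code, now))
    print("password + bogus code   :", login(DEMO_USER, DEMO_PASSWORD, "000000", now))
    print("wrong password + code   :", login(DEMO_USER, "wrong", code, now))
```

The drift window is the usual trade-off: one step either side tolerates a minute of clock skew but triples the codes an attacker can guess, so pair it with rate limiting on failed attempts.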

The more sensitive the information, the more important it is that an agency develops a comprehensive cybersecurity plan. For the federal government, cybersecurity is crucial for the defense and intelligence communities, which protect the country's military secrets and strategies. But cybersecurity also is important to civilian agencies, many of which rely on the Internet to communicate with industry to support the national infrastructure -- such as transportation, water and power systems -- and maintain confidential financial and personal records.

Some of the latest network threats that test cybersecurity efforts include phishing, which tricks a user into providing confidential information by sending, say, an authentic-looking e-mail that appears to come from someone the user knows or trusts. Other threats include malware, a general term for software designed to infiltrate or damage a computer system, and botnets, groups of compromised computers, known as zombies, running malicious programs that send spam or viruses to other computers on the Internet. Those examples don't begin to encompass the full scope of threats that currently exist, or the new threats that constantly emerge.

In February 2006, the Homeland Security Department conducted a simulation of a large-scale cyberattack on the nation's infrastructure networks to test how the government and industry would respond. Most information security specialists concluded that the exercise showed just how ill-prepared government was to protect critical networks, and recommended beefing up contingency plans, better and more frequent security training programs, and a more detailed blueprint of the nation's IT architecture.

DHS officials said they tested the changes during Cyber Storm II in March. The exercise included five countries, 18 federal agencies, nine states and more than 40 private sector companies. Participants received "injects" that simulated potential threats launched through e-mails, phones, faxes, in-person contacts and Web sites. They were expected to develop crisis response systems and follow specific policies and procedures to deal with the cyberattacks and determine which were false alarms and which were legitimate. DHS plans to release an after-action report on the exercise this summer.

Cyberattacks often succeed because inadequate cybersecurity programs fail to properly lock down systems and applications, or end users disregard or are unaware of security policies. As one federal chief information security officer said, people are ultimately trusting, even when they shouldn't be.

Why Should I Care?

A quick look at the fallout from high-profile breaches that occurred during the past few years is perhaps the most compelling argument for why federal agencies should stay on top of cybersecurity efforts.

One of the more notorious security breaches occurred at the Veterans Affairs Department in May 2006, when a laptop computer containing unencrypted Social Security numbers for 26.5 million veterans was stolen from a VA analyst's home. Just three months later, in August, a computer containing unencrypted personal information on about 40,000 veterans was stolen but later recovered. Soon after, the department announced a policy to encrypt critical data on every VA laptop and implemented strict policies for managing its IT inventory and requiring security training.

In February, a laptop was stolen from the National Institutes of Health that contained more than seven years' worth of unencrypted data on 3,000 patients, including names, medical diagnoses and details of heart scans.

Cyberattacks also are common and serious. In June 2007, a network intrusion at the Pentagon resulted in what a top Defense Department technology official called the loss of an "amazing amount" of data. The Office of the Secretary of Defense detected malicious code in various portions of its network infrastructure while consolidating some IT equipment and services. Over two months, the code was used to infiltrate multiple systems, culminating in an intrusion that created havoc by exploiting a vulnerability in Microsoft Windows. Spoofed e-mails that looked like they were written by real Defense employees were sent to OSD employees. When the messages were opened, they stole user IDs and passwords that unlocked the entire network. As a result, hackers accessed and copied sensitive data stored on Defense systems. Recovery from the cyberattack took three weeks and cost $4 million.

What Are the Latest Requirements?

Various laws and mandates from the Bush administration push agencies to follow best practices in information security. Here are a few with the broadest impact.

FISMA

Enacted in 2002, the Federal Information Security Management Act, overseen by the Office of Management and Budget, requires agencies to define and inventory IT systems, determine the sensitivity of information housed on the systems, perform risk assessments to identify potential vulnerabilities, and implement security controls. Agencies then undergo annual audits to certify and accredit systems.

According to OMB's fiscal 2007 report on FISMA implementation, 92 percent of the 10,304 federal information systems were certified and accredited compared to 88 percent in 2006. This marked a milestone for OMB, which set a goal of a 90 percent certification rate.

In addition, 86 percent of systems' security controls and 85 percent of contingency plans -- which agencies follow in case a system experiences an outage -- had been tested, according to the report. Of the systems assigned a high-risk impact rating, indicating they required greater security, 77 percent had tested contingency plans.

But some industry analysts and members of Congress question whether certification and accreditation are true metrics by which to measure information security, given that agencies have no means to determine how well they fight off cyberattacks.

ISS LOB

In March 2005, a year after OMB introduced its five lines of business initiatives, which support the President's Management Agenda goal to use electronic government to consolidate business processes and save costs, a task force was created to identify issues relating to IT security. The result was the Information System Security line of business. Under this initiative, agencies identify potential security risks, propose solutions, and improve information security processes and controls.

A key component of the security line of business is training. By Sept. 30, all agencies are required to migrate security awareness training to shared service centers, which offer common suites of information security training products and services. Agencies providing the training services include the Defense Department, the Office of Personnel Management, and a partnership between the State Department and the U.S. Agency for International Development. A second tier of specialized training currently is voluntary, but likely will become required after the task force finalizes components of the program.

HSPD-12

In 2004, President Bush issued Homeland Security Presidential Directive 12, requiring a common identification card for federal employees and contractors. The smart card, which includes biometrics and other high-tech features to access federal buildings and to log on to government computers, will replace flash badges, so named because federal employees and contractors simply flash the badge in front of a security officer, who rarely checks to see if it is authentic or if the photo matches the cardholder's visage.

Agencies had until Oct. 27, 2007, to complete background checks of employees and contractors who had worked for less than 15 years for the federal government. But most agencies missed the deadline, and placed the blame for this on the technical challenges involved with issuing the cards. For example, agencies had to develop solutions for integrating IDs with support systems that maintain the data and provide an interface with enrollment and issuance functions.

Most technical problems have been resolved, and agencies now are working to meet the Oct. 27, 2008, deadline to replace the flash badges of all employees and contractors. Agencies must conduct background checks and issue smart-card IDs to 4.3 million federal employees and 1.2 million contractors. So far, background checks have been completed for 59 percent of employees and 42 percent of contractors, and 143,260 employees and 36,102 contractors have been issued cards, according to OMB.

The goal of HSPD-12 also is to tighten agencies' cybersecurity efforts by controlling who logs on to computer systems. But once a user is online, critics say, smart card IDs do little to regulate access to drives, files and databases in the network.

FDCC

OMB issued the Federal Desktop Core Configuration mandate in March 2007, requiring agencies to use a standard set of security settings for the Microsoft Windows operating system. This includes more than 700 settings developed by the National Institute of Standards and Technology, DHS and Defense.

OMB decided to issue a standard governmentwide security configuration after it reviewed a similar initiative the Air Force introduced in 2005 for more than 450,000 desktop computers. The policy, according to the Air Force, improved information security, while also lessening the burden to manage desktops and cutting costs.

The standards, which agencies were required to comply with by February, apply specifically to Microsoft's Windows XP, Windows Vista, related firewall software and Internet Explorer 7. The FDCC sets limitations on the use of riskier software applications, including instant messaging and file sharing, and requires wireless capabilities to be turned off.

Statistics on how many agencies are compliant have not been made available.

TIC Program

OMB developed the Trusted Internet Connections program in November 2007 to reduce the number of Internet connections into federal networks and make security monitoring more manageable. OMB aims to lower the number of connections from more than 1,000 to 50 or fewer, with the expectation of improving performance, allowing for a standard approach to security and lowering the chances that intruders find openings into federal networks.

OMB also asked agencies to use the Einstein system. It was developed by DHS to monitor agency networks using an automated process for collecting, correlating, analyzing and sharing computer security information with the U.S. Computer Emergency Readiness Team. The goal is to improve how agencies respond to cyberattacks. As of February, 15 agencies had deployed Einstein. DHS plans to enhance the system to improve its ability to detect incidents and to respond more quickly.

OMB required agencies to send their plans to comply with the TIC initiative to Homeland Security's national cybersecurity division. OMB was scheduled to begin in March 2008 annual assessments of agencies' progress in updating their IT infrastructure to support the initiative.

What's Next?

Most government cybersecurity efforts likely will fall under the Comprehensive National Cybersecurity Initiative, which President Bush signed in January 2008. Formally called National Security Presidential Directive 54/Homeland Security Presidential Directive 23, it places more responsibility on the intelligence community to protect federal networks against attacks. Its costs could be as high as $40 billion, according to some industry analysts. Details about the efforts have yet to be officially released.

In addition, a bill introduced in Congress in May 2008 aims to tighten computer security practices at Homeland Security by requiring the department to test its defenses against known cyberattacks and to set qualifications for cybersecurity positions, including the chief information officer. Rep. Jim Langevin, D-R.I., introduced the 2008 Homeland Security Network Defense and Accountability Act (H.R. 5983) to require DHS to test whether its systems comply with security protocols and whether the department and its contractors can defend networks against known cyberattacks. The Homeland Security CIO would be required to establish an incident response team to conduct regular vulnerability assessments of all connections to the Internet and any external network, and to detect and contain security breaches. DHS also would be required to verify that contractors' information security policies comply with department requirements.

The bill also lays out specific qualifications for the CIO position at DHS to attract qualified experienced IT managers. Candidates would have to have a demonstrated ability in and knowledge of information technology and information security, and no less than five years of executive leadership and management experience in IT security in the public or private sector.