A longterm White House strategy for ratcheting up federal computer security is expected to move a lot of product, injecting billions of dollars into the cyber market. But some critics say technology will not be able to handle a weakness at the root of recent high-profile hacks – IT management.
Audits by agency inspectors general and the Government Accountability Office for years have pointed out security program lapses at the Office of Personnel Management, State Department and most of the other agencies that fell victim to cyberintrusions.
Past mistakes at agencies -- not ensuring software updates are installed at least every 30 days, not encrypting data, not requiring multiple ID checks for logging in and failing to modernize decades-old systems -- require managers to fix.
"Unfortunately, the behavior change part is not addressed at all in this plan," said John Pescatore, a one-time National Security Agency employee who is now a director at the SANS Institute, a security training organization. If the Obama administration does not consider "why do we have these fundamental IT administration problems, it's not going to change behavior," he said.
The White House Cybersecurity Strategy and Implementation Plan revolves around:
- Taking inventory of and protecting high-value information and assets;
- Detecting and responding to cyberincidents in a timely fashion;
- Rapidly recovering from incidents and quickly embracing lessons learned from a summer 30-day "cybersecurity sprint" that uncovered security vulnerabilities;
- Establishing "the most highly qualified cybersecurity workforce talent the federal government can bring to bear" and;
- Acquiring and deploying existing and emerging technology
Each goal relies heavily on "continuous diagnostics and mitigation," a suite of sensors and specialists that monitor networks for security weaknesses in near-real time, according to Office of Management and Budget officials.
The new plan explains that the Department of Homeland Security, which entered into a $6 billion contract for the tools, has "developed a plan to accelerate the deployment of CDM phase 2," one of three stages, which focuses on login controls. Under the plan, those protections will be delivered by Sept. 30, 2016.
As OPM was deploying continuous monitoring tools in April, the agency discovered an intruder used a stolen password to compromise the Social Security numbers of 21.5 million individuals and the names of an untold number of references and contacts.
Nice catch. But agencies were told to deploy these controls in 2012 to comply with the Federal Information Security Management Act, Pescatore noted.
"It's good to say that DHS will accelerate it," he added. "But once again, what is going to happen to remove the barriers to why it was going so slowly for the past three years?”
A Blessing for the Cyber Industry
The White House strategy was issued on a Friday afternoon and by the following Monday, government vendors such as Intel Security, Lookout and Tanium were positioning their goods to fulfill its objectives.
"People who sell security products and services would be very happy” with this plan to “sprinkle more security on things,” Pescatore said. “But the best security progress is when you eliminate the vulnerability, not when you put papier-mâché over it.”
One item on the docket involves fixing software flaws faster. "Why haven't government agencies been patching them quickly?" he said. "Well, it turns out, it’s not the security group who does the patching; it's IT operations." Applying more security tools will not alleviate years of neglect, “if we don't fix the problems in server administrations or IT operations."
OPM's technology was avowedly anachronistic when attackers, believed to have Chinese military ties, extracted background check records on millions of national security personnel. 1980s-era databases were written in a programming language called COBOL that mystifies most present-day programmers.
In a move to sense oncoming attacks before hackers get too close, the administration will tweak a network surveillance tool fueled by NSA intelligence that currently only detects known threats. The EINSTEIN system, as it’s called, cannot spot "zero-day attacks" that creep in through software flaws unknown to NSA or even the software's developers.
To enhance EINSTEIN, DHS has begun performing "behavioral-based analytics" on network traffic that might reveal a bad actor is afoot. Testing underway will "extend beyond the current approach of using known signatures and begin identifying threat activity that takes advantage of zero-day cyberintrusion methods,” the strategy states.
The department is eyeing tools from the private sector for the EINSTEIN experiment. "This is an area where I think they can learn from private industry to see what technology and practices they use for better monitoring," Pescatore said.
According to the plan, agency deputy secretaries, who sit on the President’s Management Council, will track progress on follow-through, as will face-to-face "CyberStat" reviews with agency and OMB experts. The OMB Cyber and National Security Unit (OMB Cyber) -- previously called E-Gov Cyber -- is a small but growing workforce dedicated to enforcement of information security policies.
Some congressional overseers welcomed the administration’s vision for heightened attention to computer threats.
“Cybersecurity is one of the greatest challenges we face in the 21st century, one that requires an all-hands-on-deck response,” Sen. Tom Carper, D-Del., ranking Democrat on the Homeland Security and Governmental Affairs Committee, said in a statement. “I am pleased that we are continuing to build on the momentum” of the cybersecurity sprint, and “it is essential that we have a longterm vision to get to an acceptable level of cybersecurity within the federal government.”