The federal action plan calls for a new commission, public service campaigns, and funds for replacing old, insecurable government IT.
Hackers are now probing the deepest secrets of every federal agency, according to the Department of Homeland Security's cyber chief. But it's OK: The intruders are from DHS.
It’s part of an exercise the agency is undertaking to test vulnerabilities in federal computer systems full of sensitive data that are prime targets for the actual bad guys.
Agencies recently took stock of IT tools and databases that would upend government operations if tampered with.
“We are now putting those through our red teams, which is people that know how to break in," said Phyllis Schneck, DHS deputy undersecretary for cybersecurity and communications.
The authorized hacking is part of a civilian agency cybersecurity strategy precipitated by a real-life breach of an Office of Personnel Management background check system. The attack exposed not only intimate details on 21.5 million U.S. national security professionals and their families, but also vulnerabilities in OPM's IT environment that date back to the Reagan era.
On Tuesday, that strategy was folded into a grander action plan, the Cybersecurity National Action Plan, unveiled earlier this week in conjunction with President Barack Obama's 2017 budget. Among other things, the new plan calls for a commission, public service campaigns, and funds for replacing old, insecurable government IT.
The plan also includes a $19 billion funding request to support cybersecurity activities, on top of the $14 billion sought last year and $59 billion spent on federal agency information security, alone, since 2010.
Last-Ditch or Capstone?
There’s a long, mostly ill-fated history of presidents declaring war on complex, thorny issues, including Richard Nixon’s War on Drugs and Lyndon Johnson’s War on Poverty. This effort may not quite be Obama declaring “war on hackers.” He hasn’t used the phrase and, in today’s jargon-laden Washington, officials mostly refer to this new effort by its official acronym, CNAP (pronounced, unfortunately, “See-Nap.”).
But the new plan does symbolize Obama’s last chance to prove progress in an ongoing effort -- costing $73 billion since fiscal 2010 and counting -- to strengthen the nation’s online security.
This is not Obama's first attempt to defend the nation against organized cybercrime.
During his first year in office, the president commissioned a 60-day Cyberspace Policy Review and appointed the first White House cybersecurity coordinator, aka "the cyber czar."
In 2013, Obama signed a critical infrastructure cybersecurity executive order to shore up the power grid, banking system and other vital U.S. networks, 90 percent of which are owned by the private sector. Late last year, he enacted legislation making it easier for government and industry to exchange threat tips, despite a controversy over potentially exposing the digital footprints of innocent Internet users.
Backers describe the latest cyber initiative as a reaction to a danger that is not letting up, even with everyone's best efforts to address it.
"This is really a capstone effort that had been building for some period of time and what we're really saying is that, in effect, we're doubling down on what we'd been doing and trying to accelerate it because of the growth in the threat," said the current cyber czar, Michael Daniel.
Making Systems More Secure -- By Design
During the latest high-profile strike against federal systems, an unidentified hacktivist allegedly leaked contact information on some 9,000 DHS personnel and 20,000 FBI employees retrieved from a Justice Department computer.
The concept of turning on multibillion-dollar IT systems and security -- at the same time -- only recently became a reality.
For decades, protections were engineered after the fact and checked up on every three years. In March 2010, Vivek Kundra, the first-ever U.S. chief information officer at the time, testified to House lawmakers that it was wrong to "bolt-on security afterward," adding that "security investments are best when they are actually baked in to the systems."
This week's plan proposes Congress spend $3.1 billion on a new pot of money to replace or upgrade antiquated IT. Agencies will vie for a piece of the pie by submitting blueprints for systems that, among other requirements, would be shared across multiple departments.
So-called shared services could help with a cybersecurity talent shortage by allowing agencies to tap the same pool of existing cyber pros instead of "diluting their capability,” Daniel said. He and Schneck, along with other federal cyber leaders, spoke at a Thursday forum in Washington hosted by the New America think tank.
Shared systems also could shrink the network perimeter the government is trying to defend, the officials said.
The very foundation of the World Wide Web needs some retooling in order to support 21st-century protections, officials noted.
The federal government will work on the "security of the same basic fundamental protocols on which the Internet is built -- things like the way that packets [of data] are routed to their destinations, and the way that computers synchronize with each other and agree on what time it is -- these turn out to have very significant security implications," said Edward Felten, the White House’s deputy chief technology officer.
But to skeptics, a new "Commission on Enhancing National Cybersecurity," sounds destined to fail, as most commissions in Washington do.
Daniel, responding to this concern, said the commission is partly aimed at offering advice in the final days of Obama's term to the next administration.
There are questions, too, about expending more money on a governmentwide intrusion prevention and detection system, dubbed EINSTEIN, that could not see the OPM hack as it was happening. The federal firewall was just the subject of a brutal audit that reported the system didn’t detect 94 percent of commonly known vulnerabilities and was incapable of checking Web traffic for malicious content, among other things.
Administration officials want to invest $471 million in EINSTEIN next year.
Schneck, a computer scientist who left McAfee to join DHS in 2013, said she’s aware the system is not cutting edge.
When she arrived at the department, colleagues asked her to "look at this EINSTEIN thing and tell us about it, and by the way, the technology is 10 years old," Schneck recalled. "So I studied it for a long time . . . it basically blocks things that it knows are bad," and that technology, as she informed her coworkers, “is not 10 years old -- in fact, it's about 25 years old."
Still, she characterizes EINSTEIN as a vital part of the government's information security toolkit.
The system captures "all of the traffic," with privacy protections in place, "that comes in and out, day in, day out, 24-7 of every federal agency that we protect."
Based out of a newly christened DHS Silicon Valley outpost, staff soon will consult with startups about novel mechanisms to make EINSTEIN smarter, Schneck said, adding she "launched" the department's first operations employee out there Feb. 2.
Another shortcoming of the action plan, some observers say, is that it does not concentrate on the international aspects of the Internet security problem. Only one bullet point describes an intention to "further bilateral and multilateral commitments" to agreeing on norms of behavior in cyberspace.
The effort, Daniel said, "has a strong domestic focus because that's where we need to put time and effort," adding that the administration is very mindful of the global dimensions of the challenge.
Daniel told reporters after the event that America is at times more at risk in cyberspace than land, sea, air or outer space.
"The adversaries are beginning to learn that it's actually sometimes easier to attack us in the cyber domain than in any other sort of area," he said. "If we want people to take advantage of and really extract the value from electronic health care records, we've got to trust that they're information is going to be protected, not just by the government but by the companies" that store them.
In fact, the national security implications of cyber assaults were referenced by Obama himself on Tuesday, when he released the budget and established the new commission.
"More and more, keeping America safe is not just a matter of more tanks, more aircraft carriers; not just a matter of bolstering our security on the ground,” Obama said. “It also requires us to bolster our security online.”