Homeland Security Wrestles with Defending a Disappearing Network Perimeter

New policy and guidance are coming for agencies to ensure they are using secure network connections. It won’t look like the old Trusted Internet Connection policy but it’s not clear yet what it will look like, according to a top official.

When devices and applications connect to the internet, agencies need to ensure that connection is secured from outside influence and infiltration. As technologies like cloud become more abundant and defined network perimeters disappear, creating hard rules has become more difficult, according to Mark Bunn, program manager for the Homeland Security Department’s TIC initiative

Bunn said his department has been hard at work on an update to the current document, which was released in 2008. As they assess the current landscape, TIC officials have found themselves on the cusp of a sea-change.

“We’ve seen a lot of things change with a stagnant program,” Bunn said during a Sept. 27 event hosted by FCW. “We have the whole concept of boundaries, and now we have technologies that don’t have boundaries. How do you apply a boundary program to try to leverage data and use data when there’s no such thing as a boundary anymore?”

Under the current policy and guidance, agencies are instructed to build strong perimeter defense like firewalls and enclaves “and pretend like it’s a 2008 network,” Bunn said. The new environment is so different, the office even considered renaming the program. For now, they’re calling it TIC 3.

“We’re making progress toward it being unique and different enough that it’ll support what you’re doing, support future technologies” like artificial intelligence and neural nets, he explained. “What do those look like from a security standpoint?”

Bunn had few specifics to share about what that will look like, as he and other TIC officials are on a listening tour of agencies to discover what their environments look like and how their security needs have changed over the years. So far, the conversations have focused more on processes than new technologies, he said.

“Yes, we have a hammer; yes, we’re still hammering nails,” Bunn said. “But now, suddenly, we’re like, ‘What are we making out of these hammers and nails?’”

The hope is to create a flexible document that can be applied to any future technology or threat.

“Technology always outpaces our ability to protect ourselves from that technology. The first time we invented fire, we got burned by that fire. We know that’s going to happen with future technologies, as well,” Bunn said. “How do I compensate for that or how do I recognize that? And now, how do I make sure I have some kind of risk management, some kind of threat management in place where when that happens, I can be resilient to that?”

The program office continues to hold quarterly meetings, Bunn told Nextgov. However, the next step in the process is on the Office of Management and Budget’s plate, in the form of an impending update to the administration’s TIC policy.

Federal Chief Information Officer Suzette Kent said OMB is planning to release a number of policy updates before the end of the year, TIC included. Once that update is finalized, Bunn said his program will be able to start the tangible work on their guidance. While Bunn couldn’t offer a timeline, he said he hopes to be able to move quickly once the OMB policy is released.