While the IC’s research organization looks into adding security to cloud environments, in the here and now, intelligence agencies are sharing more data.
The federal government spends roughly 80 percent of its $80 billion annual IT budget on maintaining legacy systems, federal CIO Tony Scott noted in his 2016 Brocade Federal Forum keynote. Older platforms increase vulnerabilities where vendors have stopped issuing security patches.
As part of President Obama’s Cybersecurity National Action Plan, the administration proposed a $3.1 billion revolving fund to speed up IT modernization. The fund, formally known as the Information Technology Modernization Fund, or ITMF, would have been revolving, allowing participants to pay back funds using savings generated by the new systems, such as increased efficiencies.
In September, the House of Representatives passed the Modernizing Government Technology Act of 2016, which didn’t appropriate any new money, but would authorize working capital funds at the 24 agencies governed by the Chief Financial Officers Act of 1990. The bill, which the Senate did not take up before the last Congress ended, also authorized a governmentwide revolving fund that the GSA would manage, akin to the ITMF.
Still, newer systems aren’t without their share of vulnerabilities, especially in cases where they’re not patched in a timely manner. Timely patching sounds like obvious advice, yet a startling number of public and private organizations fail to follow it.
“Good configuration management continues to be the top defensive mechanism,” says Monzy Merza, director of cyber research and chief security evangelist for Splunk. “But that’s the one thing that a lot of organizations struggle with.”
Research quantifies the fallout: A recent Hewlett Packard Enterprise study found that the top 10 exploits in 2015 were more than a year old; 68 percent were at least three years old. Nearly a third used a 2010 Stuxnet infection vector that has been patched twice.
“The government is beginning to address it,” says Rob Roy, Hewlett Packard Enterprise public sector CTO for security. “They’re larger than an aircraft carrier, and they’re going to take a long time to spin around.
“There’s a recognition out there — everybody knows it, and it comes down from Capitol Hill — that patching is a big problem, and that if you do a good job of patching, you’ll take care of a lot of low-hanging cybersecurity fruit.”
One example is the Department of Homeland Security’s Continuous Diagnostics and Mitigation program, which inventories patch levels and other attributes that affect cybersecurity. After that, it’s a matter of finding the time to implement patches and updates. IT staff often have so many other projects on their plate that push patches and updates to the back burner. And that’s precisely why such vulnerabilities persist.
“They need to prioritize the patches,” Roy says. “Figure out what they’re being hit by, what exploits are emerging and prioritize those patches.”
Expanding IT staff pools is another obvious way to implement patches and updates faster, which often is easier said than done to a chronic shortage of not only well-rounded IT professionals but also those with cybersecurity expertise.
“Human resources continues to be the biggest challenge for every single organization,” Merza says. “I haven’t met a single chief information security officer over the last two years who said, ‘I have all the people I need and it’s easy for me to find people.’”
Several federal initiatives could do much to alleviate that shortage. For example, DHS helped to develop the Cybersecurity Workforce Development Toolkit, which provides cybersecurity awareness training that agencies can use to hire and develop their cybersecurity staff. DHS also is expanding the National Initiative for Cybersecurity Careers and Studies training catalog of more than 2,000 courses.
As is the case with replacing legacy systems, staffing up appropriately also requires finding more money. The shortage of cybersecurity expertise means those professionals constantly weigh multiple offers of employment, including many attractive ones from the private sector.
“The government has a really difficult time attracting talent from the private sector and hiring as many folks as they need,” Roy acknowledges. “They can’t pay the rates the private sector pays. Even in the private sector, here at Hewlett Packard Enterprise, we can’t always fill all of the openings we have.”
Contract opportunities with consultants and other outside experts allows agencies to beef up cybersecurity efforts, at least until they can find the budget and qualified professionals to grow their staff. Another option is to find or nurture candidates internally — and not just through heavy promotion of cybersecurity openings.
Some agencies already provide all employees with at least basic information about threats and vulnerabilities to help everyone do their part. Agencies could leverage those awareness campaigns to encourage employees to consider a career in cybersecurity.
“That sometimes inspires someone who’s a database administrator, who may want to work in the security field,” Reid says. “Make sure those paths are open. Have things like brown bag sessions where people who are non-security professionals can be exposed to these topics.”
Still another type of exposure would help federal cybersecurity as a whole. Many federal IT leaders acknowledge that agencies could do a better job of sharing information with one another — even basic things such as lessons learned from a SQL Server or Windows migration.
That mindset is changing, however, and in the case of cybersecurity it could include sharing attack signatures so that everyone understands what to look for instead of having to find out on their own. Such information sharing could also alleviate the effects of staffing shortages, since each agency would require fewer people to keep an eye on emerging attack types.
“As more agencies share and cooperate, they potentially have stronger defenses,” says Reid, whose federal career included a stint a NASA. “Each agency then doesn’t need to recreate that task-heavy wheel.”