It’s not the technology; it’s the culture.
If you work in IT anywhere, you’ve heard that statement — probably a lot, and particularly when it comes to cybersecurity. But “there are big technical issues, too,” cautions Vance Hitch, CIO for the Justice Department. “Technically, there are real challenges.”
Chiefly that’s because the threat is ever-evolving, says Hitch, who is also co-chairman of the CIO Council’s Information Security and Identity Management Committee (ISIMC). Once the government or industry makes an adjustment, the threat changes. Literally hundreds — sometimes thousands — of individuals “react to how we’re reacting to what they have done,” he says.
It is that dance, back and forth (vulnerabilities revealed or exploited and then systems reinforced or replaced), that makes information assurance so tricky, says Input principal analyst John Slye. The attack methods change, but the goals remain the same. “The newer threats tend to be more clever ways of doing the same old things — stealing data, corrupting data or disrupting operations,” he says.
Yet maintaining connectivity and keeping systems and data secure have become more demanding tasks for CIOs and CISOs because there are more ways to get to the data, Slye adds. “As agencies continue to move forward with sharing information, complexity continues to grow at a faster rate than their ability to secure that information.”
This or That
It’s a balancing act for agencies, says Robert “Rocky” Young, a security expert who is an associate professor of systems management at the National Defense University’s IRM College and leader of its Cyber Security Center & Information Assurance Labs. “We need to identify the infrastructure challenges and correct any weaknesses, vulnerabilities or threats we know of while mitigating and/or accepting the risks of those that we cannot correct,” he says. “We will never extinguish 100 percent of our risks; there will always be a bit of risk smoldering and waiting to be fanned into a huge bonfire by a skilled hacker.”
The key is to prioritize those risks, and often that comes down to dollars. Agency contracting for cybersecurity is expected to grow from $8 billion this year to just short of $12 billion in 2014, according to Input research. This spending trajectory shows no sign of tapering off, Slye says.
That may be so, but there are not infinite resources available to funnel into cybersecurity, notes Robert Carey, CIO for the Department of the Navy.
“DOD is spending a lot in this space,” says Carey, who co-chairs ISIMC with Hitch. “We have lots of technology; we have a lot of tools. DOD probably has as many tools as anyone in the world to do network defense, and we’re still often being reactive.”
In Defense, the IT security request for 2010 is $4 billion, or 13 percent of the total IT budget of $33 billion.
Admittedly, the government will spend more on cybersecurity than agencies estimated 10 years ago that it would, but over the next decade other priorities will arise that will require funding, Hitch says. The upshot is that agencies must focus now on creating a more viable approach to cybersecurity, with an investment strategy to keep it going, he says. “It’s a challenge for the entire federal community.”
So where are things headed in the short term? There are organizational and programmatic initiatives, technology deployments, and training and awareness movements in the works.
No ‘I’ in Team
What has to happen is more interaction among agencies, which is one of the reasons that the CIO Council launched ISIMC last year, notes Hitch. “CISOs needed a better way of getting their voices heard.” The committee is bringing all the groups involved in cybersecurity together in one organization to help the government forge a better and more sustainable IA effort, he says. The security work that agencies have been doing has been good; it just hasn’t always been coordinated, Hitch says.
For its part, the Department of the Navy IT team has created a security road map and is developing an accompanying investment model on IA and computer network defense (CND) that is being vetted by the Pentagon for use as a potential DOD model. But there’s no reason it couldn’t be used more broadly, says Carey. It’s needed because there’s no measuring stick for IA and CND that’s comparable to, say, the software development rubric provided by the Carnegie Mellon Capability Maturity Model. The government needs to create a yardstick that agencies can measure their efforts (and IA/CND investments) against — something they can use to quantify the security programs and tools they implement, he says.
Tighten the Hatches
Slye says Input’s research suggests that cybersecurity programs across government are primarily focused on three areas of IT: monitoring tools and situational awareness applications; anomaly monitoring programs that give organizations data to help them recognize questionable behavior on their networks; and network access controls that rely on role-based logins and identity management.
Hitch agrees and says most realize that they need to radically ramp up basic network security and monitoring. “These are kind of the bread and butter of cybersecurity, and many organizations have really not been doing it because few fully understood the significance and depth of the threat,” he says. But since the Sept. 11 attacks eight years ago, this reality has set in.
At Justice, the Justice Security Operations Center has been created to focus entirely on the development, implementation, and management of network monitoring and traffic analysis tools.
“But setting up a SOC requires cybersecurity skills and tools of the highest order,” Hitch notes. The teams must be able to use these network scouring and reporting tools to identify specific risks, vulnerabilities and patterns so an agency can stop malware or an attack before it hits the desktop. Then, the SOC must have the ability to work with IT to quarantine an incident before it spreads, get rid of it and prevent it from entering new areas. The steps sound simple, but carrying them out is far from trivial, Hitch says.
Likewise, agencies have been confronted with the need to speed their patch management capabilities. Effective and efficient patch management is very different today than it was not that long ago. The window for validating, testing and disseminating a patch has shrunk considerably, Hitch says. It’s sometimes a 24-hour turnaround at best before systems are at imminent threat of breach and exploit. In a large environment, even one that uses patch management software and automated configuration and change management applications, pushing out fixes to literally thousands of systems (or, even more dire depending on the software, rewriting code for large legacy programs) can be an on-the-fly challenge, he says.
It’s endless work, too, points out Young. “As you patch one cybersecurity pothole, another opens in front of you — not to mention that the patch could open a vulnerability or pothole behind you, where you thought you were secure.”
Make Sure Everyone’s in the Game
Getting back to that culture thing — security awareness also remains an issue for federal cybersecurity. The government’s IT shops need to cultivate and position users to be well-informed and conscious of desktop hygiene, Hitch says. They must be taught what to be suspicious of. “You can’t put a value on that, it’s so tremendous.”
From Carey’s perspective, the government has to move to a “new normal” from the “old normal,” and that means brass at the top of Defense and leaders across civilian agencies, not merely the technical staffs, have to understand the threat, get behind what’s required to address it, and push for training and awareness programs for all users. “It’s hard to make users aware and truly raise the security bar,” he says.
From a technology perspective the new norm must include continual inspections of network traffic, an enterprise command and control posture toward IT security, standardized reporting, and the ability to support proactive and automated responses to threats, Carey says.
As to changing the culture on security and educating and converting everyone from regular network users to members of the Senior Executive Service into cybersecurity advocates, Carey contends that offering a slice of reality often does the trick. “When you show an SES who works in financial a threat brief, then they start to get it.”
Young sums it up this way: “Education, education and more education, not — and I repeat — not only training.” And these efforts must be inclusive, reaching essentially anyone who touches the network, either physically or electronically.