While the IC’s research organization looks into adding security to cloud environments, in the here and now, intelligence agencies are sharing more data.
Come this June, agencies must be well on their way to consolidating their gateways to the Internet, per a new mandate from the Office of Management and Budget.
The government has set a target goal of 50 points of presence, down from more than 1,000. The idea behind using a standard set of Trusted Internet Connections is that the government can then monitor these gateways for malware as an enterprise rather than individual agencies trying to do so.
In January, agencies had to submit their first plans for aligning their network operations with this mandate. Besides whittling down the total number of gateways, OMB plans to deploy Einstein, an intrusion detection tool managed by the U.S. Computer Emergency Readiness Team, to monitor the traffic at what OMB is calling the federal Internet perimeter.
So, how can most agencies make this work?
Agencies’ enterprise architectures provide an immediate first stop for detailed information about links to the Internet, says Karen Evans, administrator for e-government and IT at OMB.
Plus, agencies can identify the systems and contracts that support Internet services using their EAs and can also see what cross-agency services exist for large networking contracts and through Lines of Business initiatives.
It is always difficult to make major change, but with a lot of collaboration, planning and hard work, the Interior Department succeeded in reducing its Internet connections, says Nina Rose Hatfield, deputy assistant secretary of business management and wildland fire.
Interior once had 33 Internet gateways and now has five points of presence. It determined the gateways that could be consolidated, set a timeline and began making the transition, she says.
Greg Garcia, assistant secretary of cyber security and communications at the Homeland Security Department, describes using Einstein as a “handshake of trust between an agency and DHS.” Only through a partnership model can the government expect to get results, he says. A major benefit that Garcia expects from this change is that CIOs won’t have to make difficult business cases for more security monitoring, which he says is a constant refrain of theirs.
In the fall, US-CERT had arrangements with 13 agencies — before OMB had mandated use of the intrusion detection tool. For each gateway, agencies and their contractors will need to set a plan with US-CERT to establish use of Einstein.
In that way, the government will be able to set standard security expectations and service-level agreements, according to OMB.
Agencies should model their TIC efforts on the gateway approaches already established by DHS and the Defense Department, recommends Alan Paller, research director for the SANS Institute in Bethesda, Md.
Paller notes that given the accelerated rate of targeted attacks, only an approach like TIC creates a way to spot tricky malware and to analyze and monitor access points across the government.
Most agencies cannot spend the funds to create the necessary lab and to hire code analysts to focus on the problem, he says. What’s more, why should they, when this task can be centralized and there’s more coordinated analysis of threats, Paller says.