28 July 2016

Secure America’s Cyber Borders

Anne-Marie Chun

4 things every U.S. Government CISO should look for
to make the budget go further

It is Q4 of the U.S. Government’s 2016 fiscal year, and as Congressmen and women enter summer recess, federal agencies have something else on their minds: their remaining FY2016 budget.

While CIO Tony Scott has publicly denounced the year-end shopping spree, the fact of the matter is that agencies, on average, spend one third of their total annual budgets in the last quarter, according to Bloomberg Government analysis. With roughly 33% of a budget left to spend over three months, the multi-billion dollar question is: how should agencies be spending it to have the strongest impact on their year round security?

[bctt tweet=”In 2015 alone, the U.S. government suffered over 77,000 cybersecurity incidents.”]

One area that is surely top-of-mind not only for CISOs but for many CIOs and agency leaders is cybersecurity. In 2015 alone, the U.S. government suffered over 77,000 cybersecurity incidents, according to a recent Government Accountability Office report. That is an average of 211 cyber threats per day. What’s worse, the same attacks occur over and over: unauthorized third parties find a backdoor into a government application, confidential information is exposed, and/or personal records are compromised and stolen.

The U.S. government is by no means an isolated target. The commercial sector suffers cyber breaches regularly. Target’s 2013 data breach affected anywhere from 70 to 110 million customers, leading to a profitability tumble that has left boards all over the world shuddering. Target profit fell almost 50% in Q4 2013 and was down by 30% overall for the year. Now with ransomware and more creative types of theft on the rise, the challenges continue to build.

When it comes to the U.S. government, a cyber attack impacts the entire country. A breach affects not only the government organization itself, but also the millions of Americans that agency is charged with protecting. Securing America’s cyber borders has become a matter of economic, national, and personal security. Consequences include but are not limited to:

  • High Financial Costs: The IRS’s Get Transcript app that was hacked in June 2015 reportedly cost $2.7 million to implement and led to roughly $39 million in phony tax refund claims carried out by the attackers, according to Nextgov research and IRS official statements.
  • National Security Erosion: The July 2015 intrusion into the Office of Personnel management’s systems compromised background investigations into 21.5 million people, as well as the government’s data security and privacy.
  • Citizens’ Lives at Risk: Earlier this year, Hamid Firoozi was charged with hacking into a New York dam control system. This is just one of a growing number of IoT hacks that reveal how truly little control citizens have of their security at home and in public spaces.

As the number of cyber incidents rise, the federal government recognizes a need for a stronger coordinated response both within the government body, and between the federal and commercial sectors, as explained in Tuesday’s Presidential Policy Directive—United States Cyber Incident Coordination. This year, President Obama’s administration proposed a 35% increase to the fiscal year 2017 cybersecurity budget for a total of $19 billion. However, in a tight budget environment, the US government needs solutions that are more effective, not more costly.

The commercial sector offers a variety of cybersecurity solutions and approaches. When considering how to spend their cybersecurity budgets, federal CISOs, CIOs, and Secretaries should consider the following:

1) Effectiveness: Does the solution match and evolve with my threat?
Historically, effective, comprehensive solutions to finding and stopping vulnerabilities in an IT architecture have been hard to find. Hired “hackers” or consultants can provide cyber security assessments of a system, but these static reports do not suit a dynamic organization and dynamic, evolving threat environment. On the other hand, legacy technology products can provide automated scanning but simply cannot think or behave like humans. Today’s best solutions pair man with machine to provide the best of both worlds: the scalability of machine and the flexibility and intelligence of a human crowd.

2) Skill: Does the solution augment and complement our in-house capabilities?
Today, the demand for top talent far exceeds the supply. Currently, the industry is reporting that cybersecurity professionals have a 0% unemployment rate in Washington, DC. Cisco estimated in its 2014 Annual Security Report that the industry as a whole is suffering from a 1 million person shortage of cybersecurity personnel, and the gap is only growing. Crowdsourced security solutions and ethical hackers can provide surge support to agencies in order to scale up red teams or provide an adversarial perspective on how a bad guy might access the system. Every attacker has a different style and approach, and leveraging ethical hackers from around the world provides a diverse set of perspectives on how the bad guys could exploit a system vulnerability.

However, before looking outside for talent, CIOs and CISOs should take a close look at the third party hackers they are hiring. The best-in-class researchers will bring deep technical expertise and a creative approach to vulnerability exploitation, but they should also have a history clear of any unethical hacks, a proven track record of working with reputable employers, and even government experience in order to make them SF-85 compliant. A perfect combination of quality & necessary quantity is critical, so vendors’ resources should be closely vetted before starting a new engagement.

3) Security & Control: Does the solution give me full access, control, and oversight over my system?
Hiring outside vendors should only help, not hurt, system security. Third party bug bounty programs provide third party insight into system vulnerabilities, but they offer little control and little oversight of the process. Private programs and contracts allow agencies to control who enters the system, how they enter, what they research, and how they research it. Every vendor an agency uses should be ISO/IEC 27001 certified and comply with NIST 800-115 for Information Security and Assessment. For cloud-based projects, vendor should also operate in FedRAMP compliant data centers and be available via GovCloud. The stronger the contractor’s federal credentials, the easier the approval and the integration processes will be.

4) Mitigation & Remediation: Is the solution actually a solution?
Today’s adversaries are creative and diverse – they enjoy finding innovative workarounds to circumventing systems. If at first they don’t succeed, they will try again. Agencies must seek to not only discover their system vulnerabilities but also mitigate against future attacks and remediate to ensure the problem has been truly solved. When considering potential vendors, agencies should make sure that their selection does not just provide point-in-time software security testing or a static report of the IT enterprise, but rather digs deeper to find the problems, prioritize them to find those that are most exploitable, and, once a problem has been patched, confirm that the problem was truly solved.

[bctt tweet=”A hacker only needs to be right once to wreak havoc on a system.”]

Procuring a commercial end-to-end solution that is diverse, innovative, and scalable can actually help defenders get better by actively probing and exploiting vulnerabilities and measuring the effectiveness of the defenses. A hacker only needs to be right once to wreak havoc on a system and, in this case, the security of a country and the lives of so many. A third party perspective can help federal agencies think like an attacker and find the vulnerabilities before the bad guys do.

However, while cybersecurity is an urgent issue for the US, it is a problem that we must work smarter, not harder, to solve. Not all security solutions are created equal. CIOs and CISOs must look for those that are as (or more) sophisticated as the threat, complement in-house capabilities, provide full access and control, and truly solve the problem. If they do, then it just might be time for that end-of-the-year shopping spree.