Archive for month: May, 2017
Mixed response from IT security pros following release of Cyber Security Executive Order
By Greg Masters
In a week filled with controversy surrounding the Trump administration, including the unexpected and abrupt dismissal of FBI Director James Comey, the president’s executive order on cybersecurity has been somewhat obscured in public forums but has drawn immediate, if mixed, reactions from cybersecurity professionals, who either praise it for providing much-needed guidance or criticize it for falling short.
The Cybersecurity Executive Order (EO), “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” meant to bring efficiency, clarity and additional protections to government IT systems, charges the government with reviewing its cyber posture and pins responsibility for cyber risk on those officials who lead federal agencies.
While some praise the directive for its guidance, others say its guidance falls short.
Phil Dunkelberger, CEO, Nok Nok Labs, says his firm appreciates the sentiment behind the EO and the need to understand the current gaps within the cyber capabilities of the government and where the departments stand from a budget standpoint. And, he acknowledges, there are a lot of good, talented individuals who have been working on these problems for a long time, both behind the scenes and in the spotlight.
But, he told SC Media, “There is really nothing new here, it is a continuation of what we’ve already been doing (and in many cases failing).”
He says the industry needs nothing short of a revolution, citing the cyber EO as an evolution and continuation of the same frameworks and reports put forth the last 10-15 years.
“We have made strides,” Dunkelberger said. “The question is, are we moving fast enough? Unfortunately, the threat factors around us are evolving at a much faster pace. We need to be much more assertive and aggressive as our adversaries aren’t playing by any rules.”
Mike Kail, co-founder and chief innovation officer, Cybric, told SC that the devil is in the details. “We need to focus on modernization and making smart investments versus trying to protect what’s already there and vulnerable. If we keep trying to put controls around critical and failing infrastructure, that’s not a good strategy.”
Instead, he says, “we should take an offensive approach by investing in the modernization of our infrastructure.”
“While the executive order does address some of the potential issues involved with adequately managing cybersecurity risk, the White House still runs the risk of doing too little too late,” Gidi Cohen, CEO, Skybox Security, told SC Media. “Per the order, while the general cybersecurity framework for each agency and department is based on NIST standards, each group is left to define and manage their own cyber risk, leaving the potential for a fragmented and incomplete point of view of the nation’s overall attack surface.”
Attacks – whether from a nation-state, a hacktivist, or a commercialized cybercriminal – target vulnerabilities that provide the easiest path into a network, Cohen said. “Without visibility into the attack surface as a whole, the government is put in the position of reacting to breaches – relying on strong wall defenses and other indicators of compromise to determine a course of action – rather than avoiding them. What’s more, these exposures could be exploited by different parties than most might think.”
State-sponsored activity gets all the attention, Cohen explained, but there are more pernicious threats out there today. These may initially have a lower impact than those involving international espionage but could eventually have an extremely negative effect on national security, public confidence, and our economy, Cohen told SC.
“As the agencies and departments responsible for protecting critical cyber infrastructure now begin to shift their focus to make sure they are aligned with the official White House perspective, it is unfortunate the executive branch hasn’t decided to take a more holistic approach,” Cohen said. “A centralized focus on government-wide indicators of exposure would empower a proactive, unified cybersecurity program. To accomplish that would be no simple task. Just like in the commercial sector, gaining this deep level of understanding is difficult in the ever-shifting cyber landscape.”
Cohen’s prescription for successfully guarding crucial cyber infrastructure has the government making use of every tool it can – including network modeling, attack vector analytics and threat-centric vulnerability intelligence – to identify the most critical exploitable attack vectors in real time. “Once it has been identified, security weaknesses that could enable the continuation of an attack allowing agencies to proactively find and fix exposed security risks before it can be exploited and potentially sold to the growing network of commercialized cybercriminals.”
Daniel Castro, vice president of The Information Technology and Innovation Foundation (ITIF), said, “We are disappointed to see that this executive order is mostly a plan for the government to make a plan, not the private sector-led, actionable agenda that the country actually needs to address its most pressing cyber threats.”
Cybersecurity should be a top priority for the Trump administration, Castro said. “The last administration put together a commission which left a comprehensive set of action items for the new administration to pursue that should have been the starting point for this order. While the executive order checks most of the boxes thematically, it generally kicks the can down the road instead of taking any decisive actions.”
He adds that it’s incumbent upon the administration to implement its stated goals for cybersecurity. “Notably, this order leans heavily on the government for ideas and implementation rather than a public-private partnership approach. This is somewhat surprising given this administration’s belief that the private sector can generally do things better than government.”
Additionally, Castro said, the private sector has the deepest bench of cybersecurity talent, so the federal government will likely need to look outside its ranks to stay on top of these issues.
He does have praise for the White House including much-needed government IT modernization and consolidation as part of the executive order. “While there are many reasons to pursue IT modernization, the administration is likely to have the most success getting this done as a cybersecurity mandate rather than as a push for efficiency.”
“The President’s executive order does not propose a concrete plan for cybersecurity, it merely calls for a top to bottom review of where things stand,” Sanjay Beri, CEO, Netskope, told SC. “While this is a step in the right direction, kicking the can down the road leaves remaining questions about what exactly the administration’s plans are for tackling what has arguably emerged as the single most existential threat to our livelihood: defending our cyber infrastructure.”
What’s more, Beri said, the administration has yet to fill the federal CISO vacancy, leaving the government without a leader at the helm to help implement and enforce security policies and practices. “For a president so concerned about establishing a positive legacy, this seems an obvious – and critical – area to address.”
Mounir Hahad, senior director, Cyphort Labs, told SC Media that there isn’t much to write home about in this executive order. “It is basically asking for a status report from the various agencies of the executive branch, something that should be taking place on a regular basis if our administration were to establish an adequate maturity level and exercise self-introspection as defined by the Carnegie Mellon Capability Maturity Model for organizations.”
However, he said he welcomed the initiative nonetheless and looks forward to what recommendations will be funded from the outcome of all the reports. “I am not sure that the head of any agency has ‘for too long accepted antiquated and difficult-to-defend IT.’ By choice. I hope the reports will shed the light on what regulation has imposed draconian restrictions on the agencies’ freedom to act and stay on top of a threat landscape that changes at neck-breaking speed.”
Philip Lieberman, president, Lieberman Software, told SC that if there is no budget from Congress for the order, it will have little real effect. “All plans have to be funded and accompanied with laws and regulations that are specific. No question cybersecurity is critical, but the devil is in the details and specifics.”
Unfortunately, NIST does not provide specific guidance on how to solve problems, only on pointing out the problems to be solved, Lieberman said. “Some of their guidance is a little off-base and not helpful – for example, they recently put out a report stating that they no longer believe that users should change their passwords regularly.”
Tim Erlin, VP, product management and strategy, Tripwire, said that even with this long-awaited executive order, the essential priorities of cybersecurity remain the same. “We know that maintaining a critical set of foundational controls is a proven strategy for minimizing the attack surface and reducing risk of cyberattack,” he told SC. “Even the most elaborate cybersecurity program can ultimately fail if it doesn’t get the basics right. It’s a positive sign to see the executive order address foundational controls like vulnerability management and secure configuration management.”
Critical infrastructure must be addressed at the highest level, Erlin noted. “The executive order calls for a number of reports to be produced assessing the current state of information security across agencies. The truly telling results will only come after the production of these reports and be measured by the actions they initiate.”
“This is a good step in the right direction,” Jeff Engle, VP, government sector, UDT, told SC Media on Friday. When it comes to assessing the cyber workforce, Engle said he believed the focus is a bit acute on the personnel who may have cyber in their title rather than on the evolution of the general workforce. “Even now we are all part of the cyber workforce and can either be a conduit for vulnerabilities or part of an active defense. Lack of education of both this generation and the next on cyber risk awareness has to be addressed or no technological solution will keep us safe.”
Will Ackerly, co-founder and CTO, Virtru, is glad to see the president focused on bolstering cyber defenses. “It is very reassuring to see the Executive Order call out the need for interagency and international cooperation,” he told SC. “It is also great to see the topic of cloud storage presented so centrally. The cost and collaboration benefits of the cloud are undeniable, and, when combined with data-centric protections, such as strong encryption, government information will be even more secure. Finally, the ‘open and transparent process’ in identifying / promoting action by stakeholders to improve resilience of internet communications is highly encouraging!” Ackerly told SC.
But there’s a caveat. Ackerly believes that the specific methods outlined in the Order are necessary but not entirely sufficient to protect the nation. “Each department should have an experienced CISO in place who may report day-to-day to the agency chief, but should also have accountability to a cross-agency authority. This would encourage collaboration between agencies and ensure that critical information including threat intelligence, vulnerability assessment, and best practices for cyber-defense are rapidly and completely shared.”
Additionally, Ackerly said the Executive Order is missing any mention of intellectual property protection. “While an EO cannot force companies to do things directly, outlining the need for our businesses to have strong privacy protections in place would speak volumes. Government support for these kinds of endeavors would ensure that the fruits of our economic labors are not appropriated by nation state actors or other hostile parties. Until we focus on specific protections for our business and consumer data, including strong encryption, we will continue to be vulnerable.”
Steven Grossman, VP of strategy, Bay Dynamics, told SC that it is great to see that the President’s executive order supports a risk-based approach to cybersecurity. “That means prioritizing agencies’ most valued assets, such as critical infrastructure, and tackling the threats and vulnerabilities that could compromise those assets first. The order makes references like ‘commensurate with risk and the magnitude of harm,’ which ties to the necessity of measuring the mission impact if an asset at risk were compromised and prioritizing mitigation actions based on those that reduce impact the most.”
Further, the EO uses the NIST Cybersecurity Framework as the core framework agencies should follow, Grossman said. This also supports a risk-based approach. However, he added, it may not be detailed enough in the long run.
“Another great feature is that the order promotes accountability, assessment and remediation of cyber risk across many stakeholders in the agency, those in and outside of security,” Grossman said. “Cyber risk management cannot solely be the IT and security team’s problem. Stakeholders across the business from application owners who govern highly valuable assets to upper management who make investment decisions, must be involved in taking action to reduce risk.”
The order contains many positive steps that, when implemented, should significantly help reduce risk, Grossman said. “However, we would like to see more continuous monitoring requirements instead of just periodic compliance-like assessments and remediation. The order should not be viewed as yet another compliance checkmark; it should be a continuous process.”
Finally, Grossman said that focusing on building up skills and competency in the workforce is a critical activity, but there needs to be a more immediate plan in place for response until that ramp-up occurs.
Stephen Coty, chief security evangelist, Alert Logic, agrees that the EO is using a risk-based approach for the U.S. government and its suppliers. “The order is mandating that all departments complete full technology audits and put together a plan for improvement and modernization of their current IT infrastructure,” Coty explained.
“They identify unmitigated vulnerabilities as one of the highest risks facing the executive departments and other agencies. These known vulnerabilities that they’ve identified include operating systems and hardware that are beyond the vendor support lifecycle. They also include declining to implement a vendor’s recommendation on patching and configuration guidance. All agency heads will be held accountable by the president for implementing these risk management measures.”
Coty is keen on the move to the cloud, citing the NIST Framework. “Government can now feel assured that cloud computing is a secure option for storage and access of their data.”
Larry Payne, head of Cisco’s U.S. public sector, told SC Media on Friday that the EO represents a renewed commitment to protecting federal IT networks. “With the NIST Framework as a guide, agencies can improve enterprise risk management capabilities and simplify their approach to security. A key piece of this effort will be continuing the push to modernize government systems, including rooting out unpatchable legacy hardware and better lifecycle management.”
Payne said his company looks forward to working with agency leaders to implement a strategic security approach, rather than deploying project-based solutions in response to incidents or compliance.
The EO is a tall order to accomplish in the timeline set forth, said John Kronick, director, ATG Cybersecurity Solutions, Stratifrom, a PCM Company. “Since the NIST Cybersecurity Framework has been out for several years (2014), it has gone through revision, but has not been implemented on a consistent or comprehensive basis, and the efforts to measure the effectiveness of its use are still under development,” he said. “That being said, it is one thing to initiate a risk assessment utilizing the CSF, but it’s quite another to initiate action to remediate the issues identified in the risk assessment.”
Kronick listed a number of steps that should be taken, including:
- initiating mandatory CSF training for agency executives, risk managers and cybersecurity staff;
- developing a uniform method for assessing the effectiveness of the CSF implementation and use;
- requiring mandatory escalation of critical and high-risk issues such that they are resolved in a timely manner;
- initiating cybersecurity awareness training for all citizens, making it mandatory for all employees and workers of federal agencies and critical infrastructure entities – and requiring it more frequently than once per year;
- establishing a cybersecurity training and recruiting program to facilitate short-term and long-term staffing within the agencies;
- requiring budgetary funding for remediation of CSF findings/gaps such that agencies will execute remediation measures with sufficient budget for tools, resources, etc.
As well, he said, metrics should be established for centralized tracking of agency CSF risk assessments, along with a centralized risk register to track remediation efforts.
Trump Executive Order Tackles Concerns About Cybersecurity
By Kelly Phillips
On the same day that Daniel R. Coats, Director of National Intelligence, testified at a Senate Intelligence Committee hearing about the danger of cyber threats to our national security, President Donald Trump signed an executive order intended to “strengthen the cybersecurity of federal networks and critical infrastructure.”
Cybersecurity has been a concern for many Americans of late – not just because of allegations of Russian hacking during the elections – but also because of the increased risk at home. Phishing and identity theft, for example, were #1 and #3 respectively on the Internal Revenue Service (IRS) list of the Dirty Dozen Tax Scams for 2017.
In response to increased concerns, Trump touted cybersecurity as an issue during his campaign. Shortly before taking office, in January, he promised, “I will appoint a team to give me a plan within 90 days of taking office… Two weeks from today I will take the oath of office and America’s safety and security will be my number one priority.”
On his 111th day in office, the President finally delivered. The order focuses on three areas:
- Cybersecurity of Federal Networks
- Cybersecurity of Critical Infrastructure
- Cybersecurity for the Nation
Cybersecurity of Federal Networks.
To address cybersecurity of federal networks, the order requires the heads of each federal agency to use The Framework for Improving Critical Infrastructure Cybersecurity (the Framework) developed by the National Institute of Standards and Technology (NIST) to manage cybersecurity risk. Each federal agency will also be required to provide a risk management report for evaluation within 90 days. The report will include, among other things, “unmet budgetary needs necessary to manage risk to the executive branch enterprise.”
The order also directs federal agencies to show a preference for shared IT services, where allowable and feasible, including email, cloud, and cybersecurity services.
Security of federal agencies has been a concern following hacks which included the theft of more than 20 million records from the Office of Personnel Management (OPM) and attacks on individual taxpayer records at the Internal Revenue Service (IRS).
Cybersecurity of Critical Infrastructure.
When it comes to critical infrastructure (think power grids, water, and telephones), the order calls for a report on those infrastructures which are at “greatest risk of attacks that could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.” The report, which is to be submitted within six months, must also identify how risks to those systems could be mitigated.
The order also requires that strategies be developed to reduce cyberthreats perpetrated by botnets. Botnets can basically “hijack” computers for the purpose of carrying out automated tasks such as stealing valuable information and launching distributed denial of service (DDoS) attacks.
An issue that has been raised multiple times – the specter of a prolonged power outage associated with a significant cyber incident – is also addressed in the order, which calls for an assessment of not only the potential scope of such an outage but also the readiness of the country to manage such an event. The order requires similar assessments be made with respect to a cyber attack on the military, including its supply chain, systems, networks, and capabilities, along with recommendations for mitigating those risks.
Cybersecurity for the Nation.
Finally, the order calls for developing a strategy for “deterring adversaries and better protecting the American people from cyber threats.” The strategy is expected to include education and training for the “American cybersecurity workforce of the future.” The order also seeks to establish policies that will serve as deterrents for foreign nations targeting Americans, a move some suggested might be a direct response to the allegations of Russian hacking. At a press briefing held earlier today, White House Homeland Security Adviser Tom Bossert downplayed that suggestion, noting “the Russians are not our only adversary on the internet.”
You can read the order here.
Responses have been mixed. Some security experts welcomed the order as a good start while others suggested it was merely “a plan to make a plan.”
“This is a good step in the right direction,” said Jeff Engle, VP, Government Sector, UDT in response to the order. “When it comes to assessing the cyber workforce I think the focus is a bit acute on the personnel who may have cyber in their title rather than the evolution in the general workforce. Even now we are all part of the cyber workforce and can either be a conduit for vulnerabilities or part of an active defense. Lack of education of both this generation and the next on cyber risk awareness has to be addressed or no technological solution will keep us safe.”
The Information Technology and Innovation Foundation (ITIF), the top-ranked U.S. science- and tech-policy think tank, issued a statement which began, “We are disappointed to see that this executive order is mostly a plan for the government to make a plan, not the private sector-led, actionable agenda that the country actually needs to address its most pressing cyber threats.” The statement went on to say, “We’ll have to wait to see how well this administration can implement its stated goals for cybersecurity. Notably, this order leans heavily on the government for ideas and implementation rather than a public-private partnership approach. This is somewhat surprising given this administration’s belief that the private sector can generally do things better than government. Moreover, the private sector has the deepest bench of cybersecurity talent, so the federal government will likely need to look outside its ranks to stay on top of these issues.” ITIF concluded, however, that it is “a good sign though that the White House included much-needed government IT modernization and consolidation as part of the executive order.”
(Author’s note: The article has been updated to include a statement from Jeff Engle, VP, Government Sector, UDT.)
As Fafsa Tool Outage Continues, Lawmakers Investigate Why It Happened
By Adam Harris
The Internal Revenue Service’s data-retrieval tool will be back online for borrowers in income-driven repayment plans by the end of the month, James W. Runcie, chief operating officer of the Education Department’s Federal Student Aid office, told a U.S. House committee on Wednesday. But he offered no respite to those who would like to use the tool to fill out the Free Application for Federal Student Aid, the Fafsa, as it will continue to be offline, for them, until October.
The tool mysteriously and abruptly went offline on March 3. It was later revealed that the tool’s absence stemmed from a breach that may have affected the data of up to 100,000 people. The IRS estimates that 8,000 potentially fraudulent claims led it to issue tax refunds amounting to more than $30 million. Wednesday’s hearing, of the Committee on Oversight and Government Reform, sought to uncover how the breach of the tool had occurred, but ultimately, it raised more questions than it answered.
Lawmakers in both the House and the Senate have pushed the IRS and the Education Department to hasten the process of getting the tool back online for both Fafsa applicants and people in income-driven repayment plans.
On Monday, Sen. Lamar Alexander, Republican of Tennessee, and Sen. Patty Murray, Democrat of Washington, requested weekly staff briefings on the status of the tool in a letter to Betsy DeVos, the education secretary. The two senators, who serve as the chair and ranking member, respectively, of the chamber’s education committee, also asked that the department create an action plan to reinstate the tool before the previously stated deadline of October.
“It’s definitely a good sign that they are working to put the … tool back online as quickly as possible,” said Clare McCann, a senior policy analyst at New America, in an interview with The Chronicle. But it’s bad news for the millions of Fafsa filers who won’t be able to use the tool — which makes the process much easier because it imports existing tax data — to file the student-aid form, she said.
The Path Not Taken
Some legislators on the committee argued a different point, echoing the written statement of Justin S. Draeger, president of the National Association of Student Financial Aid Administrators. “Perhaps most troubling” about the current status of the tool, he argued, “is the fact that this situation could have been avoided with better decision making in September 2016, when the potential for abuse of the DRT was first identified.”
Why, they asked, was something not done sooner?
Gina Garza, chief information officer at the IRS, told the committee that her agency “took immediate action” and that no data was lost in September, when an attempt was made to view the tax data of an individual using the tool. The IRS began working with the Department of Education in October to strengthen authentication measures in the system.
The Federal Student Aid office “sought to determine the best approach to minimize the vulnerability” — that the IRS had identified — “without causing major disruption to students, parents, and borrowers,” Mr. Runcie wrote in his prepared testimony.
The agencies agreed to keep the tool in use while the IRS increased monitoring to detect suspicious activity. In February an IRS employee told the agency that the data had been compromised. The tool was eventually taken offline in March, when there was clear evidence that the tool had been used for criminal activity.
“The problem is that people don’t understand where to start in terms of securing their platforms, and what to protect,” said Mike Sanchez, a cybersecurity expert who was part of the initial team that investigated the Office of Personnel Management’s breach, in 2015. “They want to protect against everything,” which is impossible for technical and logistical reasons. Instead, agencies should zero in on specific problems as opposed to letting them build into major incidents, said Mr. Sanchez, now chief information-security officer at UDT.
“We did not take lightly the decision to disrupt the DRT,” said Ms. Garza, adding that she believes the IRS made a sound decision, and that protecting taxpayer data is the agency’s highest priority.
“While the IRS was able to identify 100,000 individuals impacted by the data theft, it may not be possible to measure the impact of the DRT outage on students who may have missed a financial-aid deadline or never even completed a financial-aid application because of this issue,” wrote Mr. Draeger.
At the conclusion of the hearing, some legislators said they were upset that Congress had not been alerted to the breach sooner, and with the winding responses of the people who testified. “It has been extraordinarily difficult to get any kind of specific answer out of any of you,” said Virginia Foxx of North Carolina, chair of the House education committee.
In a memo issued on Wednesday, the Education Department said it would provide further details about a solution and its impact on students and borrowers in the “coming weeks.”