Securing Off-The-Shelf IT
In the first of a two-part interview with GovInfoSecurity.com managing editor Eric Chabrow, Gilligan explains the importance of core configuration, and the challenges the government faces in expanding the program to other types of information and communication technologies.
A primary barrier, Gilligan says, is overcoming the culture of each agency deciding how it deems best to procure and secure its IT. "The term personal computer is just more than a description of a particular brand of machine, but it is really how people think of it. It is my computer, it's my organization, and no one outside will tell me how to operate," Gilligan says.
Gilligan also served as CIO at the Energy Department, and now heads his own consulting firm, the Gilligan Group. But he remains a big influence on government IT. He led a consortium of federal agencies and private organizations in developing the Consensus Audit Guidelines that define the most critical security controls to protect federal IT systems and coauthored the influential Commission on Cybersecurity for the 44th Presidency report from the Center for Strategic and International Studies, a Washington think tank, that's helping shape federal cybersecurity policy.
ERIC CHABROW: What are the major challenges agencies and departments facing in securing their IT systems and data?
JOHN GILLIGAN: One of our biggest challenges is the fact that we have not been treating security as an integral part of the operations and management of our systems and network. Despite the longtime recognition that security needs to be built in, we still have a tendency to treat security as an adjunct, as an add-on and so let me give you an example.
In the Air Force, we attacked the security in our infrastructure but we did it as an integral part of how we were addressing the need for better discipline and the management of our systems and networks. Out of that grew what eventually became the Federal Desktop Core Configuration, which in one sense is very much focused on trying to improve security. But the operational benefits in terms of reduced cost of ownership, the reduced purchase price, improved operational availability are very, very significant and, in fact, you would do these things if only to get the operational benefits, but there are also pretty significant security benefits.
Often, what we do in security seems to be very focused just on security. What we end of up doing is putting Band Aids on fundamental weaknesses that really need to be addressed in terms of additional discipline, additional rigor. That is the one that I would focus on maybe first. It has enormous benefits and it is sort of foundational.
What you end up with (is a) kind of a well-managed infrastructure against what you can then begin to address the more sophisticated type of security issues and concerns.
Obviously, you need to move into that arena because well-managed infrastructure does not in and of itself make you secure. But it lets you have the opportunity to have a chance to start to address some of the more sophisticated threats because you have dampened out the obvious errors, flaws and misconfigurations, for example, just lack of discipline and how systems are added to your network, etc., they become just gaping security vulnerabilities.
CHABROW: Do you see core configuration moving beyond desktops?
GILLIGAN: In the Cybersecurity for the 44th Presidency Commission report, we recommended that all software and hardware be configured against, call it a lock-down configuration, that removes features that are not necessary for operation, that enable the security controls that one would normally expect in an environment, and that those hardware and software configurations are preinstalled before the systems are put in operation and that there are automated tools to ensure that those configurations are maintained. The desktop and the server were really just the first step.
I give credit to my successors. They had to put in place a governance process whereby they rolled out this lockdown configuration for desktops and servers. They were also testing all of the applications to see what applications had problems in operating correctly against this new configuration. The discipline part of it was then going to the commercial providers of those applications - or in some cases, the in house providers - and requiring that they fix their systems so that they didn't depend on features that were no longer enabled in the lockdown configuration.
Once you start to get that type of discipline and process, you are many steps down the road to taking on the databases and the other software and hardware elements. You start to have a governance process and an expectation that this is how we are going to business. It is not acceptable that you unilaterally develop or assume that applications will be able to be supported and features would introduce security vulnerabilities.
CHABROW: What challenges do you see within government in getting this accomplished?
GILLIGAN:. One is just the will to do it. The back pressure is cultural; it's very strong, I saw it within the Air Force and to those that I have talked to in other government organizations. There is a culture within our IT community that says it is preferable and beneficial to let individual organizations be able to do their own configuration.
As you tighten down discipline and remove the flexibility from individual organizations to be able to modify their configurations, there is a lot of resistance. That is the biggest challenge by far, just getting past what has been the kind of prevailing culture with regard to information technology, which is grown up out of the client server technology. The term personal computer is just more than a description of a particular brand of machine, but it is really how people think of it. It is my computer, it's my organization, and no one outside will tell me how to operate.
In the Air Force, or other parts of the Department of Defense, there is nothing that is so essential to the mission that we delegate to each organization (the) configure of your systems, that you operate and maintain them according to your local prerogatives and customs, We don't do that. The consequences are significantly increased costs, but more importantly, often there is an operational impact in the failure to be able to support the mission.
CHABROW: Is this something that can be handled by the Office of Management and Budget or is this something that needs to have a higher-type of leadership?
GILLIGAN: OMB is in a good position to provide much of the stimulus for this. As there is a lot of discussion now about what is the role of the White House in this, (we should have) someone visible, strong and respected in the White House who would be able to articulate these needs. Our fundamental economic and national security depend on it, helps us get past some of the cultural resistance so it is not just a government bureaucrat to another government bureaucrat with, "I've got another good idea." The objective is not just our government systems; we need to do this exactly the same across our industries, state and local governments. The federal government is not the only objective; this really is a national issue.