No-Brainer: How Agencies Can Secure IT
Former Air Force CIO Jim Gilligan Explains How
By Jim Gilligan
Why is it so difficult to provide security for our government computer-based systems?
To understand the answer to this question, it is important to examine the enormous complexity of the problem. Cyber attacks focus on vulnerabilities that can and do exist in every hardware and software component. Each federal department has hundreds of thousands or in some cases millions of these hardware and software components. The actual vulnerabilities that become the avenues for cyber attack are contained in the logic statements that comprise each and every one of the hardware and software components used by each government organization.
Also, each of these components has an enormous number of logic statements. For example, there are well over a million logic statements in even a simple operating system. To achieve a fully secure system, one must ensure that all of these hardware and software logic statements are both perfectly correct and that they cannot be manipulated to compromise security. This requires correctness of many trillions of logic statements. It is important to know that a single logic error can become the entry point and the pathway for a successful attack against an entire enterprise.
We must recognize and deal with the situation that there are many thousands of vulnerabilities in our fielded hardware and software systems that can be exploited by a range of adversaries, from malicious individuals and criminals with modest skill levels to organized crime and nation-state actors who in many cases have greater skill levels.
The Federal Information Security Management Act of 2003 was a positive step in improving security within the government. The law established the imperative for federal managers to put strong emphasis on cybersecurity. The bill highlighted the need to use a risk-based approach to identify and implement the minimum controls and to establish an independent review process.
While FISMA has many positive elements, the implementation of FISMA has been less than fully effective. For example, rather than focusing on minimum controls as required in FISMA, the Office of Management and Budget policy guidance to federal agencies has been to implement the entire catalog of controls - over 300 separate controls - published by the National Institute of Standards and Technology. This is not possible for any government agency of any size and has resulted in a "scattershot" approach to improving security.
Moreover, the strong desire to measure and grade federal agencies has resulted in placing emphasis on characteristics that could be easily measured rather than on controls and activities that best reflect effective security.
FISMA: The Treadmill Effect
In general, the required FISMA metrics were manually generated, had little correlation to actual security, and were costly to produce. In addition, the areas emphasized in the metrics did not encourage investments or improvements that would have a long-lasting effect on security. The implementation of FISMA has been like getting on a treadmill as a means to go to a destination, such as the store or school or church. A treadmill is great if all you want is exercise, but it is not the way to reach a destination. In the implementation of FISMA, the federal government has certainly burned a lot of calories, but we are still a long way from reaching our destination of dramatically improved security for federal systems.
While total security is beyond our current reach for the foreseeable future, there are many things that we can and should do to dramatically reduce our vulnerability to attacks, especially from those attackers who are relatively unsophisticated. Studies have shown that relatively unsophisticated attackers account for the majority of current attacks - about 80 percent of all attacks as assessed by the National Security Agency.
Despite literally billions of dollars spent each year to improve the security of cyber systems in the federal government, we have not been able to implement the basic safeguards that can address what has been assessed as the majority of the threat, the relatively unsophisticated attacker. The root causes for this failure in my view are the following:
- We have not provided sufficient focus for our government security investments, preferring instead to let individual organizations determine where to make investments. Given the complexity of the cyber problem just described and the enormous difficulty of assessing cyber attack risks, it is not surprising that this approach has resulted in well-intended but poorly focused efforts in most government agencies.
- The government has been slow to take advantage of available automation in a coordinated manner. Sure, the government has bought lots of tools, but their usage is poorly aligned and not integrated. This has resulted in major gaps in security that have become the avenue for attacks.
- We have relied far too heavily on manual methods to monitor and evaluate technical aspects of cybersecurity when the complexity of the government cyber environment makes these manual methods ineffective.
While we don't have the ability to produce totally secure systems, we do have the ability to implement the basic safeguards needed to protect our cyber systems from the relatively unsophisticated attacker: the 80 percent portion of the threat. Recent collaborative efforts among government and the private sector have resulted in guidance for organizations to help focus on the top priority security control areas and to make effective use of automation. This collaborative consensus effort among these experts produced a guideline entitled 20 Critical Controls for Effective Cyber Defense: Consensus Audit Guidelines. This document describes the 20 most frequent cyber attack patterns and the controls that are needed to protect against these attacks.
While these so-called "good hygiene" control areas will not ensure that the trillions of logic statements are absolutely correct, they provide the solid foundation level of security needed to thwart relatively unsophisticated attackers: the 80 percent of the problem. The 20 critical controls are not intended to provide absolute security, but implementing them has proven to dramatically improve the ability of complex systems to withstand the majority of attacks.
Implementing such good-hygiene security controls has additional benefits: when an organization implements an automated capability to register and enforce tracking of software and hardware components, agencies are better able to manage expensive license agreements and to accurately manage their inventory of cyber devices. The bottom line is that a cyber system that implements good hygiene through a solid foundation of controls is a lot cheaper to operate.
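The paragraph above describes an automated inventory of hardware and software components and the license-management benefit that falls out of it. The following is an added example, not code from the article or from the 20 Critical Controls guideline itself, showing the core reconciliation step such a capability performs: an authorized inventory is compared against what an automated scan actually discovered, producing the two findings a defender cares about (devices and software present but never authorized) and the two findings a budget owner cares about (licensed seats exceeded, and paid-for seats sitting unused). All device identifiers, host names, product names and seat counts are constructed for the example.

```python
from collections import Counter

# Constructed sample data (not from the article). In practice the authorized
# inventory comes from the asset register and the discovered list from
# network discovery plus endpoint agents.
AUTHORIZED_HARDWARE = {           # device identifier -> registered host name
    "00:11:22:33:44:01": "ws-001",
    "00:11:22:33:44:02": "ws-002",
    "00:11:22:33:44:03": "srv-001",
}
AUTHORIZED_SOFTWARE = {           # product -> licensed seat count
    "Office Suite": 2,
    "PDF Editor": 1,
    "Backup Agent": 3,
}
DISCOVERED_HOSTS = [              # what the automated scan actually found
    {"mac": "00:11:22:33:44:01", "hostname": "ws-001",
     "software": ["Office Suite", "Backup Agent"]},
    {"mac": "00:11:22:33:44:02", "hostname": "ws-002",
     "software": ["Office Suite", "PDF Editor", "Backup Agent"]},
    {"mac": "00:11:22:33:44:09", "hostname": "unknown-laptop",
     "software": ["Office Suite", "Remote Desktop Tool"]},
]


def reconcile_hardware(authorized, discovered):
    """Return (unauthorized, missing): devices seen on the network that were
    never registered, and registered devices the scan did not find."""
    seen = {host["mac"] for host in discovered}
    unauthorized = sorted(seen - set(authorized))
    missing = sorted(set(authorized) - seen)
    return unauthorized, missing


def reconcile_software(authorized, discovered):
    """Return (unauthorized, over_licensed, unused_seats).

    Installed seats are counted on every discovered host, including
    unauthorized ones, because a vendor audit counts them the same way."""
    installed = Counter(pkg for host in discovered for pkg in host["software"])
    unauthorized = sorted(pkg for pkg in installed if pkg not in authorized)
    over_licensed = {pkg: installed[pkg] - seats
                     for pkg, seats in authorized.items() if installed[pkg] > seats}
    unused_seats = {pkg: seats - installed[pkg]
                    for pkg, seats in authorized.items() if installed[pkg] < seats}
    return unauthorized, over_licensed, unused_seats


def build_report(authorized_hw=AUTHORIZED_HARDWARE,
                 authorized_sw=AUTHORIZED_SOFTWARE,
                 discovered=DISCOVERED_HOSTS):
    """Combine both reconciliations into one dictionary a dashboard or ticketing
    system could consume."""
    hw_unauthorized, hw_missing = reconcile_hardware(authorized_hw, discovered)
    sw_unauthorized, sw_over, sw_unused = reconcile_software(authorized_sw, discovered)
    return {
        "unauthorized_devices": hw_unauthorized,
        "missing_devices": hw_missing,
        "unauthorized_software": sw_unauthorized,
        "over_licensed": sw_over,
        "unused_seats": sw_unused,
    }


if __name__ == "__main__":
    for finding, value in build_report().items():
        print(f"{finding}: {value}")
```

Running this over the constructed data flags the unregistered laptop and its unapproved remote-access tool as security findings, while the same pass shows one Office Suite seat over the license and one Backup Agent seat paid for but uninstalled, which is exactly how a single automated inventory serves both the security and the cost argument the article makes.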
The Ultimate "No Brainer"
My experience in the Air Force convinced me that implementing good hygiene has such a positive impact on cost of operations that the security benefits are achieved with cost savings, not additional costs. This raises the question of why any CIO or government manager would not immediately rush to implement these controls. After all, implementing the controls gives you better security, better system availability, and lower cost. This is an example of the "ultimate no brainer" for a CIO.
If this is such a "no brainer", then why have government and industry organizations not been more aggressive in implementing these controls? First, all organizations, but government organizations in particular, are unwilling to deviate from policy mandates.
A second reason for the failure to implement these controls is a bit more subtle. Implementing such a disciplined cyber environment will result in the lessening or elimination of autonomy of individual users as well as local system and network administrators. Local administrators can no longer tinker with the configurations to "optimize" the system. However, removing this autonomy from users and local administrators goes to the heart of the culture surrounding computer technology. Local administrators believe that they know best how to operate and secure local systems to meet their local mission needs. This is not a case of individuals being malicious, nor is this cultural phenomenon unique to government. Very strong leadership is required to counter this cultural resistance in order to implement an organization-wide cyber environment that provides the disciplined foundation controls. The most senior officials in government organizations must unequivocally endorse these changes to overcome the cultural resistance.
Proposed FISMA reform legislation does an excellent job in responding to the needs for improving the security of our federal government systems. Putting the focus for coordinating our nation's cybersecurity in the White House, in the National Office for Cyberspace, ensures that we have the focused attention on cybersecurity and leadership from the most senior levels in government to help overcome organizational and cultural resistance. Moreover, the bill's proposed Federal Cybersecurity Practice Board provides the necessary expertise and authority to help the director of the National Office for Cyberspace develop effective policy guidance and standards.
What is needed at this point is policy to focus government organizations on how to apply the excellent NIST guidelines. The emphasis in the bill on minimum controls and the use of automation to continuously monitor the controls is properly aligned and much needed. The bill addresses an often overlooked area, the need to leverage the government's acquisition buying power to require dramatic improvements in the security and reliability of software and hardware products. As we found with the Federal Desktop Core Configuration initiative, this type of action not only results in improved products for the federal government but also in more secure products that can be purchased by the private sector as well.
While total security is beyond the state of the art, there are a number of practical and cost-effective approaches that can be taken to mitigate the majority of attacks against our government cyber systems.