In the wake of recent intrusions into government systems, it is difficult to identify anyone who believes defenders have the advantage in cyberspace. Digital adversaries seem to achieve their objectives at will, spending months inside target networks before someone, usually a third party, discovers the breach. Following the announcement, managers and stakeholders commit to improving security, yet offer few reasons to justify their optimism.
It is time for governments at all levels to embrace a new strategy for defending information. That strategy should focus on finding and removing intruders already in the network, not shoring up defenses against adversaries assumed to be waiting to attack.
To understand why this strategy change is needed, consider history. In 2007, the public learned of a serious 2006 intrusion at the United States Department of State. The fallout is familiar: outrage over an intrusion affecting government systems, China suspected as the culprit, and questions regarding why the government’s approach to security does not seem to be working.
Following that breach, the State Department hired a new chief information security officer (CISO), who pioneered the Continuous Monitoring (CM) program. CM later became Continuous Diagnostic Monitoring (CDM), later renamed Continuous Diagnostics and Mitigation.
CDM is at heart a find-and-fix-flaws-faster program. The key idea was to move from a paperwork-centric exercise called certification and accreditation, or C&A. This program essentially relied on a survey of security practices taken at three-year intervals. CDM, in contrast, involves active scanning of agency computers, looking for software flaws, vulnerabilities, and misconfigurations. The goal is to scan systems within a set period, preferably 72 hours, report the results centrally to the Department of Homeland Security (DHS), and then patch or close the holes.
The CDM-pioneering CISO eventually left State for DHS in 2012, and championed CDM for the rest of the federal government. He is now retired from federal service, but CDM remains. Years later, we’re reading about another breach at the State Department, as well as the recent intrusions into the Office of Personnel Management (OPM). CDM is not working. Why?
CDM is a necessary part of a security program, but it should not be the priority. CDM is an improvement over C&A, but there is a conceptual flaw to CDM. The CDM strategy is “if we find and fix flaws faster, we will be secure.” Unfortunately, this strategy fails for three reasons. First, it is not possible to eliminate all of the means by which an intruder can achieve unauthorized access. Second, because not all flaws can be fixed, intruders can penetrate agency networks. Third, finding and fixing flaws faster does not have any impact on intruders who are already inside the network.
In brief, security strategy should not prioritize closing and locking a house’s doors and windows while there are intruders inside. Accordingly, I recommend a detect-and-respond strategy first and foremost, with CDM a lesser priority.
Some of the pieces needed for this strategy change are already in place or at hand. In order to identify intruders, government defenders need technical systems to find them. To this end, DHS has been deploying the so-called Einstein platform across federal networks for the last decade. Concurrently with the OPM breach, DHS decided to speed up installation of the latest iteration, called Einstein 3A. Einstein 3A is a combination of government-coded software and private sector offerings operated by the large telecommunications companies that operate networks for civilian government agencies.
Unfortunately, Einstein deployment has been hampered by a combination of challenges—sequestration, privacy worries, and bureaucratic turf battles. In light of the OPM breach, DHS plans to have Einstein 3A in place by the end of 2016, instead of 2018. DHS must accelerate deployment to mitigate the risk, and the platform needs to be updated to match the capabilities of the threat. While Einstein is not the solution to the government’s security woes, it would provide enhanced visibility and situational awareness to government defenders.
Beyond Einstein, however, the government needs a thorough “security checkup.” Specialized defensive “hunt” teams should immediately begin checking federal networks for signs of adversary activity and remove the threats they will inevitably discover. This will be tedious and time-consuming work, but other government components, such as the Department of Defense, routinely conduct these operations. It’s time to realize that civilian networks are just as desirable a target as their military or intelligence community counterparts.
Finally, there is no need to stop the CDM program. It makes sense to find and fix flaws faster. However, that work should proceed in parallel with efforts to enhance visibility and enable network hunters to remove foreign hackers.
The federal government and the citizens it serves deserve a security strategy that works. The approach I offer here aligns with the sort of counter-intrusion campaigns I have personally led, and which my colleagues implement for private sector organizations around the world. It’s time for a change. We do not need any further wake-up calls.