Home » The Art of Data Protection » Coming Full Circle: White House Re-sets Cybersecurity Priorities
Coming Full Circle: White House Re-sets Cybersecurity Priorities
April 4, 2012, 10:05 am EDT
Information week recently compiled a few sound bytes from cybersecurity coordinator Howard Schmidt, who has “set an agency-wide goal for agencies to implement priorities to help protect federal IT systems against cyberattack.”
Many have criticized the White House cybersecurity leadership for being slow to ignite positive change in the security posture of the federal government. But lets face it, there are over 1,300 distinct organizations across the three branches of the federal government. This challenge will not be solved over night, nor in a single term of office. This is a multifaceted, budget constrained and red tape laden ecosystem of old and new mindsets and technology. Impacting cultural change will take very distinct mandates with aggressive timelines.
On the surface, it sounds like we are in a very similar place we were nearly four years ago. Reactionary. Focused on fighting battles at the perimeter. Loosing ground to an agile and well-funded adversary.
The article dives slightly deeper into the priorities, stating that by 2014 nearly all of federal organizations would achieve utilization in the following areas:
1.) Consolidating External Connections – a.k.a. Trusted Internet Connection or OMB Memorandum M-08-05 originally issued in 2007. Reducing the attack surface from 4300+ connections down to less than one hundred will enable programs like Einstein (NCSP) to achieve operational relevance.
Anyone in the industry will tell you this is a good idea. The question is: Can you cost effectively monitor the entire federal governments network traffic and identify even a minority of the attacks?
2.) Continuous Monitoring – Overall improvement in situational awareness moving away from static compliance review to dynamic or even real time assessment of controls and operations. Last September, OMB released a memo mandating the use of CyberScope for both manual and automated FISMA reporting.
This is a good start! Through the use of CyberScope, OBM can at least cut the paper pushing. Automation will prepare agencies to exchange information but it is presently limited in scope (no pun intended). At the heart of CyberScope is the Security Content Automation Protocol (SCAP) which is focused on configuration management in primarily windows environments. Hopefully future versions of SCAP will expand to include network devices, storage and other cyber intelligence related data (for example: Malware focused “MAEC” and attack data focused “Cyber Observables” or “CybOX”).
3.) Improved use of Strong Authentication, Digital Signing and Encryption – Implemented properly, these initiatives can dramatically reduce the attack surface. Comprehensive adoption of certificate based authentication, in conjunction with expanded use of digital signing and data encryption establishes a strong security foundation.
This foundation will improve the federal governments ability to guard mission critical and private citizen data while contributing to situational awareness. Correlating access logs, metrics from enterprise key management systems and audit trails from data encryption tools can provide a unique view of user and service level behaviors. This “data centric” monitoring approach could empower analysts to improve security controls, identify insider threat and capture exploits targeting weak applications without the limitations and overhead of processing terabytes of network packet capture.
Imagine the work involved in rolling out just one of these efforts across a single agency, let alone thirteen hundred. The federal agencies, Howard Schmidt and the White House have their work cut out for them. With the budget constraints and limited resources at their disposal staying on target will be critical. Making the 2014 goal is optimistic. The next few years will be interesting to watch. Just keep on target… distinct mandates and aggressive timelines.
Back to The Art of Data Protection blog homepage.This entry was posted in Authentication, Crypto, Cybersecurity, Data Breach, Government and tagged compliance, cybersecurity, Data Encryption, Enterprise key management, multi-factor authentication, strong authentication by Chris Ensey. Bookmark the permalink.
Andrew Gertz May 15, 2015, 04:25 pm UTC
Doron Cohen March 13, 2013, 08:15 am UTC
SafeNet April 2, 2015, 10:30 am UTC