Chief information security officers must balance mission requirements against threats to vital data.
From the document leaking website WikiLeaks to the rise of smartphone computing, chief information security officers are confronting ever more threats to the data they are responsible for protecting. The number of attacks against federal networks increased nearly 40 percent in 2010, while the number of incidents targeting U.S. computers overall was down roughly 1 percent for the same period. To manage risks, CISOs are gradually changing the way they watch and respond to intrusions by electronically scanning systems to remotely detect abnormalities in near real time. But they do not have the full picture yet.
For starters: The security settings on those Apple iPad tablets and Android-based smartphones that employees want to use for business and pleasure are hard for network administrators to control. "The adoption rate of consumer devices has presented a significant challenge across the government," acknowledges Jerry Davis, deputy assistant secretary for information security at the Veterans Affairs Department.
But CISOs cannot stop federal officials from conducting business via mobile devices, as President Obama proved when he refused to part with his BlackBerry upon taking office. "The consumerization of the tablets and the smartphones is bringing those devices into the enterprise before the enterprise is really ready for them," says Patrick Burke, senior vice president of the national security sector at SRA International. "There are capabilities that will be able to give them a situational awareness and at the same level they have with intrusion detection . . . the market is trying to deliver these capabilities, but it's not there yet."
Last year, while serving as NASA's deputy chief information officer for information technology security, Davis stepped into the spotlight by issuing a departmentwide memo rolling back requirements for periodically certifying network security compliance so managers could concentrate on automating the process. The Office of Management and Budget required agencies in January to begin electronically submitting monthly snapshots of their security posture to CyberScope, an online application that analyzes the vulnerability of IT assets governmentwide. But not every agency has the tools in place yet to do this digitally. And even agencies capable of computerized monitoring do not have the pulse of every threat vector.
For example, VA can remotely check desktops for the installation of bug fixes, updates to antivirus programs, operating system vulnerabilities and glitches in applications. But not all mobile devices are capable of connecting to the network that performs this surveillance work.
Inspectors general flagged continuous monitoring as one of the weakest performance areas in the White House's latest report on agencies' compliance with the 2002 Federal Information Security Management Act. Of the 24 major departments and agencies, two had no such program and 15 were not compliant with all the proper procedures. Managers at many of those 15 departments were not assessing security controls on an ongoing basis.
For its continuous monitoring program, the Army has scanning machinery in place to collect security stats from most IT assets. But the service is still working on translating those observations into action. "The beauty of the design for continuous monitoring is you get to see, know and do," says Michael J. Jones, chief of the emerging technologies division within the Army's CIO/G6 Cyber Directorate. The "know" elements "give the commander a better understanding of which vulnerabilities are a priority." As for "do," he adds, "that's where the leaders in the Army get paid the big bucks."
Jones expects continuous monitoring to be fully deployed and operational in 2013. "We're doing the best we can right now, as well as knowing the best we can," he says. "What we don't have right now is the ability to do that in an automated fashion."
The knowing part involves, for example, remotely tracking a system's compliance with the Army's standard security settings for PCs. Every weakness that the monitoring application uncovers is given a risk score: the higher the score, the higher the threat. The grades help officers prioritize their responses. Last fall, the Army conducted a pilot for the "know" component and was successful in scoring more than 20,000 IT assets.
But the pilot revealed that the scores aren't that useful for doing anything without knowing which Army organization is responsible for fixing the vulnerabilities identified. "I couldn't say that these letters, here, are Jones' responsibility versus Margaret's," Jones explains.
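The two pieces Jones describes, scoring each weakness and then tying it to the organization that must fix it, fit in a short triage routine. The following is an added example, not the Army's or VA's actual tooling: the assets, organizations, checks and the age-weighted scoring formula are all constructed for illustration.

```python
"""Toy continuous-monitoring triage: score each finding, roll scores up per
owning organization, and flag findings that no organization owns.
Added example; assets, owners and the scoring weights are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str      # hypothetical asset identifier from the scanner
    check: str      # e.g. "missing-patch", "av-signatures-stale"
    severity: int   # 1 (low) .. 10 (critical), as the scanner reports it
    days_open: int  # how long the weakness has gone unremediated


# Hypothetical asset-to-organization map; in practice this comes from the
# asset inventory. Note that "lap-0101" is deliberately absent.
OWNERS = {"pc-0017": "Org-A", "pc-0042": "Org-A", "srv-0003": "Org-B"}

# Constructed scan output standing in for the monitoring application's feed.
SAMPLE_FINDINGS = [
    Finding("pc-0017", "missing-patch", severity=7, days_open=12),
    Finding("pc-0042", "av-signatures-stale", severity=4, days_open=3),
    Finding("srv-0003", "os-vulnerability", severity=9, days_open=35),
    Finding("lap-0101", "application-glitch", severity=5, days_open=0),
]


def risk_score(f: Finding) -> int:
    """Higher means more urgent: severity weighted by how long it has been open.
    The age factor grows by one for every 10 days, capped at 30 days (1..4)."""
    age_factor = 1 + min(f.days_open, 30) // 10
    return f.severity * age_factor


def triage(findings, owners):
    """Return (per-org totals, highest first) and the findings nobody owns.

    The unowned list is the gap the pilot exposed: a score is only actionable
    once it can be handed to the organization responsible for the asset."""
    per_org = defaultdict(int)
    unowned = []
    for f in findings:
        org = owners.get(f.asset)
        if org is None:
            unowned.append(f)
            continue
        per_org[org] += risk_score(f)
    ranked = sorted(per_org.items(), key=lambda kv: kv[1], reverse=True)
    return ranked, unowned


if __name__ == "__main__":
    ranked, unowned = triage(SAMPLE_FINDINGS, OWNERS)
    for org, total in ranked:
        print(f"{org}: aggregate risk {total}")
    for f in unowned:
        print(f"UNOWNED {f.asset} {f.check} score={risk_score(f)}")
```

Running it ranks Org-B ahead of Org-A (one long-open critical server finding outweighs two desktop findings) and reports the laptop finding as unowned, which is the case the ranking cannot help with until the inventory is fixed.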
Another complicating factor: There's a shortage of cyber experts. According to some outside estimates, the government needs as many as 20,000 more information security professionals. Last year, which marked the first time agencies tabulated IT safeguard costs in their budgets, the figures showed that the most expensive component of cybersecurity is people. Civilian agencies spent 74 percent of their IT security funding on personnel, according to the 2010 FISMA report. Overall, about 16 percent of agencies' IT budgets went toward security, including staff, tools, testing and training. "Making the IT security workforce more productive, more capable and more collaborative offers one of the most significant cost-effective strategies in IT security spending," the report noted.
The Army's test was performed only in the contiguous United States, but the steps should be the same when the service deploys the technology overseas, according to Jones. "What really doesn't matter is the location of these things, what does matter is the bandwidth," he says. "When you're doing things over a satellite link in Afghanistan, it's a little more challenging." In addition, the Army is examining how to keep tabs on the risks posed by iPhones, iPads and other mobile devices, Jones notes.
Heightened consciousness throughout the executive suite, as well as in the Oval Office, about the dangers posed by breaches has helped CISOs, they say. "I do have the buy-in from the department across the board, so when issues do arise we continue to push forward," Justice Department CISO Kevin Deeley explains. "We have the ear of the executives both in the department and the White House." President Obama began his administration by calling for a 60-day review of cyberspace policy governmentwide and appointed the first-ever White House cyber czar, Howard Schmidt. White House Chief Information Officer Vivek Kundra and Schmidt were heavily involved in developing the continuous monitoring metrics, Deeley says.
Security chiefs say their job is further complicated by the proliferation of smartphones and tablet computers popular with employees. Allowing consumer devices into the federal IT environment is tricky because agencies have to ensure security and privacy protocols are followed, yet at the same time, cyber officials understand that staffs need the gadgets to boost productivity and enhance operations. "One of the things we want to make sure is that people don't think we're the ones who are going to say no to everything," says Justice CIO Vance Hitch, co-chairman of the Chief Information Officers Council's Information Security and Identity Management Committee, and Deeley's boss. The committee plans to examine methods of safeguarding government information on the devices in the year ahead.
This iPhone challenge could take time to solve. Malicious applications are expected to proliferate in mobile devices, according to security firm McAfee's annual prediction of the biggest cyber threats. New this year is the projection that perpetrators will infect social media on mobile devices, a means of interaction that agencies increasingly depend on to conduct business.
The societal shift from desk-based email communications to mobile text messaging and Twitter insta-blogging has transformed the threat landscape, according to the report. For example, phishing, the practice of sending scam emails that appear to come from the recipient's bank or from Nigerians, will move to Twitter because email is no longer vulnerable, says Dmitri Alperovitch, the study's co-author and McAfee's vice president for threat research. "Email is a fairly well-protected channel these days, and people are starting to finally get the message that if they get an email that looks too good to be true . . . it potentially needs to be reported," he adds.
Outside the CISO office, senior executives throughout government woke up to the reality of insider threats last year when a soldier allegedly downloaded reams of digital diplomatic cables and sensitive war documents for public disclosure on WikiLeaks. "It is a very viable threat and we can't sleep on it," Davis says. "WikiLeaks definitely woke up everyone."
But not many agencies have the resources to detect, in real time, internal threats from employees. "I think in a lot of cases people don't know they have an insider threat," SRA's Burke says. "In most cases, they don't have the sensors on their networks, on their PCs and their laptops and their servers to know who's logging in and what permission they have to do that."
Management is more focused on outsiders, such as the culprits who recently walked off with personal information, including passwords and perhaps credit card data from the online profiles of 77 million users of Sony's online gaming console and digital entertainment service. Applications exist that would empower CISOs to see which files their employees are accessing, "but the insider threat hasn't gained the same glamour, I guess, as the Sony PlayStation [threat]," Burke says.
After agencies get the hang of continuous monitoring, their next move could take the term "proactive" to a whole new level. "Eventually this game will have to move to the offensive side," Burke says. "We've been on the defensive side for too long." At least one agency already has started playing hardball. He notes that in April the FBI, in a first for the U.S. government, shot down a botnet, a network of hijacked computers controlled via remote servers to unleash malicious software. Law enforcement officials accomplished this feat by programming the offenders' servers to send stop commands destroying the malware.
Coreflood, which infiltrates only Microsoft Windows-based computers, had been used to monitor its victims' keystrokes as they typed, so intruders could steal their personal information such as bank personal identification numbers, FBI officials say. Now, even if a computer is still infected with the worm, the personal data it attempts to send the servers will trigger a kill command and inform the user's Internet service provider. Coreflood's mastermind compromised as many as 2 million computers and swiped hundreds of thousands of dollars through fraudulent wire transfers before the FBI moved in. The Justice Department obtained the servers, located in Georgia, Ohio, Texas, Arizona and California, through search warrants, and filed a civil complaint against 13 unnamed thieves.
Risk is inevitable. Fulfilling agencies' missions is the foremost goal, CISOs say. "As we try to weight operational capabilities versus security, at the end of the day, what we're trying to do is manage risks," Jones notes. "Risk is a part of our environment. You always have to keep the operational mission in mind."