You’ve heard of TechStat and PortfolioStat. Well, for the last few months, the Office of Management and Budget has been doing CyberStat sessions, Dr. Andrew Ozment, senior director of cybersecurity at the White House, said Tuesday at McAfee’s Public Sector Summit presented by FedScoop.
Ozment, speaking April 23 before more than 600 people at the Pentagon City Ritz-Carlton in Arlington, Va., said the sessions, done with an agency’s chief information officer, chief information security officer and performance improvement officer, aim to ensure agencies meet the White House’s cross-agency priority goals for cybersecurity.
“Some agencies have shown great progress, while others, well, have not,” Ozment said. “What these sessions are doing, though, is helping to bring cybersecurity to the attention of the agency’s senior leadership and let them know that the White House sees it as one of its main priorities.”
The CyberStat sessions are part of five cybersecurity priorities set forth by Michael Daniel, national coordinator for cybersecurity, Ozment said. The sessions fit into the need to help defend the federal networks, classified and unclassified.
The other four priorities:
- Protect critical infrastructure: The Cybersecurity Executive Order helps establish that, but Ozment added Congress needs to pass legislation to give the effort more teeth. He said he hopes something will make it through Congress in the next year or so.
- Improve incident response, intelligence and reporting: Ozment said the idea incident is one in which the federal government either knows it will happen in advance or while it is occurring. That visibility can help solve problems before they occur or prevent them from becoming worse.
- Increase engagement globally: That includes creating higher penalties for international behavior and creating norms of behavior.
- Shape the future environment: How can the future of the Internet be structured so those on the offensive do not have the upper hand? Ozment highlighted finding a way to shift the odds in the government’s favor without going against core principles such as freedom of speech.
DOD networks taken for granted
Once upon a time, not too long ago, the Defense Department took its network security for granted, said DOD CIO Teri Takai.
“It wasn’t until the networks became threatened that we began to put the proper emphasis on cybersecurity for our entire information technology architecture,” she said.
And for DOD to help other agencies such as the Department of Homeland Security and the Federal Bureau of Investigation protect the rest of the federal government’s networks, it first must be able to safeguard its own.
Takai outlined DOD’s current cyber-related focus areas:
- Thinking about cybersecurity with the entire infrastructure in mind and looking at how the department is configured — from the data center to the mission level.
- Part of that includes rethinking standards and policies to better integrate information assurance into everything the department does, including the acquisition of new technologies.
- As the infrastructure changes, so do the roles and responsibilities of those doing cyber, Takai said, so DOD is looking to see how those areas operate and who needs access, to ensure the network is secure.
- Information sharing within the department, including through various intelligence organizations that may be collecting different information on threats. “With tighter budgets and sequestration, we need to be more efficient in how we use data,” Takai said.
- Improving the cyber workforce: Takai said DOD needs more cyber expertise and needs to continue grow them from the universities, the National Guard and the military reserve units. Commanders also need to fully understand what cyber capabilities are at their disposal, she added.
- Further collaboration with external cybersecurity partners — including the Defense Industrial Base — on efforts such as the Committee for National Security Systems.
- Continued work with interagency partners such as DHS, FBI and the Commerce Department on securing critically important information.
OMB memo to update FISMA
Jeff Eisensmith, chief information security officer at DHS, said OMB plans to soon release a memo that will relieve some of the legacy elements of the Federal Information Security Management Act.
“The old style of doing FISMA doesn’t have the agility the federal government needs and has become a resource drain that I cannot tolerate,” he said.
As for doing more with less, Eisensmith said that’s not a reality in security. Instead, agencies need to look at “ruthless prioritization.”
“We have to think about what is important to get done today,” he said.
Sophistication of code
The biggest challenge former Central Intelligence Agency CISO Robert Bigman sees? The sophisticated malware he said has jumped in the past 15 months.
“We’re seeing code now that is almost impossible to reverse engineer,” said Bigman, now CEO of 2BSecure.
Bigman also said the federal government is, in general, a pro when it comes to cybersecurity.
“The worst federal agency is better at security than the best private sector company,” he said.
The changing security of consumer devices
As the world’s largest pure play security company and the federal government’s largest cybersecurity vendor, you could say McAfee has a pretty good perspective of what’s going on in the security world.
Michael Fey, executive vice president and worldwide chief technology officer for McAfee, said the cyber world is changing, in particular when it comes to creating mobile devices.
In the good ol’ days – “you know, three years ago,” he said – companies such as Microsoft and Apple built mobile devices with the enterprise in mind, making their use easier for organizations including major corporations and the federal government.
Now, Fey said, the devices are made with the consumer in mind.
“It’s not a bad thing, but it does change our design and what tools are available to use,” he said. “We’re at the point where we have to break licensing agreements just in order to secure certain devices on an enterprise level.”
Continuous monitoring at Commerce
The Commerce Department this year will implement a comprehensive continuous monitoring system, making it the first time the department has real-time situational awareness, CIO Simon Szykman said. Commerce will be able to correlate everything that’s going on at the agency level, and then share it with DHS.
“What I’m expecting to be able to do is have the situational awareness across the department, looking into a dozen different bureaus at once,” he said
Energy Department Associate CIO and CISO Gil Vega said the department has spent plenty of resources to invest in advanced cyber capabilities, particularly in nuclear energy security. That information is only valuable, though, with “unfettered information sharing” used responsibly by those with access.
“The threat, I think, has been reduced because of sharing,” he said. “The key is for people to know what that data is, what it can do and also what it can’t do. That gives decision-makers a clearer picture of the threat and how to combat it.”
Securing the Postal Service supply chain
Chuck McGann, CISO at the U.S. Postal Service, said the agency had a cybersecurity risk in its supply chain, most notably in the mail-processing department where certain vendors had access “right into the backbone” of what the agency does.
Noticing that, McGann worked to clean that environment, setting up more rules and standards and working with the engineering side of the house under the authority of the CIO to tighten that operation.
“That was a real good entryway that brought us vulnerability,” McGann said. “In the past, there was a disconnect in areas like that, but they’ve decreased in recent years as the cyber threat has become more prevalent.”
State looking to the cloud
Bill Ley, State Department CISO, said the department is taking another look at its entire infrastructure from a security perspective. He said security no longer can be bolted on, but it must be built in to effectively protect an agency’s data.
Part of that new look includes working with cloud providers to see how they can accommodate issues including the Homeland Security Presidential Directive 12 and trusted Internet connections.
Effective cyber strategy from NSA
Neal Ziring, technical director of the Information Assurance Directorate at the National Security Agency, highlighted five areas for effective cybersecurity:
- Situational awareness – the ability to view into information operations
- Detect attack – knowing the difference between normal operations and “bad” operations
- Damage assessment – be able to tell which data was compromised, how it was compromised and how it will effect an organization
- Response – How does your organization react to an attack? Can it quickly fix what was compromised and quickly know a bad situation before it gets worse?
- Recovery – Once something has gone wrong, can you quickly fix it and get back to being fully operational?