The House Committee on Oversight and Government Reform held a hearing last month to examine the ability of federal agencies to detect and mitigate cybersecurity vulnerabilities. The impetus for the hearing was the December 2015 discovery of potentially devastating vulnerabilities in several generations of Juniper Networks’ software. Juniper Networks is a marketer and developer of networking products used by a number of federal agencies.
Committee Chairman William Hurd (R-TX) explained that the vulnerability may have allowed outside actors to monitor network traffic, decrypt information, and even take control of firewalls. Although the Department of Homeland Security (DHS) worked quickly to notify federal agencies of the vulnerability, some of the agencies were slow to mitigate the threat it posed.
In January, the committee sent letters to the heads of 24 federal agencies requesting an inventory of systems that used Juniper Networks software, as well as the status of their progress in installing the corresponding security patch that would remediate the vulnerability in those systems.
“Of the twelve agencies affected, three—including the Department of Treasury—took longer than fifty days to fully install patches and mitigate the threat posed by this vulnerability. This is absolutely unacceptable,” said Hurd. “The inability of federal agencies to maintain a comprehensive view and inventory of their information systems and to respond to Congress in a timely manner cannot be the status quo.”
Testifying on how federal agencies can improve their overall cybersecurity postures, Rich Barger, Chief Intelligence Officer at ThreatConnect, explained that federal agencies have for years been struggling with a “detection deficit”—the gap between compromise and detection.
“Without closing that gap, we continue to be our own worst enemy, and we cannot expect to be effective in detection, response, and mitigation,” said Barger.
Barger attributes federal agencies’ difficulty responding to today’s threats to fragmentation between an organization’s people, processes, and technologies. The key to solving the fragmentation issue is information sharing.
The Cybersecurity Act of 2015, which President Obama signed into law in December 2015, is a step in the right direction. The legislation created a voluntary cybersecurity information sharing process meant to encourage public and private sector entities to collaborate and share information.
Within DHS, the National Protection and Programs Directorate (NPPD) serves as a hub for cybersecurity information sharing between government and the private sector. NPPD’s customers include federal civilian agencies, private sector companies, and state, local, tribal, and territorial governments.
Testifying at the hearing, NPPD Office of Cybersecurity and Communications Assistant Secretary Andy Ozment explained, “Recent compromises clearly demonstrate the challenge facing the federal government in protecting our systems and networks against sophisticated, agile, and persistent threats. Addressing these threats is an important, shared responsibility.”
NPPD plays a vital role in vulnerability detection, response, and mitigation. When it comes to information sharing, its primary tool for immediate dissemination is the Cybersecurity Coordination, Assessment, and Response (C-CAR) process, which allows DHS to rapidly transmit critical cybersecurity information across the federal cybersecurity community.
After information about a specific vulnerability is disseminated, DHS will frequently collect information about government-wide remediation progress. The purpose of this information is to understand the prevalence of any one vulnerability and to encourage each agency to implement required mitigations faster. At this time, this process is primarily manual.
Ozment said this approach has several disadvantages. He explained, “It relies upon agency self-attestation of their vulnerabilities and remediation progress, it imposes a time-consuming data entry requirement on each agency, and it depends on agencies to update their data regularly and accurately.”
However, the Continuous Diagnostics and Mitigation (CDM) program is changing that. The program provides continuous, automated diagnostic tools to detect vulnerabilities in near-real time. CDM has three phases:
- CDM Phase 1 identifies vulnerabilities on computers and software on agency networks. It can be summarized as telling operators “what is in your network.”
- CDM Phase 2 detects potentially malicious user behavior and ensures that users’ authorized access does not exceed their assigned role in the organization. It can be summarized as telling operators “who is in your network.”
- CDM Phase 3 assesses activity happening inside of agencies’ networks to identify anomalies that may indicate a cybersecurity compromise. It can be summarized as telling operators “what is happening on your network.”
According to Ozment, Congress can help accelerate the implementation of CDM by passing the President’s FY 2017 proposed budget, which provides more resources for mitigating complex vulnerabilities, as well as more proactive assessment teams to detect vulnerabilities that the agencies may have missed.
Overall, Ozment said the key to successful mitigation is “communication, automation, and resources for remediation.”