As a former Chief Security Officer (CSO) at the Department of Homeland Security, I was recently asked the question: “What is the one cybersecurity oversight you see repeatedly that you’d urge people to fix now?” Any CSO worth his or her salt knows that security, especially programs located within the national security and counterintelligence realms, is a zero-sum game. Security directors and their staffs must win each and every time.
A security program is an ecosystem. Every program area relies on essential contributions from leadership, managers, staff, technicians, and customers. The cybersecurity programs and platforms employed to safeguard all security lines of business are vital to successful security programs within the complex network of interconnected security systems. A gap, breach, or betrayal in any one area, especially cybersecurity, will have substantial national security and/or counterintelligence implications.[1] We saw this presumption play out with the Office of Personnel Management data breach a few years ago.[2]
In June 2015, OPM announced that it had been the target of a data breach involving the records of as many as four million people. The final estimate of the number of stolen records is approximately 21.5 million. This includes records of people who had undergone background checks but who were not necessarily current or former government employees. The breach has been described by federal officials as among the largest in the history of the United States. Information targeted in the breach included personally identifiable information such as Social Security numbers, names, dates and places of birth, and addresses.
The data breach consisted of two separate, but linked, attacks. It is unclear when the first attack, which was discovered on March 20, 2014, occurred; the second attack happened on May 7, 2014, when attackers posed as an employee of KeyPoint Government Solutions, a subcontracting company. The second attack was not discovered until April 15, 2015, long after it was carried out.
In the aftermath of the second attack, both Katherine Archuleta,[3] the director of OPM, and Chief Information Officer Donna Seymour[4] resigned, illustrating the consequences for senior government leaders when critical programs fail.
The breaches involved the theft of sensitive security clearance information, employees’ (and job applicants’) personal data, and fingerprints.
OPM officials expressed “with a high degree of confidence” that their “systems containing information related to the background investigations of current, former, and prospective federal government employees, to include U.S. military personnel and others for whom a federal background investigation was conducted, may have been exfiltrated.” With respect to personal data, a representative of the American Federation of Government Employees stated that “the breach compromised military records, veterans’ status information, addresses, dates of birth, job and pay history, health insurance and life insurance information, pension information, and data on age, gender, and race.”[5] As such, both breaches put their victims at risk of identity theft and other financial crimes.
With respect to fingerprints, the stolen data included 5.6 million sets of fingerprints.[6] At the time, a biometrics expert said that “because of this, secret agents were no longer safe, as they could be identified by their fingerprints, even if their names had been changed.”
On Aug. 27, 2017, the FBI arrested a Chinese national suspected of helping to create the malware used in the breach.[7]
So, what has happened since the 2015 OPM cybersecurity breach to correct weaknesses and imperfections in our national cybersecurity structure?
On May 30, the Office of Management and Budget (OMB) published the Federal Cybersecurity Risk Determination Report and Action Plan to the President of the United States (Risk Report),[8] which the president required under Executive Order 13800.[9]
The Risk Report captures OMB’s assessment of cybersecurity risk management capabilities across the federal enterprise and provides recommendations to address the most mission-critical cybersecurity gaps. As detailed in the report, OMB and the Department of Homeland Security conducted “the most thorough review of federal cybersecurity to date by examining the capabilities of 96 civilian agencies across 76 metrics to determine agencies’ ability to identify, detect, respond, and if necessary, recover from cyber incidents.” Unfortunately, OMB found that “71 of 96 agencies (74 percent) participating in the process had cybersecurity programs that were either At Risk or High Risk.” This was deemed unacceptable and an aggressive action plan was developed to address the issues.
OMB and DHS also found that “agencies are not equipped to determine how malicious actors seek to gain access to their information systems and data. This overall lack of timely threat information means agencies are spending billions of dollars on security capabilities without fully understanding the dangers they’re facing in the digital wild. This situation creates enterprise-wide gaps in network visibility, IT tool and capability standardization, and common operating procedures, all of which negatively impact federal cybersecurity.”
The Risk Report also reveals that “OMB and DHS have taken a series of actions to decrease the risk to federal systems and information since developing this report. In particular, OMB and DHS worked with the interagency community to enhance the Federal Information Security Management Act CIO Metrics to focus on capabilities that directly correspond to mitigating threats identified in the Cyber Threat Framework.”[10]
Additionally, the Risk Report indicates that actions are currently underway to address cybersecurity risks across the government landscape including improved cybersecurity threat awareness capabilities, enhancing information-sharing between agencies, describing and classifying threat activity in a meaningful way, controlling costs, consolidating agency Security Operations Centers to improve incident detection and response capabilities, and improving governance processes, risk assessments, and OMB’s engagements with allied agencies.
DHS has also “put the Cyber Threat Framework into practice via its .gov Cybersecurity Architecture Review (.govCAR) program, which is based on a tool developed by the National Security Agency for the Department of Defense to map defensive capabilities against intelligence-informed threat vectors. Though still in its early stages, the program has already identified existing gaps against certain adversary activities, allowing the government to remediate shortcomings. Both the enhanced metrics and the .govCAR program will help set the direction for Federal cybersecurity for years to come by focusing on the capabilities agencies should be working toward in the future to protect against active threats.”
While progress is being made, the fact remains that the cybersecurity programs at three-quarters of our civilian agencies participating in the cybersecurity process were either “At Risk” or “High Risk,” indicating significant vulnerabilities across the government landscape – which leads back to the original question asked: “What is the one cybersecurity oversight you see repeatedly that you’d urge people to fix now?”
Federal agencies “are already consolidating their Security Operations Centers to achieve greater enterprise visibility and increase the standardization of cybersecurity tools and capabilities,”[11] which is encouraging. This will allow security directors in agencies with less mature programs to force-multiply by drawing on more robust programs elsewhere in government.
Most government agencies, especially those with intelligence community responsibilities, employ parallel security programs (access control, information security, personnel security, physical security, and insider threat detection and mitigation) that require increased levels of cybersecurity support. Security directors in these agencies have varying levels of technical expertise and proficiency, especially in cybersecurity, which requires partnerships with technical cyber experts.
For security directors having no formal education, training, and experience in cyber technology, one worthwhile business decision would be to closely align themselves with the person, team, or organization to whom their cyber-threat detection, response, and mitigation functions have been delegated. Lack of knowledge and expertise about cybersecurity, or the fact that the cyber-threat function may be delegated to others, does not absolve the security director from meeting his or her security program obligations.
Security directors must know who has authority to access their networks and systems, both internal and external to the organization. Directors must ensure that acceptable levels of vetting have occurred for all who have system access and understand the way the networks and systems are monitored for potential intrusion. Additionally, security directors should have a working knowledge of which firewall and detection software is in place to manage intrusion risk.
Finally, security directors would do themselves and their organizations well to educate their employees on emerging cybersecurity dangers and the role employees can play in preventing those threats. Security training and education are often overlooked or abbreviated due to perceived time constraints and work demands. This is an error that impairs the organization and could lead to real harm.
Reassuring is the fact that President Donald Trump’s 2019 fiscal year budget request “boosted cybersecurity funding by about 4 percent across the government, including significant hikes at the Homeland Security Department and Pentagon.”[12] The budget also “commits $407 million for a government-wide intrusion detection program called Einstein” and “$238 million for Homeland Security’s continuous diagnostics and mitigation program, which delivers a suite of cybersecurity tools to federal agencies and will eventually track federal computer systems on a governmentwide dashboard.” All of this is very encouraging.
Recall the Fram oil filter marketing catchphrase – “you can pay me now or you can pay me later” – meaning you can pay a little for an oil change and new filter now, or a lot for an engine rebuild later. The cybersecurity analog: security directors can more effectively invest in our cybersecurity engine now, or potentially pay with our national security later.
The views expressed here are the writer’s and are not necessarily endorsed by Homeland Security Today, which welcomes a broad range of viewpoints in support of securing our homeland.