In a joint statement issued January 5, 2021, by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA), the Federal Government advised the American public and U.S. businesses that the recently discovered hack of U.S. defense contractor systems, carried out through malware planted in a SolarWinds plug-in application, will require extensive investigation, and that the reach of the malware will take many months to determine.
Not lost in this public release on the SolarWinds breach was the fact that four different Federal agencies needed to comment on the attack. While each agency may have a role to play, accountability looks fractured: on examination, all four failed to discover the breach, and none of the four was willing to accept responsibility.
In a communication in mid-December 2020, the FBI made the following statement:
"These actors have been observed on victim networks pursuing several objectives, including achieving full privileged persistent access through trusted, legitimate credentials, accounts, and applications." "These actors" are believed to be Russian assets employed by the Russian government "…to monitor the DNS beacons to determine if additional targeting of an organization is desired."
Cyber workers are the front-line, tip-of-the-spear organizational assets against cyber threats. Their training and certifications must align with the sophistication of the threat, or all of the technology assisting them becomes meaningless. It has not yet been determined, but based on the aforementioned FBI communication, the likely method of intrusion appears to have been through a SolarWinds employee, most likely an unwitting one. What training did the front-line workers at SolarWinds have, and how does that training align with best practices?
The resources for determining workforce compliance with known and accepted standards for deterring cyber threats are available, and they provide government and commercial entities the insight they need to know their workforce is certified and trained in the right areas against this growing and malicious threat. The NICE standards developed by the National Institute of Standards and Technology (NIST) provide the best and most capable roadmap. They have been available for many years and form the basis for DoD FISMA/RMF compliance. They should be the starting point for conversations about best practices.
The technology in the hands of U.S.-based corporations is also more than adequate to deter threats. What is missing, and has always been missing, is a better collaborative process between the technology and a trained workforce, and a more precise and functional organizational effort to marshal the many disparate activities responsible for cyber threat deterrence across the many national information systems in the U.S.
There are a good number of people who understand the threat, as well as many well-developed technologies, and engineers who can mitigate it. But there are very few people who can marry them up in a coordinated fashion and develop a deterrence posture that resonates with both Government and commercial entities, and that can be coordinated in a more precise way during an emergency. It may be time for a Cyber Czar who reports directly to the President and has the authority to direct resources and policy as required to keep America safe.
Any organization's success is based upon hiring talented people, empowering them, and holding them accountable. The accountability piece is the weakness in our nation's cyber deterrence strategy. Now is the time to give the incoming administration what it needs to finally manage our cyber deterrence posture through a single person directly aligned to the President.
Time to Establish a Federal Cyber Security Program
Cybersecurity is increasingly regarded as a horizontal and strategic national issue affecting all levels of society. A Federal Cyber Security Program (FCSP) would bring a holistic approach to improving the security and resilience of national infrastructures and services against all internal and external threats. It is a high-level, top-down approach to cybersecurity that establishes a range of national objectives and priorities to be achieved in a specific timeframe. As such, it provides a strategic approach that leverages existing frameworks for a nation's approach to cybersecurity.
The main action points covered by the strategy include:
- Increase cybersecurity of the federal enterprise through improved governance, information security policies, and oversight.
- Implement a policy that navigates the global cybersecurity landscape and its associated risks at the strategic level, so as to effectively allocate our resources and prioritize departmental efforts to address vulnerabilities, threats, and consequences across our cybersecurity activities.
- Expand and improve sharing of cyber threat indicators, defensive measures, and other cybersecurity information.
- Develop and deploy appropriate best-in-class technologies and practices, including standardized solutions where cost-effective and operationally feasible to secure legacy systems and cloud or shared services.
- Institute the NIST/NICE framework across the government and indemnify commercial infrastructure owners/operators who agree to conform to these Federal Government standards as an enticement to implement best practices.
Time to Rethink Cybersecurity Governance
Cybersecurity governance and risk management programs are not new for the government, and they should be regularly reviewed to keep pace with changes in the organization's cyber landscape. Cybersecurity risks need to be considered at the same level as compliance, operational, financial, and reputational risks, with suitable measurement criteria and with results monitored and managed.
A properly sized and efficient I.T./cybersecurity governance schema is a crucial enabler of successful protection. I.T./cybersecurity governance is both preventive and corrective: it covers the preparations and precautions taken against cyber threats and attacks, and it determines the processes and procedures needed to deal with incidents that occur.
The Federal Government needs to take an overarching, holistic approach to cyber rather than a scattered, solution-centric one. For too long, the government has bought solutions based on the current threats instead of looking to solutions that enforce policy based on a governance framework.
Using a governance framework, the Federal Government can holistically transform its cybersecurity strategies to better mitigate current and future risks to high-value assets (HVAs). The foundation of a cybersecurity program addresses I.T. risk management and cybersecurity governance at the enterprise level, allowing organizations to identify risks, threats, and vulnerabilities that can impact critical business processes.
A Pro-Security Culture: Security as a Shared Responsibility
Threats to HVAC and cyber-attacks on infrastructure can be significantly reduced by improving user behavior and fostering a culture of shared responsibility for security with vendors who provide those solutions.
The key to addressing the human aspects of security is fostering a vigilant and security-minded culture. Employees and vendors alike are required to follow procedures with real consequences for non-compliance.
A Cyber Czar at the presidential level would emphasize that information security and data privacy are the responsibility of all employees and vendors. The pro-security attitude should come from the top down. Enforcing policy and verifying compliance instills a culture of compliance where everyone must report and respond to any potential or real threats and attacks, significantly improving their cybersecurity posture.
Having a Cyber Czar will create a workforce culture that follows well-established and thought-out system security policies (SSPs) and will dramatically enhance the Federal Government's ability to prepare for, respond to, and mitigate cybersecurity incidents. A culture of reporting, responsiveness, and openness, rather than a culture of fear, blame, and shame, can help agencies respond to any potential threats with speed and transparency to mitigate the issue and limit the damage. By placing the Cyber Czar directly under the President, the seriousness of the problem will finally be brought to the fore.
Collaboration and Continuous Learning
To complement a solid security foundation, the Federal Government needs to take a holistic approach to cybersecurity that's cross-collaborative rather than siloed. If done right, the process should encompass cross-disciplinary competencies in dealing with data security issues.
We can achieve a stable cybersecurity posture through a combination of multi-layered and integrated security solutions, end-user education and awareness supported by processes, security best practices, governance, and a culture of security as a shared responsibility.
Technology Alone Is Not Enough
The Federal Government cannot afford to treat cybersecurity as an afterthought or solely through a theoretical "single pane of glass" mentality.
The average cost of a data breach in 2020 was $3.86 million, according to a new report from IBM and the Ponemon Institute. The report shows a 1.5% decrease in costs from 2019 but still a 10% rise over the last five years.
Adopting a comprehensive approach to cybersecurity puts the federal government in a position of strength, readily able to successfully prevent, mitigate, and remediate attacks. Such a system incorporates people, processes, and technology. It considers the technical and human, social, cultural, and governance factors relevant to the detection, prevention, and correction of cybersecurity vulnerabilities.
This is not to say technology does not have its place in defending America's cyber landscape. Still, it needs to be balanced with people and policy to ensure all areas are addressed and covered efficiently and verifiably.
Technology
The demand for effective security products from reputable vendors is growing, and there is no denying that technology is an essential foundation of a robust cyber defense strategy.
In addition to practicing good basic security hygiene, multiple layers of protection and the selected security tools need to be well-integrated into the overall security architecture. The technology should be manageable, as a secure environment is visible, understandable, and well managed.
Typically, federal cybersecurity programs respond to growing cyber threats by buying more security tools, only to find themselves overwhelmed by an inability to manage multiple hardware/software solutions.
Disadvantages of having an extensive security toolset:
- New or existing security tools becoming shelfware
- Duplicating toolsets leaving other areas vulnerable to unaddressed threats
Ways to improve on this front would be to implement tools that:
- Leverage security tools that utilize real-time threat detection and threat intelligence sharing
  - Threat intelligence is a way of looking at signature data from previously seen attacks and comparing it to enterprise data to identify threats. This makes it particularly effective at detecting known threats, but not unknown ones. Threat intelligence is frequently used in security orchestration, automation and response (SOAR), Network Detection and Response (NDR), Intrusion Detection System (IDS), and web proxy technologies.
- Conduct threat hunts
  - Instead of waiting for a threat to appear in the organization's network, a threat hunt enables security analysts to actively go out into their network, endpoints, and security technology to look for threats or attackers that may be lurking as yet undetected. This is an advanced technique generally performed by veteran security and threat analysts.
- Utilize tools that leverage deception technology
- Decrease attacker dwell time on the network
- Expedite the average time to detect and remediate threats
- Reduce alert fatigue
- Produce metrics surrounding indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs)
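The threat-intelligence matching described above (comparing indicators from previously seen attacks against enterprise data, here DNS resolver logs of the kind the FBI statement refers to as "DNS beacons") and the IOC metrics listed in the last bullet, as an added example that is not part of the original article. The indicator domains, the log lines and the log format are all constructed for illustration; the last log line shows the caveat that a feed only detects indicators it already knows.

```python
import re
from collections import Counter
from typing import Optional

# Constructed indicator list standing in for a threat-intelligence feed.
# These are placeholder domains, not real indicators from any advisory.
IOC_DOMAINS = {
    "beacon.example.invalid",
    "update-cdn.example.invalid",
}

# Constructed DNS resolver log lines: timestamp, client, queried name.
SAMPLE_DNS_LOG = """\
2020-12-14T08:01:12Z 10.1.4.22 query ntp.example.org
2020-12-14T08:01:40Z 10.1.4.22 query beacon.example.invalid
2020-12-14T09:15:03Z 10.1.7.9 query www.example.com
2020-12-14T09:16:55Z 10.1.7.9 query api.update-cdn.example.invalid
2020-12-14T11:30:00Z 10.1.4.22 query beacon.example.invalid
2020-12-14T12:00:00Z 10.1.9.3 query never-seen-before.example.net
"""

LINE_RE = re.compile(r"^(\S+) (\S+) query (\S+)$")


def matches_ioc(name: str) -> Optional[str]:
    """Return the feed indicator that name equals or is a subdomain of, else None."""
    name = name.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


def scan_dns_log(log_text: str) -> dict:
    """Match every query against the feed and summarise the hits as IOC metrics."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        ts, client, qname = m.groups()
        ioc = matches_ioc(qname)
        if ioc:
            hits.append({"ts": ts, "client": client, "qname": qname, "ioc": ioc})
    per_ioc = Counter(h["ioc"] for h in hits)          # hits per indicator
    clients = sorted({h["client"] for h in hits})      # affected hosts
    first = min(h["ts"] for h in hits) if hits else None  # ISO timestamps sort as text
    last = max(h["ts"] for h in hits) if hits else None
    return {"hits": hits, "per_ioc": dict(per_ioc), "clients": clients,
            "first_seen": first, "last_seen": last}


if __name__ == "__main__":
    report = scan_dns_log(SAMPLE_DNS_LOG)
    for h in report["hits"]:
        print(f"{h['ts']} {h['client']} -> {h['qname']} matches {h['ioc']}")
    print("per-IOC counts:", report["per_ioc"], "clients:", report["clients"])
    print("first/last seen:", report["first_seen"], report["last_seen"])
```

The first/last-seen window is the raw material for the dwell-time metric mentioned above, and the unmatched query to never-seen-before.example.net is exactly the kind of unknown that signature matching misses and a threat hunt is meant to find.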
As new detection and response technologies are developed, they should be integrated into existing layers rather than creating new ones. Multiple technology solutions should provide end-to-end cybersecurity to improve incident detection, prevention, and response and streamline security operations.
Human Factor
Cybersecurity is a human-centric field. After all, cyberattacks are planned and executed by a person, and most attacks target a person for access. As such, human behavior is key to plugging security gaps. People in the organization can either be the weakest link in the security chain or be the key to strengthening the business's overall cybersecurity posture.
Regardless of how advanced and effective security technology tools become, successful deployment and seamless implementation of the technology is not possible without competent people and support processes within the context of an overarching cybersecurity strategy. Technology alone is not the solution. People and processes are just as important.
An integrated cybersecurity approach considers the human, cultural, and social factors in an organization. For this reason, the Department of Defense recently adopted the NIST NICE framework for implementation across DoD (DoDD 8140.01) as the baseline set of standards to which their cyber workforce should adhere. When proper vetting of skills required to perform cyber-related work happens, it lessens professional errors due to incompetency or inadequate training. Additionally, it is easier to implement an accountability process when the right people are placed in the right positions to deter the threat.
To successfully deploy cybersecurity strategies and programs, multi-disciplined security professionals are needed.
Security professionals need to understand advanced threat vectors and to recognize, respond to, and mitigate threats to information assets and the associated infrastructure. They also need to do so in the context of the social environment of people, enterprises, and related processes.
Cybersecurity demands specialized security skills, intelligence-led risk assessments, and state-of-the-art forensic analysis skills. Ideal candidates are well-rounded and have a solid foundation in networking, operating systems, web technologies, incident response, and understanding the threat landscape and risk management. The NIST/NICE standards provide this.
Policies and Procedures
Proper I.T. governance procedures within an organization are critical. Implement a formal risk assessment process, develop policies to ensure that systems are not misused, and ensure that applicable policies are continually reviewed and updated to reflect the most current risks. This includes developing incident response policies and procedures to appropriately respond to, account for, and help mitigate the cost of a potential breach.
Key areas that need to be better addressed in the future:
- Update legacy software and systems
- Conduct continuous security audits that look not just at the software and hardware measures in place to protect security but also at remote-site personnel habits and compliance with security policies. DoD is presently evaluating this capability through the Cyber Maturity Modeling Capability (CMMC). If feasible, the Federal space should institutionalize this program.
- Demand audits from vendors and business partners: require regular security audit reports from vendors under consideration before contracts are signed, and after that, as part of their SLAs, expect vendors to deliver security audit reports annually.
- Secure information assets that address physical/virtual location as well as the transit of information
- Leverage threat intelligence platforms to better focus policy on threats and risks based on international and domestic sources.
Conclusions and Recommendations
With continually emerging and evolving cyber threats, the United States Government would greatly benefit from a program at the federal level that is flexible, dynamic, and capable of executing cybersecurity strategies to meet new, global threats. The international scope of the threats makes it essential to focus on both strong international cooperation and securing the home front.
We make the following recommendations:
- Adopt the NIST/NICE framework across the whole government
- Place the Cyber Czar within the National Security Council team and brief POTUS monthly on the current cyber risk profile.
- Develop, re-evaluate, and maintain a Federal Cyber Security Program and action plans within the program's framework.
- Clearly state the scope and objectives of the strategy and the definition of cybersecurity used in the strategy.
- Ensure that input and concerns from across government departments and national security authorities are heard and addressed.
- Ensure the input and engagement of industry, academia, and subject matter experts.
- Collaborate with U.S. allies to ensure that the global nature of cybersecurity is addressed coherently.
- Recognize that the constant development and evolution of cyberspace and of cybersecurity issues mean that the strategy will have to be a living document.
- Be aware that the above point does not just mean emerging threats and new risks but also opportunities to improve and enhance the use of information and communication technologies for government, industry, and the general public.
- Ensure that strategies recognize and take account of the work done to date by DHS in improving the security level, avoiding duplication of effort and concentrating on new challenges.
About the Authors
Robert Riegle, J.D. has served as a Senior Executive in Industry and Government for the past two decades. He is a National and International Security expert with proven results in cyber threat mitigation, counter-insurgency, and counter-terrorism operations. He has authored and co-authored numerous seminal national security-related policy and operational documents and briefs.
Mr. Al Sample has a wealth of senior-level management experience, both within the Federal and Private Sectors. He had a 22-year career in the United States Air Force, including high-level management and operational tours of duty worldwide. His military expertise was diverse and spanned across various career disciplines, including military operations, communications and information systems, information management, contract management, budget management, and business process re-engineering.
Peter Franklin is an accomplished information security professional and Navy Veteran. His technical skills extend into many cyber-related areas. They include Remedy, Tenable Security Center, Rapid7 Metasploit, VMware, Telecommunications Fundamentals, STIG/SCAP, Kali Linux, Metasploit, Trustwave AppScanner, Office 365, Microsoft Server Administration, Windows Desktop, AWS, Azure, pen testing, and forensics investigations.