Internal Cybersecurity Coordination a Challenge, Officials Say
The Obama administration may have gotten ahead of itself with a cybersecurity coordinator in charge of the whole government, given the internal challenges that big agencies face, officials told a TechAmerica conference Tuesday. Trying to standardize on the same platforms and applications may not make sense among components of the Department of Homeland Security, Commerce and Treasury departments, they said. Officials said they were generally unenthused about the level of protection they were getting from security vendors, asking companies to focus on next-generation security techniques.
The “general culture” of a research-oriented environment is problematic for security efforts at the National Institute of Standards and Technology, said Chief Information Officer Simon Szykman. It’s ironic because the agency effectively sets the security standards for the rest of the government. “There’s always a tension” between standardization on secure platforms and the flexibility that research engineers want to use cloud computing, Web 2.0 and social media applications, Szykman said. NIST is moving away from the traditional three-year certification and accreditation (C&A) process toward continuous monitoring, and for the first time it’s working on C&A with the intelligence community, which previously handled its own C&A, he said.
Security vendors are pitching agencies using the China-traced cyberattacks against Google as evidence of a “shift in paradigm,” but the threat of data exfiltration from specific agencies is nothing new, said Alma Cole of Customs and Border Protection, who acts as lead for the DHS Security Operations Center. “Defending against brute-force attacks” isn’t enough when attackers can sneak into information systems and assume a valid user’s identity, a big problem for the use of cloud computing in agencies. The Federal Information Security Management Act, often criticized for creating a “checkbox” mentality at agencies, has “shortcomings” but it can be improved through new NIST standards on “real-time visibility” of networks, Cole said.
“There is no perimeter anymore,” said Devon Bryan, deputy associate chief information officer for security at the IRS: “The endpoint is the perimeter,” with browsers and e-mail the vehicle for most attacks. The agency moved its legacy standalone information technology systems to a “heavily interconnected and Internet-connected” platform that makes its tax administration processes faster and more efficient, but that opens new vulnerabilities, especially to “persistent malware,” Bryan said. It’s the “largest custodian” of personally identifiable information in the world and the 24th most-phished “brand.”
Mischel Kwon, a former U.S. Computer Emergency Readiness Team chief at Homeland Security who’s now at RSA, said the different constituencies at Homeland Security and Treasury -- law enforcement users and taxpayers -- showed that they couldn’t necessarily settle on the same cybersecurity standards. Even within big agencies it’s hard to consolidate around IT systems and platforms, NIST’s Szykman said. Commerce includes the Census Bureau, NOAA, Patent and Trademark Office and NIST, all with distinctly different missions, not to mention more than a dozen smaller components, he said. Data-center consolidation is a controversial issue in this context, Szykman said. Treasury has 13 components including the IRS, and Homeland Security has 22.
Though IRS’ Bryan said he was speaking cautiously, after a state official got fired for talking about a security intrusion without permission at the RSA security conference, he cheered the death of what he called the “kill-switch bill.” That refers to a provision in an earlier draft version of the Cybersecurity Act (S-773), scheduled for markup Wednesday, that would have given the president cutoff authority over the Internet in an emergency. Higher-ups at US-CERT “can’t understand the complexities” of what agencies deal with in their own systems, and even agency heads can’t tell what’s “anomalous behavior” on the networks of agency components, Cole said. It’s especially difficult to identify whether any given intrusion came from an outside hacker or an agency insider, Cole said, a process that’s “more art than science.”
Not that agencies aren’t trying to get together security officials at every level on a regular basis, Cole said. Officials gather every morning at Homeland Security to go over new security incidents and vulnerabilities, discuss patches and get “status updates on tickets,” but it’s hard to “package” that discussion for the broader agency community, he said. The IRS commissioner is part of security meetings, as are the system administrators, Bryan said. The agency also meets regularly with state and local tax officials and tax businesses such as H&R Block to discuss cybersecurity, but officials are lagging with smaller tax firms, he said.
Authentication is a challenge within agencies because they can’t talk to each other, Szykman said. NIST uses two-factor authentication, a stronger form of security, for remote access to its systems, but other Commerce components can’t use their own two-factor authentication to talk to NIST, for example. Even if Commerce set up an agencywide authentication system it couldn’t talk to other agencies, he said. That’s why open identity frameworks, such as the OpenID system that’s part of a federal pilot program on some government websites, “will certainly become more prevalent,” Szykman said. Public communication with the government won’t go anywhere if agencies can’t verify who’s interacting online, Bryan said.
Security vendors can help agencies most by researching new techniques to protect them, officials said. “Our vendor community really needs to look at what they can do differently,” said Bryan, because “the miscreants are having a field day with us.” Antivirus technology is “largely ineffective” for agencies, which are considering combinations of whitelisting and behavioral methodology, Cole said. Bryan said ISPs “have intelligence that we can harness as a community” and some, including Comcast, have been cooperating to find sources of malware. Bryan said he’d be happy if the IRS could stay, “if not ahead, at least abreast of” the threats.