There's a lot of talk in Washington lately about the need to secure our national cyberinfrastructure following the massive data breach at the Office of Personnel Management.
Lawmakers are under pressure to show progress on anything "cyber," but little has been done. One step in that direction was outlined in President Obama's Executive Order 13691, "Promoting Private Sector Cybersecurity Information Sharing." But this week senators are debating a more formal step known as the Cybersecurity Information Sharing Act (CISA), a bill that could be put to a vote as early as next week.
CISA is a good idea in principle, provided that privacy concerns are addressed. The bill, however, is focused on private sector information sharing, which is only a small part of the problem. Sharing information to protect private businesses is important, but in many cases it will not prevent a breach. In the wake of OPM and other breaches, we should also look at the security at federal agencies.
Legislation that increases the transparency of federal cybersecurity programs would be a welcome addition to the CISA discussion.
Placing too much emphasis on sharing threat information – or indicators, as the industry calls them – could cause the private sector to overlook fundamental cyberhygiene. According to OPM testimony, it was a lack of hygiene – not knowing what devices were on the network, failing to manage and protect user access, and out-of-date or unpatched systems – that lead to their breach. Sharing indicators will never replace a strong security program built on the fundamentals and could easily lead to a false sense of security.
We learned a lot from the OPM breach about the overall shoddy state of federal cyber security, but this isn’t surprising when you look at the numbers. The federal IT budget is roughly $80 billion, with about $13 billion (16 percent) earmarked for security. Sixty-eight percent of that $13 billion goes to the Department of Defense. That leaves just $4 billion to split among all other federal agencies. This is comparable to the average budget allocation for a private company (5 percent), but here that money is split among dozens of agencies across the federal government.
Simply spending more money doesn’t automatically make you more secure, but if the US government wants to keep the nation secure and protect Americans' private data, it must invest more in cybersecurity outside of the DoD.
Agencies must have appropriate procedures in place for testing security effectiveness. They need to do more than just watch the perimeter or share indicators. Agencies should be continuously monitoring and assessing overall network security status in real time.
Success may mean hiring more cybersecurity experts, and/or investing in tools to detect and remediate network vulnerabilities with fewer personnel. The security industry is experiencing a severe talent drought, so competition for top performers is intense. At the same time, good tools cost money; however the return for the right tool is often worth the initial cost.
If the federal government wants to demonstrate a serious commitment to cybersecurity, it should increase transparency about successes and potential improvements. It is not enough to conduct public postmortems and play Monday morning quarterback after a breach. Communication and transparency must be increased around the security status of critical networks and national cyberdefenses. This is an opportunity for the federal government to take the lead and set an example for others by disclosing specific details and the best practices of its cybersecurity programs.
Federal agencies already report some cyberinformation under the Federal Information Security Management Act (FISMA), but this should be looked at as a starting point. The government could share even more information without helping potential attackers. It could reveal the type of technologies it deploys, its strategic goals and objectives, vulnerability patch rates, or antivirus and firewall effectiveness. Such transparency increases accountability and focuses more attention on the techniques, defenses, and controls in place than on chasing threat indicators. Agencies could look to each other for examples of what works and what does not work.
Sharing defensive cybersecurity information is not a danger to national security. Not sharing this information is what the industry calls "security through obscurity" and it is not considered a good security strategy. Sharing defensive cyberinformation is confirmation that taxpayer resources are well spent and deployed effectively. Sharing this information would allow the government to pivot from pointing fingers and focusing on failures to looking at what works and focusing on success. Millions of American citizens have already been harmed; citizens have a right to know more about what is going on inside government agencies that keep them safe.
This is the kind of cybersecurity information sharing legislation we need – real transparency, not the opaque transmission of threat data between big companies and top-secret agencies.
Information sharing can be a powerful tool for cyberdefense, but we need to make sure we are sharing the right information. We are all on the same Internet, how we keep it safe is up to all of us. Transparency strengthens everyone, costs us nothing, and will create a competitive cooperation among federal agencies that will benefit not just the agencies themselves, but also the American public at large.
Ron Gula is a former National Security Agency researcher and intrusion detection specialist turned chief executive officer of Tenable Network Security. Follow him on Twitter @rongula.