Cybersecurity is one of the most serious economic and national security challenges we face as a nation today, and one that our government, as well as our commercial industries, is largely unprepared to thwart.
There are certainly numerous federal efforts under way to enhance our ability to defend the country. Yet many forms of digital information remain highly vulnerable to compromise: communications infrastructure, financial markets, personal data and information. We are in desperate need of a comprehensive, national approach to securing our infrastructure.
Unfortunately, security has become a saturated sales market nearly overnight. It is critical to recognize that security is more than a managed service: it is a discipline, made up of many parts that together deliver the sum product of a secured environment. The military and the intelligence agencies have executed this discipline effectively for decades. At a minimum, the security discipline includes dynamic responses, an aligned culture, and layered approaches designed specifically for the operating nature of the particular business.
House Homeland Security Committee Chairman Michael McCaul has introduced legislation to defend federal networks against cyber threats. Let’s take a look at the Cyber Defense of Federal Networks Act of 2015, H.R. 3313, whose stated intent is to “streamline the Federal government’s ability to more effectively identify and prevent cyber-attacks.” We have provided a fair assessment of H.R. 3313, the ‘Cyber Defense of Federal Networks Act’, which aims to protect the .gov domain and its information.
Analysis & opinion: DHS is a new organization that has yet to establish a strong cyber security track record, but this new bill is a good start. What remains to be seen is which Federal cybersecurity best practices will be used and to what extent. Most importantly, will all civilian federal agencies be required to support and maintain continuous monitoring of their systems and networks? This aspect alone would have detected and stopped the OPM attack (data exfiltration) much sooner, regardless of any other advanced tools available.
Existing law leaves it unclear whether it is legal for federal agencies to disclose network traffic to DHS. The OPM hacks show that the nation’s federal digital infrastructure is currently not capable of effectively detecting and defending against current cyber threats.
As in most federal bills, there is a hidden agenda besides the overt intent of the bill. This bill and other related bills will mostly increase funding for much-wanted capabilities/technologies, like DHS’s “Einstein” intrusion detection and prevention system. I might mention there have been plenty of scholarly articles attesting that these Einstein systems are also not effective. The reality today is that malware will, can, and does penetrate these perimeter defenses. The bill will nonetheless strengthen civilian agencies' IT security.
However, the Einstein program would not have prevented the OPM breach, because the system cannot inspect the attack’s encrypted communications. What exactly does H.R. 3313 propose? Let’s take a look.
H.R. 3313, Cyber Defense of Federal Networks Act
- New DHS duties – remote/onsite technical support for cyber-security, risk assessments (including terrorism), fostering new security technologies and capabilities, and working with the defense and national intelligence directors.
- Cyber-security plans (intrusion detection and response plan)
- Mandated advanced internal defenses (advanced security tools) such as the Einstein IDS/IPS, two-factor authentication, encryption for sensitive systems, and appropriate access controls
- DHS initially deployed Einstein in 2004, but it was optional to Federal agencies
- Currently only 45 percent of federal agencies use Einstein
- A separate appropriations bill would have to handle the funding for rolling out Einstein to the federal agencies
- The latest version, Einstein 3 Accelerated (Einstein 3A), employs classified information to actively block known malicious traffic
- Improved metrics and reporting
- Federal cybersecurity best practices (does not specify to what extent this will be mandated)
- Assessments and reports:
  - Transparency and accountability to OMB (audits – protecting against intrusions and data exfiltration)
  - GAO assessment three years after enactment of the bill
  - Congressional report
The proposed revised FISMA would authorize DHS to manage IDS/IPS for all civilian federal agencies.
NOTE: The new bill does not mandate continuous monitoring, which would have detected the OPM attack much sooner.
The measures that this bill mandates (assessments, strong authentication, encryption, and optimized access controls) are practices that cyber security experts would consider standard for operations.
Additional Information Sources:
The Cybersecurity Information Sharing Act (CISA) in its current form is not likely to go forward. That bill would have private companies share cyber threat information (logins, emails, etc.) with the Federal government.