Federal Cyber Security: Agencies Progressing on Threat Data, but Still Need the Basics

Published: September 30, 2015

Tags: Big Data, Critical Infrastructure Protection, Cybersecurity, DEFENSE, DHS, Intelligence, IT Workforce

In the aftermath of the OPM system breach and the debate around federal budget priorities, cyber security has become a daily topic within federal circles. At a recent industry event, participants from defense and civilian agencies, as well as industry, talked about progress and priorities around leveraging greater cyber threat intelligence data, but at the end of the day it came back to the need to implement the most basic cyber security elements.

At the MeriTalk Cyber Security Brainstorm event, a mix of cyber-minded federal and industry professionals from various agencies and companies gathered to “discuss spotting cyber blind spots, mitigating insider threats, putting actionable data to work, and understanding cyber threat intelligence.” In addition to cybersecurity experts from government agencies and industry, keynote speakers included Allison Tsiumis, Cyber Intelligence Section Chief, FBI, and Vint Cerf, Chief Internet Evangelist at Google. Panelists included participants from the Marine Corps, DHS, NSA, DISA, DIA, GAO, and the State Department. Here are some of the major themes of the day and relevant comments from some of the participants.

Cyber Information Sharing

Tsiumis said the FBI has worked through its National Industry Partnership initiatives to build relationships with senior executives of corporations from key critical infrastructure sectors. The focus is on communications, transportation, energy, healthcare, banking and financial, and information technology, the sectors where disruption of critical infrastructure would be most harmful to national security. For example, the FBI produces various unclassified threat intelligence products, and its Flash bulletins are sector specific.

Proposed legislation to aid information sharing has been stalled in Congress, but the general consensus among presenters was that they were still moving forward to declassify and share information from the government side as much as possible. Much of the legislation addresses legal liability issues for industry when sharing breach information with others or with government. The FBI and others have already developed conduits for sharing with industry groups. Agencies would like to see real-time sharing of critical threat indicators in a machine-readable format, as well as new sharing conduits beyond the existing partnerships.

Cyber Threat Intelligence Data

Several agency participants noted that the number of cyber-related intel data feeds and sheer volume of data their cyber security staff are now receiving has increased substantially. However, the key challenge is sifting through which feeds are the highest priority for their individual mission and setting aside the noise.

Brad Nix, Deputy Director of US-CERT at the Department of Homeland Security, likes the threat data US-CERT has coming in, much of which is actionable for them. But Nix admitted that for the many agencies still trying to get past the crawl stage of improving their cyber security, all that data can be counterproductive and a distraction from doing the fundamentals. “You have to do the basics before you can effectively leverage more advanced tools.”

Shaun Cavanaugh, Cyber Branch Chief at the U.S. Nuclear Command and Control System Support Staff (NSS) reiterated the point that the best thing agencies can do is define their cyber intel requirements to cut through the fog of all the data.
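One concrete way to act on the point Nix and Cavanaugh make, that agencies must state their own intelligence requirements before the volume of feeds becomes useful, is to encode those requirements and score every incoming indicator against them. The following is an added example, not code from the article or from any of the agencies quoted; the record layout, the feed names, the weights, the threshold and the sample indicators are all constructed for illustration. Indicators that fail a hard requirement (a type the agency's tooling cannot consume, confidence below its floor, age past its ceiling) score zero; the rest are ranked by mission relevance, source trust, confidence and freshness.

```python
"""Rank threat-intel indicators against an agency's own intelligence
requirements and set aside the noise.

Added example; it is not code from the article or from any agency it quotes.
The Indicator/Requirements record layout, the feed names, the weights and the
sample indicators below are all constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Indicator:
    value: str                # observable: an IP, domain or file hash
    kind: str                 # "ip", "domain" or "hash"
    sectors: tuple            # sectors the feed tagged the indicator with
    confidence: int           # 0-100, as reported by the feed
    first_seen: datetime
    source: str               # feed the indicator came from


@dataclass(frozen=True)
class Requirements:
    sectors: frozenset        # sectors the agency's mission cares about
    kinds: frozenset          # indicator types its tooling can block or hunt for
    min_confidence: int       # hard floor on reported confidence
    max_age_days: int         # hard ceiling on indicator age
    source_weight: dict       # trust placed in each feed, 0.0-1.0 (default 0.5)


def score(ind: Indicator, req: Requirements, now: datetime) -> float:
    """Relevance score in [0, 1]; 0.0 when a hard requirement is not met."""
    age_days = (now - ind.first_seen).days
    if ind.kind not in req.kinds:            # nothing downstream can consume it
        return 0.0
    if ind.confidence < req.min_confidence:  # too weak to act on
        return 0.0
    if age_days > req.max_age_days:          # stale
        return 0.0
    # Soft factors: mission relevance, source trust, confidence and freshness.
    sector_hit = 1.0 if req.sectors & set(ind.sectors) else 0.3
    trust = req.source_weight.get(ind.source, 0.5)
    conf = 0.5 + 0.5 * ind.confidence / 100
    fresh = 0.5 + 0.5 * (1 - age_days / req.max_age_days)
    return round(sector_hit * trust * conf * fresh, 3)


def triage(indicators, req, now, threshold=0.3):
    """Split a feed into (kept, dropped); kept is sorted by descending score."""
    kept, dropped = [], []
    for ind in indicators:
        s = score(ind, req, now)
        (kept if s >= threshold else dropped).append((s, ind))
    kept.sort(key=lambda t: t[0], reverse=True)
    return kept, dropped


# --- constructed sample data (not from any real feed) -------------------
NOW = datetime(2015, 9, 30, tzinfo=timezone.utc)

# A hypothetical energy/transportation-focused shop that can block IPs and domains.
REQ = Requirements(
    sectors=frozenset({"energy", "transportation"}),
    kinds=frozenset({"ip", "domain"}),
    min_confidence=60,
    max_age_days=30,
    source_weight={"sector-bulletin": 1.0, "open-feed": 0.6},
)


def _days_ago(n):
    return NOW - timedelta(days=n)


SAMPLE_FEED = [
    # Fresh, high-confidence, on-mission, from a trusted sector bulletin.
    Indicator("198.51.100.7", "ip", ("energy",), 90, _days_ago(2), "sector-bulletin"),
    # Good indicator, but tagged for a sector this agency does not cover.
    Indicator("malicious.example", "domain", ("healthcare",), 85, _days_ago(5), "open-feed"),
    # A hash: nothing in this shop's tooling consumes hashes, so it is noise here.
    Indicator("0" * 64, "hash", ("energy",), 99, _days_ago(1), "sector-bulletin"),
    # On-mission but 45 days old.
    Indicator("203.0.113.42", "ip", ("transportation", "energy"), 70, _days_ago(45), "open-feed"),
    # Confidence below the agency's floor.
    Indicator("lowconf.example", "domain", ("energy",), 50, _days_ago(3), "open-feed"),
    # On-mission, middling confidence and age, from a less trusted feed.
    Indicator("192.0.2.10", "ip", ("transportation",), 65, _days_ago(20), "open-feed"),
]


def prioritized_sample():
    """Run the triage over the constructed feed; returns (kept, dropped)."""
    return triage(SAMPLE_FEED, REQ, NOW)


if __name__ == "__main__":
    kept, dropped = prioritized_sample()
    for s, ind in kept:
        print(f"KEEP  {s:.3f}  {ind.kind:6} {ind.value}")
    for s, ind in dropped:
        print(f"DROP  {s:.3f}  {ind.kind:6} {ind.value}")
```

Of the six constructed indicators only two survive: the sector-bulletin IP ranks first and the lower-trust transportation IP second, while the off-sector domain, the hash, the stale IP and the low-confidence domain are set aside. The hard checks are deliberately kept separate from the weighted score so that an analyst can explain why an indicator was dropped in one sentence; the weights themselves are the part an agency would tune to its own mission.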

Renee Tarun, Deputy Chief of the NSA’s Cyber Task Force, stressed the need to increase collaboration among agencies and beyond in order to raise the overall cyber posture.

Complexity

Network complexity is a big challenge to improving security. Col. Gregory Breazile from the US Marine Corps described the Corps’ efforts to consolidate networks, and the DoD’s overall JIE efforts, as both a benefit and a challenge. “The changing nature of our networks introduces vulnerabilities. We’re not at a unified network at this point, but working on that.” Breazile also noted how complexity impacts the larger IT ecosystem and requires choosing priorities. “Complexity is a major issue. We can’t hire enough skilled people and buy enough technology. We’re doing it on the fly across multiple programs. So we have to determine what is a priority.”

Automation

NSA’s Tarun said that the volume of threat information has increased the need for automation. “We need greater automation in the area of cyber intel in order to free up personnel from the mundane to focus on things that only they can do.” Breazile sees a great need for automation, especially compliance tools on the network that will enforce the compliance of applications and other components. The USMC is looking for auto-compliance tools that enforce “comply to connect” on DoD networks.

Focus on the Basics

Nix from US-CERT noted that, in the wake of the OPM breach and the cyber security sprint that followed from OMB, US-CERT is focused on promulgating security best practices and fundamental cyber security. Practicing the fundamentals is needed before an agency can leverage threat intel data. US-CERT is emphasizing the following cyber activities with civilian agencies right now:

  • Application directory whitelisting
  • Patching applications and operating systems
  • Restricting administrative privileges, which includes expanding 2-factor authentication
  • Network segmentation, which involves disaggregating networks for better protection

While progress has been made, it seems that agencies will continue to need the aid of industry experts and practitioners alike to tackle their security challenges for the foreseeable future. Both DoD and civilian participants expressed the need for improved cyber security processes and governance policy, as well as skilled personnel and training services. While overall IT spending may have softened in recent years, the government’s demand for security services and tools should continue to be fairly robust.