Experts Offer Fed Infosec Governance Plan
Strengthening Government IT Security without New Laws
The line between national security and civil systems is a blurry one, says Franklin Reeder, a former OMB executive, who co-authored a recently issued report identifying ways to cross the line to defend both.
The white paper, issued through the Center for Strategic and International Studies, recommends that the White House Office of Management and Budget update nearly 12-year-old guidance, OMB Circular A-130. One of the topics in the paper is identifying ways to cross the anachronistic bright line established between national security and non-national security systems.
"The line between national security and civil systems is blurry at best," says Reeder in an interview with Information Security Media Group [transcript below]. "It's not obvious to us that a would-be adversary is any less attracted to shall we say our water, power and banking systems than to our weapon systems."
"Exactly what in this day and age really is a system, the destruction or tampering with which would threaten our national security, is a fuzzy answer," he explains.
Reeder says that the recommendations outlined in the white paper aren't intended to do violence to the provisions set forth in the Computer Security Act or the Federal Information Security Management Act. Rather, their aim is to "encourage and perhaps even institutionalize mechanisms that promote cooperation and use of the technical capacity of the defense and intelligence communities to protect what are notionally civil systems," he says.
"We understand the civil libertarian, civil rights concern with respect to matters like surveillance of domestic communications, but we think that those can be observed and those can be taken into account without creating a wall."
The white paper also details steps to require automated continuous monitoring, measurement and mitigation technologies to monitor the behavior of government networks, as well as recognizing the growing importance of the role of the Department of Homeland Security and assigning it responsibility for establishing the priority of security controls to guide agency implementation.
A cofounder of the Center for Internet Security, which operates the Multi-State Information Sharing and Analysis Center, Reeder coauthored the report with Dan Chenok, chairman of the federal government's Information Security and Privacy Advisory Board; Karen Evans, national director of the U.S. Cyber Challenge; James Lewis, senior fellow and director of the CSIS Technology and Public Policy Program; and Alan Paller, founder of the SANS Institute, an IT security training organization.
ERIC CHABROW: The report is the latest of a series of occasional papers from the Center for Strategic and International Studies that followed up on the landmark work of the Commission on Cybersecurity for the 44th Presidency, which the CSIS sponsored. The paper focuses on actions that the federal government can take without legislation and discusses three major steps that government can take to improve cybersecurity: requiring continuous monitoring, recognizing the growing importance of the Department of Homeland Security and identifying ways to cross over what you describe as the anachronistic bright line established between national security and non-national security systems. First off, aren't these things the federal government is already doing?
FRANKLIN REEDER: To a large extent, they are. I guess this reflects the fact that we're as much trying to give impetus to efforts already underway as claiming, as Columbus might have, to have discovered a new land.
CHABROW: We'll go into each of these areas in a moment. This shouldn't be confused with the statement that I read at the beginning from you to deal with this big controversy going on in Congress now about whether to regulate critical infrastructure, which is 85 percent owned by the private sector. This is really geared to what's going on in the federal government.
REEDER: Yeah. In fact, the same legislation that the Congress has been grappling with ... includes some FISMA reforms that would have given impetus to what we're suggesting here. We think those can be implemented without legislation. This isn't to suggest that legislation is not needed with respect to private-sector technology infrastructure, but there are things the administration of the executive branch can do without new authority, using authority it already has under FISMA to implement many of those reforms.
CHABROW: What would this authority be? It deals with the Office of Management and Budget?
REEDER: It's principally an authority that's under the Office of Management and Budget, both under its general organic statute dealing with the management of government and specifically the Federal Information Security Management Act of 2002, affectionately or sometimes not so affectionately known as FISMA.
CHABROW: Of the three areas that you outline in this paper, one deals with continuous monitoring, which is something that we hear a lot about. And I think as the paper points out, continuous monitoring doesn't mean constant monitoring. Can you back up a bit and tell us what exactly is continuous monitoring?
REEDER: Continuous monitoring, perhaps in contrast to regimes that preceded it, would replace or supplement to a large extent the periodic reviews, certifications and accreditations of systems that are done on a usually triennial basis, unless, in the words of the guidance, there's a major change to the system. What continuous monitoring would consist of is not a bunch of people sitting at a screen, admiring what is going on, but rather the use of automated tools that are now proven.
This is not a new idea. They have been in use for six or seven years to continuously monitor the security status, the configuration settings of the system, traffic coming into and out of the system, and then flagging potential anomalies because with continuous monitoring we don't mean simply admiring the problem, but rather, as the report says, monitoring, detection and then mitigation steps to prevent attacks or to reduce the effect of an attack.
The notion here is that rather than had been the case in the past, agencies simply engaging someone to do a review from time to time, there are tools now available and OMB has been encouraging their use. Again, this is not something that we suddenly discovered and are calling to their attention. In the process - and this is the other piece of it that I think becomes terribly important - share that information so that the Department of Homeland Security and others who maintain information-sharing capabilities can identify patterns and trends and alert others to potential threats. All of this is intended to make us as agile as the people who are trying to undo us, something that I think, among other things, is the subject of a recent, rather important, speech by the Secretary of Defense.
CHABROW: Related to this, and another fascinating point I think that this white paper makes, is the idea of securing the information and not necessarily the systems.
REEDER: As you noted, the report contains what we characterize as three major recommendations, but there are three others. One goes to changing subtly without doing violence to the statute the definition of "the unit that is to be managed or secured." The best analogy I can draw to this is - and I want to be careful about this - the way the Defense Department looks at security. It looks at the sensitivity of information and the characteristics of that information and the measures necessary to protect it.
Clearly this is a technology dimension, to use the simple non-IT example. The Defense Department looks at secure spaces but we think that moving to an information-based, rather than hardware configuration-based, approach to developing security makes a whole lot more sense.
CHABROW: Would that take a lot of work, a whole mindset of people and how they operate now?
REEDER: I think the latter and not the former, and changing mindsets obviously is not an easy thing to do. But certainly it does involve a mindset change.
Growing Importance of DHS
CHABROW: Another area you talk about is recognizing the growing importance of the role of the Department of Homeland Security. Again, this is something that the Obama Administration is promoting. As you mentioned, it appears in the Cybersecurity Act of 2012, the stalled legislation before the Senate. Why is it important to have DHS in this kind of a role?
REEDER: As you note, OMB has already done this. There was a 2010 memorandum that redefined DHS responsibilities, but we think it would be strengthened by memorializing that in statute. In the report we identify four or five tasks that we think ought to be assigned to the Department of Homeland Security. We recognize that in its early and formative years, for reasons that are understandable, DHS didn't inspire a great deal of confidence. There were folks who were still skeptical about its capacity. We're convinced that in recent years they've beefed up that capability. There was the fact that - and I know the institution, I worked there for a long time and loved it - that OMB on a day-to-day basis can lead. It simply doesn't have the resources or the attention span.
CHABROW: OMB would still have the responsibility of approving the budgets, or at least reviewing the budgets, right? That wouldn't change.
REEDER: And overall policy responsibility, as it's assigned under FISMA. We wouldn't envision that changing.
National, Non-National Security Systems
CHABROW: The other area you talk about is identifying ways to cross over the anachronistic bright line established between national security and non-national security systems to deal with the reality of the world we live in today. What are these differences? I think this is something the administration started moving on, correct?
REEDER: Yes, absolutely. [Here's] a bit of history for those of your listeners who are perhaps a little bit younger than I am. The 1987 act grew in part out of a rather strong reaction to an initiative in the White House led by the president's national security advisor to make all cybersecurity a responsibility of the National Security Establishment. There was a concern and I think it continues to be a legitimate concern that national security and intelligence communities whose responsibility sometimes involves surveillance and intrusion probably ought not to be solely responsible for protecting civil systems.
They created in the '87 Act - in fact what gave it wheels if you will in the Congress - was a concern about the White House National Security Decision Directive 145. For those of you who want to look it up, it split the responsibility so that OMB was responsible for civilian, or non-defense, non-national security, systems, and the Secretary of Defense and the then Director of Central Intelligence, since there wasn't a DNI, were responsible for national security and intelligence systems.
There are two realities that the split sort of flies in the face of. The first is that the line between national security and civil systems is blurry at best. It's not obvious to us that a would-be adversary is any less attracted to shall we say our water, power and banking systems than to our weapon systems. Exactly what in this day and age really is a system, the destruction or tampering with which would threaten our national security, is a fuzzy question. Or the answer to that is fuzzy at best.
The second is that the real competence, particularly the technical competence, in cybersecurity resides in the national security and intelligence sectors. The National Security Agency is a real center of excellence. As a practical reality, over the now 25 years since the enactment of the Computer Security Act there has been good cooperation between the technical staff at NIST and now DHS and NSA, and in fact there's now a joint taskforce.
The recommendation is really intended without doing violence to the provisions of the Computer Security Act, and now FISMA, to encourage and perhaps even institutionalize mechanisms that promote cooperation and use of the technical capacity of the defense and intelligence communities to protect what are notionally civil systems. We understand the civil libertarian, civil rights concern with respect to matters like surveillance of domestic communications, but we think that those can be observed and those can be taken into account without creating a wall.
CHABROW: Finally, what's the cost of all this or the savings that could come out of this? Announcing this, you quoted former NSA senior official Tony Sager, saying, "The federal government is spending substantial sums on security measures that are either marginally effective, or unmeasured in their effectiveness." Where are the savings coming from?
REEDER: My colleague and co-author on this report, Alan Paller, I think coined the term. Maybe it wasn't his originally but he uses it a lot: "security by trigger and binder." We think that agencies are spending a lot of money. In fact, some are estimated in the tens of billions, if not more, doing periodic reviews that, as Tony said, have very little effect on security. We think that would more than cover the cost of implementing the kinds of security automations that universal adoption of continuous monitoring, detection and mitigation would require. I hate to say this as an ex-OMB guy. We have not run the numbers but we don't know of any agency that has needed more money to do continuous monitoring. Our poster child for this is the pioneering work done at State and now the work we've done at CMS and NASA.