At a House Homeland Security Committee hearing on Wednesday, July 25, to examine findings of the Federal Cybersecurity Risk Determination Report and Action Plan released by the Office of Management and Budget (OMB) in May, lawmakers and private sector witnesses hailed new legislation as a necessary – but on its own insufficient – step to bring down the security risks of three-quarters of Federal agencies deemed in cyber danger.
As a bill to codify the Continuous Diagnostics and Mitigation (CDM) Program makes its way through the House, participants at Wednesday’s hearing said the measure will help to curb systemic cyber risks at Federal agencies but offered remarks suggesting Federal cyber capabilities need to expand beyond CDM, as does the level of accountability on agency leaders.
OMB’s Risk Report, which was produced in conjunction with the Department of Homeland Security, found that 71 of 96 Federal agencies are missing either “fundamental cybersecurity policies” or have “significant gaps” in their cyber programs, and Wednesday’s hearing largely focused on potential means to address those gaps.
Rep. John Ratcliffe, R-Texas, chairman of the cybersecurity and infrastructure protection subcommittee, introduced the CDM legislation on July 18, and on Wednesday said it would ensure that the program adds visibility to the many networks deemed lagging in the Risk Report.
CDM provides network monitoring tools to agencies that could help spot the sort of security shortcomings the report highlighted, and Ratcliffe’s bill would make sure those tools remain current as technology advances.
Ratcliffe said his bill “will require the program to evolve, thereby ensuring that agency CIOs and DHS have the visibility necessary not only to combat threats but also to target modernization resources and efforts where they are most needed.”
But simply shepherding the CDM program along through legislation might be insufficient, according to Ken Durbin, senior strategist of global government affairs at Symantec.
“To avoid detection, attackers are employing what we call ‘living off the land,’ using operating system features or legitimate network administration tools to compromise victims’ networks,” he said. “Using good programs to do bad things is difficult to detect because it is disguised as normal operations.”
He said that the “CDM program needs to be accelerated” and provided an example of possible expansion as well.
“The government’s focus needs to be expanded to include prevention, specifically data loss prevention, or DLP. DLP can discover and categorize sensitive data and can enforce policies about what can be done with that data,” he said. “I recommend that DHS advance the data protection phase of CDM, which would have the added benefit of protecting the high-value assets identified by agencies.”
The Risk Report’s first major recommendation said Federal agencies need to increase their cyber threat awareness, something that CDM helps provide, but also something Ratcliffe said “seems like a ‘too obvious’ of a recommendation.”
Durbin said that the same recommendation indicated “38 percent of Federal cyber incidents did not have an identified attack vector and recommends implementing the Cyber Threat Framework to help categorize cybersecurity risks.”
Durbin was quick to point out how simply categorizing those incidents would not necessarily do much in the way of stopping them in the first place. He said OMB needs to prioritize automated detection and remediation tools to actually root out the problems.
Authority and Accountability
Ari Schwartz, who previously served on the White House’s National Security Council as a special assistant to President Obama and senior director on cybersecurity, testified on agency culture and how it can be reshaped and reprioritized for better security outcomes.
He gave an anecdote of a prior conversation with a Deputy CIO and security expert, who had told him there was no incentive to performing well on cyber evaluations.
“We’re better off failing. We can get resources if we fail,” he recalled the former official saying. “If we use the resources that we’re given, the best we’re going do is a D or D-, so what good is it for us to play to the tests?”
Schwartz also described a diverging viewpoint with the Risk Report that played into provisions in Ratcliffe’s CDM bill.
“OMB suggested in their report that came out in May that the goal should be to empower the CIO,” he said. “This has been done for years and years and has not succeeded. Instead we should do exactly what Mr. Chairman [Ratcliffe], you suggested in your opening statement, which is to make sure we hold the leadership accountable.”
Ratcliffe’s bill charges the DHS Secretary with drafting a plan to ensure CDM’s success, not the CIO or any other IT personnel. Schwartz suggested top leadership needs to be further engaged, and even reprimanded if they don’t actively work toward mitigating cyber risks.
But he did also advocate a shift for IT personnel. Schwartz said CIOs “have many, many jobs to do, and security is only a small part of what they do.” With that in mind, he called for a change that would see chief information security officers reporting directly to agency leadership. Doing so would allow them to influence policy and provide an unbroken line of communication from the Secretary and Deputy Secretaries to those on the front lines of cyber defense.