The Federal government is working on improving its inter-agency information sharing process during cyber threats, but Greg Touhill, former Federal CISO, said that information sharing is useless if recipients of the information don’t act on it.
“You can share all day long but if people aren’t listening and they aren’t acting on it, bad things are going to happen,” Touhill, president of Cyxtera Federal Group, said at the AFCEA Homeland Security Conference on Sept. 12.
Touhill acknowledged that the Federal government has improved its information sharing process since the Office of Personnel Management breach in 2015, but he said that improvements could still be made.
“I think we stink, but we don’t stink as bad as we have in the past,” Touhill said.
Charles Garzoni, incident response coordinator for the FBI Cyber Division, experienced his first major government “wake-up call” during the OPM breach, and his first FBI “wake-up call” during the hack on Sony in 2014. The cyber issues during the Sony breach bled over into the physical problems that the FBI was facing. One problem was that Sony employees were getting threats to their children’s schools. The FBI had to share this information with the Cyber Division to keep all of the relevant parties informed.
“I don’t think we or other people were prepared for that,” Garzoni said. “Our resources on the unclassified side were almost nonexistent before this. We had email. That’s about it.”
In order to provide more information sharing pathways for unclassified information, the FBI began to look into messaging applications like Slack and Microsoft products.
“Don’t try to reinvent the tools that are already available in the private sector that are 10 times better than what the government can make,” Garzoni said.
Touhill said that the “overclassification” of government information causes the government to react to a problem rather than lead the solution.
“In about seven days it’s going to be out on the Internet anyways,” Touhill said. “We can’t overclassify. Otherwise we have the cones of silence and nothing gets done.”
Sam Liles, acting director of the Department of Homeland Security’s Intelligence and Analysis Cyber Division, said that the May Cyber Executive Order recognizes the problem of classifying too much information. The executive order said that it doesn’t help for all of the agency employees to have top secret clearances if the network hasn’t been patched for vulnerabilities. Liles also said that agencies should learn to transition information back and forth between the classified and unclassified areas of the cloud to ensure the rapid movement of information during a cyberattack.
“I kind of like where we’re going with the EO that came out in May but we’ve got to follow through,” Touhill said.
He said that one of the biggest challenges is modernizing the 1980s-era technology that many agencies still rely on. By staying with the old technology, agencies waste money continuing to maintain the systems.
Touhill is also concerned that the next type of cyberattack will be on the integrity of information. Bad actors will change the data in companies’ or agencies’ systems and demand more money to change it back to accurate information. Touhill said the government should prepare for this type of attack.
“We’ve got plenty of money budgeted in the budget but we’re not spending it well,” Touhill said. “I don’t want to spend $10 protecting two cents’ worth of information.”