The cyber capabilities of adversaries continue to grow and industry is concerned that the government doesn’t have the proper tools and technology be safe in cyberspace.
Several industry experts interviewed by Fifth Domain at Black Hat USA, a cybersecurity conference held in Las Vegas, Nevada, from Aug. 3-8, expressed concern that government agencies don’t know what’s on their networks.
“One of the needs on a large scale is to really understand the elements of the stack that are needed in order to perform full-scale cyber defense,” Abdul Rahman, chief scientist at Fidelis Cybersecurity, told Fifth Domain Aug. 5.
The government, he said, needs more network visibility. Just last week, a report from the Office of Management and Budget revealed that federal civilian agencies had 31,000 “cyber incidents” during the last fiscal year. And that report also revealed that the government wasn’t able to identify how it was attacked in nearly 27 percent of incidents.
“Their sensors don’t give them good enough visibility … into where the problems are in their network," Rahman said. “You don’t know what you don’t know because you don’t know your terrain.”
Rahman also warned of “vendor bloat,” meaning an agency has so many different vendor products in the environment that employees lose track of where important tools like sensors sit on their network because it may not be “properly documented” amidst staff changes or contractor projects.
Chris Kennedy, chief information security officer at AttackIQ and former Treasury and Marines cyber official, told Fifth Domain Aug. 7 that even if the government had better visibility, they still may not know if all their technology on the network was configured correctly.
“Within all that investment, do they have a way to actually know if the configuration is good?” said Kennedy, suggesting government invest in continuous security evaluation.
Another problem hurting the government is poor communication within security teams, Rahman said. He said the structure of agency cyber teams need to change.
“The network teams that manage the infrastructure … are not accountable or interact with the information security [or] cybersecurity teams,” Rahman said. “Cybersecurity teams control the rules and the policies, but the hardware and the physical devices — and some of the policies — are controlled by the network teams.”
There aren’t any incentives for the network teams to tell the cyber team when they’ve placed a new component on a network that bypasses technology put on the network by the cybersecurity team, Rahman said.
“So now, no one’s really watching the traffic; it may seem the same, but the quality and the content of it is different,” Rahman said.
Other industry leaders told Fifth Domain that the government needs better vulnerability disclosure programs, which would allow hackers to alert the government to vulnerabilities within their system.
“They should mandate vulnerability disclosure programs for every federal agency, for every publicly listed company, and every company that holds consumer information,” Marten Mickos, CEO of a white hat hacking company HackerOne, said Aug. 8.
There has been at least some progress in the how the government views hackers. The Department of Defense and some of the military services are hiring ethical hackers to find vulnerabilities.
“Implementation of a vulnerability disclosure policy across the entire federal government literally as a starting point for the conversation around the fact that they are serving the public,” said Casey Ellis, founder and CTO of Bugcrowd, another white hat hacking company, speaking to Fifth Domain Aug. 5. “The public is connected to the internet and if they see something, they should be able to say something,”
Similarly, Tom Kellermann, chief cybersecurity officer at endpoint security company Carbon Blac, told Fifth Domain Aug. 6 that the federal government needs to do quarterly threat hunts.
“They need to invest in hunt teams that have the authority to mandate remediation across attack paths that have been deemed viable,” said Kellermann.
Kennedy said that the government needs to go beyond just cyber hunt teams.
“That’s not good enough,” Kennedy said. “The government needs to invest in better ways of evaluating [if] their cybersecurity strategy is effective. That means that they need to connect real adversarial emulation as a way to drive ‘is the effectiveness of my program working?’”
The government has taken some good steps in the right direction over the past few years, said Dave Weinstein, chief security officer at Claroty, an operational technology security company. Weinstein cheered some measures that the government has taken around data security, like installing a federal chief information security officer, a position created in 2016 under the Obama administration. However, he did have one suggestion:
“The first thing they need to do is to start to gain visibility into what operational technology assets they have and then go from there. It’s kind of that whole other side of the house that is invisible to the agencies, so they need to wrap their heads around it."
Rahman compared the current government cybersecurity posture to a medical examination that dances around the real pain point.
“I’m going to take an X-ray of everything above your torso but I’m not going to do it in your midsection and I’m going to do it below your knees. Well, hey, I’m feeling a lot of pain in certain areas,” Rahman said. “It’s just like not being able to have visibility into areas that are important. You have to be able to see everything in order to say something about it.”