Resiliency has taken on new meaning for government agencies as they accommodate new ways of working due to COVID-19 and as a result, grapple with an exponentially larger attack surface. MeriTalk sat down with former Navy CIO and DoD Deputy CIO, Robert Carey, now VP/GM of Global Public Sector Solutions at RSA Security, to talk about steps agencies can take to ensure they meet their missions in the short term, as well as in the longer term as we navigate toward the “new normal.”
MeriTalk: How do you define resiliency within the context of the Federal and state and local agencies?
Carey: Simply put, it’s the ability of the network to operate and support the mission of the Federal, state, or local agency before, during, and after an attack by a capable adversary. You have processes in place and technology in place to isolate, contain, or work around threats and continue operating. You have an understanding of how to prioritize your systems – which things really, really need to be up and running, and which may be able to be less resilient and probably don’t. And you have a means to maintain that capability until the threat is resolved.
Breaking it down further, resiliency begins with planning; support before an attack generally means executing a continuity of operations (COOP) plan. It includes people, process, technology, applications, and data. And it should be practiced. We’re living in unprecedented times right now, so we’re finding that agencies struggling with a completely dispersed workforce may be wishing they had planned and practiced their COOP strategies a little bit more.
During an attack, you need to have a network ecosystem that enables you to detect in near real time, contain or mitigate the threat by rerouting around hotspots or problems to continue operating, and monitor in order to make decisions in real time. Knowledge of mission-critical systems mapped to the network is essential here, as is the operational support relationship with cloud service providers.
After an attack, you’re going to try to resume normal operations. Normal operations are, for the Federal government, providing services to citizens in the way that they normally access them. It’s important to ask, “How well did we do? Is everything that we provide the citizen able to be provided in times of challenge?”
MeriTalk: Because of the surge in teleworkers due to COVID-19, agencies are balancing two timeframes: the immediate term and the long term – the “new normal.” What is the next step agencies should take in order to improve resiliency immediately? And on the flip side, what long-term priorities should agencies consider?
Carey: In order to improve resiliency, develop and deploy changes to the network architecture that support the dispersed workforce (COOP plan). The Department of Defense CIO produced this design just a few days ago. The next step is to make changes that prioritize what you’re spending money on. Typically, when 10, 15, or 20 percent of your workforce is teleworking, it’s business as usual for the network. When it’s more than 30 percent, it’s not business as usual. Now, nearly everyone is teleworking. So that’s the new design parameter…and could become the new normal cap.
What you put in your next budget will be influenced by the last six weeks to the next six to 10 weeks, or however long this lasts. For example, does everybody at a critical organization have laptops or tablets? Is mobility going to become a mantra for all Federal civil servants?
Because the potential for a complete dispersion of workers is now real, the planning for it to occur again, and the level of training needed to be able to work in this way, will have to be addressed. It’s not a one-and-done situation.
You have to also prepare yourself for a slowdown in decision-making. Decision-making in Government cannot stop, so it just needs another operational model on which to be conducted, a different form of the network supporting the mission. Things are not going to occur at the speed you want unless you apply laser-like focus and gather everyone’s attention. Generally, they’re not down the hall from you right now.
Calendars are full with phone calls and virtual meetings, but you want your dispersed telework decision-making model to be as close as possible to your normal decision-making model. You have to set up a mechanism (perhaps a routine online group session) whereby people bring forward the problems that are on their plate, so decisions can be made and people can go off and execute.
MeriTalk: Discussing resiliency at the RSA Conference back in February, CISA’s Chris Krebs said ransomware attacks against government targets have spiked over the past two years. Now that the remote workforce has grown – and as you’ve noted previously, the attack surface has exploded – how can agencies take action to protect their data from ransomware attacks?
Carey: Chris Krebs was spot on; this is about formalizing digital risk management across departments and agencies. It’s about measuring and knowing where your investments are, and providing a focus on data-centric security. If the bad guys can get your data, nothing else matters. Especially while we’re in the midst of transforming digital infrastructure, further dispersing our data and leveraging the cloud, CIOs and CISOs need to have a way to monitor, reroute, and block ransomware attacks that are aimed at gaining money for the attacker in the short term and holding data hostage in the long term. Cybersecurity as a whole must be elevated to ensure that mission assurance can be achieved.
Additionally, continuous cyber hygiene, and training, as boring as it may seem, does pay off. It is sort of like brushing your teeth. If you brush your teeth every day, visits to the dentist aren’t so bad. If you don’t, they’re not a lot of fun. Each member of the workforce is now a cyber warrior, like it or not. It gets back to our resiliency discussion and the importance of practicing your COOP plan.
MeriTalk: Let’s talk a little bit about the FITARA Scorecard. In the cyber category, which is largely based on FISMA, the average grade has improved from a D in May 2018 to a C in May 2019, but it remains the lowest-scoring category. How can an agency improve its detection, response, and recovery to improve its score? Should other factors be considered in the score?
Carey: I’m a huge fan of keeping track of capability, but I’ve found that both FISMA and FITARA are scorecards and have become counts rather than measures of effectiveness or measures of performance. So, they’re not necessarily reflective of (actual cyber defense) capability; it’s more of implied capability. There’s a lot of data that’s gathered, and there’s a lot of inferences made.
You can address the agency’s ability to detect, respond, and recover in words, but have you practiced it? Complex cyber attacks can do a great deal of damage, in minutes. If it takes hours or days to detect… Well, you get the point. Do you have hard measurements of how fast you can detect, contain, recover, and reconfigure your network and restore operations? What investments make a difference to those actual metrics? Do you have a fully functioning COOP plan? What’s the evidence that makes that an ‘A’ answer?
We’ve got to balance the risk management approach, what I refer to as “cyber admin,” with what I call “cyber actual.” Cyber admin is language that says what I’ve done – compliance. Cyber actual means if somebody were to try to break in, how hard would it actually be? Are the controls required sufficient? Does my cyber defense architecture make bad guys work hard?
That’s where a red team can bring some powerful learning, although it’s frequently shortchanged in budgets. You can know how good your network is if you turn your own team loose to attack. Does it take them forever to get in? Or do they use a tool they just built and get in within 15 minutes? These are the things we need to understand. What does that required defense cost???
My advice to agencies is to use the time now to put in your budget for the next fiscal year the ability to withstand and operate through, before, during, and after an attack from a capable adversary.
MeriTalk: What tools can help Federal, state, and local governments improve resiliency both now and in the long term?
Carey: As agencies are digitally transforming to a FedRAMP-approved cloud, they are expanding their firewalls. They’re responding to agility and demand signals to grow and reduce operating costs. They could also be opening security holes. The ability to manage who is on the network, the applications they are using, and the data they’re accessing is crucial. At RSA Security, we have four solutions that conquer the full spectrum of these challenges: SecurID, Fraud and Risk Intelligence Suite, Archer, and NetWitness.
You have to have robust identity and access management to access your network resources. RSA Security’s SecurID does that in hard tokens and soft tokens that provide multi-factor authentication to get into a network. Similarly, our Fraud and Risk Intelligence Suite provides organizations with a portfolio of sophisticated fraud detection and prevention capabilities designed to protect consumers from financial fraud threats across digital and physical channels.
Our visibility tool, Archer, enables agile software decision-making in the security operations center. It can span from an analyst measuring compliance with NIST SP 800-171 to an executive view of the network where someone can see what server has been impacted, take it offline, and enact their COOP plan.
Finally, RSA NetWitness is an enhanced SIEM platform that allows for both heavy duty real-time management of network traffic, as well as threat hunting through log and packet analysis. The combination of these tools enables better and more efficient network management and keeps the mission moving forward.
MeriTalk: It can be difficult to see the little wins these days. Have you heard or seen positive gains in security, protection, and resiliency that might help inspire readers?
Carey: Definitely – the government CIOs and the CISOs should be lauded for their vigilance and successful transformation from a “walls and halls” architecture to a nearly completely dispersed workforce architecture. The network is supporting the mission from an almost full-telework point of view. The attack surface is much larger, and we’re seeing some rise in the number of cyberattacks, but overall it works. That is not a simple feat. The new operating model will birth and the decision will be made to continue the process of Government.
This is an unprecedented time that has produced a very different network ecosystem. And yet, we’re up and providing services to our constituents; that’s the most important thing.