Numerous federal agencies rely on legacy systems that have security bolted on as an afterthought instead of security "being deeply embedded" in the systems. It is unsurprising that such older hardware, software, and operating systems are vulnerable to intrusions. But sometimes security problems have more to do with human vulnerabilities – stupid PEBKAC and ID10T errors committed by the person behind the keyboard – than legacy systems. If the same people who handle sensitive government information also keep falling for phishing scams, should they have their security clearance revoked? Indeed they should, according to DHS chief security officer Paul Beckman.
During the "Government CISO Priorities" track at the Billington Cybersecurity Summit held last week in Washington, Beckman explained that he sends fake phishing emails to DHS staff members to see if they will fall for them. NextGov reported that he is concerned about how often "even senior-level federal employees" who handle top-secret documents fall for the scams; Beckman is apparently so frustrated that he believes it's time to adopt "get-tough solutions."
"These are emails that look blatantly to be coming from outside of DHS," Beckman said. Yet "you'd be surprised" at how often senior managers and other high-ranking officials click on the link and enter their username and password. If it were an attacker and not a test, such carelessness could result in serious pwnage. Anyone who fails the phishing test is required to take online security training. But what if the same people keep falling for the phishing scams? "There's no punitive damage," Beckman stated. "There's really nothing to incentivize these people to be aware, to be diligent."
"Someone who fails every single phishing campaign in the world should not be holding a TS SCI with the federal government," he said, using the government acronym to describe a top-secret security clearance. "You have clearly demonstrated that you are not responsible enough to responsibly handle that information."
While it certainly makes sense to penalize irresponsible federal employees who continually show no cybersecurity wisdom, at what point would the line be drawn? His phishing emails are obvious, but the fallout from the massive OPM breach will include carefully crafted phishing attempts that are exceedingly hard to spot.
"You can bet your bottom dollar" that the OPM hackers are "coming up with insidious anti-phishing campaigns that look very tailored and very personal to these people," Beckman added. "Every bit of my personal information is in an attacker's hands right now. They could probably craft my email that even I would be susceptible to, because they know everything about me virtually."
Automated cybersecurity maintenance to make it too costly for hackers to 'play'
Plenty of other feds pinged in with their ideas and opinions at the Billington Cybersecurity Summit.
Right now, the cost of cleaning up after cyberattacks falls on the victims, but DoD CIO Terry Halvorsen wants to make it more expensive for hackers to "play." He said, "We are on the wrong side of the cyber economic curve. We need to raise barriers to attackers' entry, making it more expensive to play."
"Today a threat actor can send a fairly modest amount of money, not just on [attacking] DoD but on any sophisticated enterprise, and cause that enterprise to have to spend quite a bit more money — by orders of magnitude — cleaning up and fixing the problem," he added.
At the summit, Halvorsen suggested that one way to get on the right side of the cyber economic curve is to automate some basic cybersecurity maintenance actions and responses; automation would eliminate "basic" attackers, reduce attackers' benefits and "make it more expensive for hackers to play."
Speaking of automated cybersecurity…
Pentagon developing cyber scorecard
According to "cybersecurity's human factor, lessons from the Pentagon," company CEOs often take cybersecurity "cues" from how the military deals with cyberattacks. The U.S. military can "detect and remedy intrusions within hours, if not minutes. From September 2014 to June 2015 alone, it repelled more than 30 million known malicious attacks at the boundaries of its networks. Of the small number that did get through, fewer than 0.1% compromised systems in any way."
Yet the Department of Defense is not even close to being completely secure, so it is developing a new framework that will identify security flaws; eventually it will automatically detect and respond to cyber threats.
Air Force Lieutenant General Kevin McLaughlin, deputy commander of U.S. Cyber Command, "directs the forces and daily activities of USCC and coordinates the DoD computer network attack and computer network defense missions." During his keynote speech at the Billington Cybersecurity Summit, McLaughlin discussed an automated cyber "scorecard" that is being developed by the Pentagon. The goal of the "scorecard" is to help defense officials "instantaneously detect and respond to cyberattacks."
The need for a "massive, electronic system" capable of identifying vulnerabilities in military networks and installations became obvious after a highly critical report was released earlier this year by Michael Gilmore, the Pentagon's chief weapons tester. Through testing, he found that almost every U.S. weapons program was vulnerable to cyberattacks. The weapon systems showed "significant vulnerabilities" such as "misconfigured, unpatched and outdated software" and Pentagon policy violations.
McLaughlin said, "There's probably not enough money in the world to fix all those things, but the question is what's most important, where should we put our resources as we eat the elephant one bite at a time."