“The importance of having that one person, that singular belly button in the executive branch who’s coordinating efforts across government so that you don’t have to create an ad hoc task force, [so] you’re not scrambling to find who are the right people we need in the room after the crisis has already occurred,” said Co-Chairman Rep. Mike Gallagher, R-Wis.
“A co-chairman of the Cyberspace Solarium Commission said April 22 that the fiscal 2021 defense policy bill could include about 30 percent of the group’s cyber policy recommendations.
Rep. Mike Gallagher, R-Wis., who co-chairs the Cyberspace Solarium Commission, which released a report with more than 75 cyber policy recommendations March 11, said on a webinar hosted by Palo Alto Networks that commission staff is working with the appropriate congressional committees and subcommittees to put about 30 percent of its recommendations into this year’s National Defense Authorization Act.
The report proposed a three-pronged strategy for securing cyberspace, called layered deterrence: shape behavior, deny benefit and impose cost.
The report also builds on U.S. Cyber Command’s “defend forward” policy, which allows the military to take a more aggressive approach in cyberspace, and suggests broadening the policy to encompass the entire federal government.
Gallagher didn’t specifically identify recommendations he thinks will be included in the NDAA, but given that the bill focuses on authorizing Defense Department programs, Pentagon-specific recommendations are the likeliest to be in the legislative text.
The recommendations for the department focus on ensuring that the Cyber Mission Force is adequately equipped; establishing vulnerability assessments for weapons and nuclear control systems; sharing threat intelligence; and threat hunting of the networks of the defense-industrial base.
The spread of the new coronavirus, COVID-19, disrupted the commission report’s rollout, which included congressional hearings on the commission’s recommendations. Those hearings have been canceled. But the pandemic also highlights the need to implement recommendations made in the report, Gallagher said, specifically the establishment of a national cyber director in the White House.
“The importance of having that one person, that singular belly button in the executive branch who’s coordinating efforts across government so that you don’t have to create an ad hoc task force, [so] you’re not scrambling to find who are the right people we need in the room after the crisis has already occurred,” Gallagher said.
Before the spread of the coronavirus, congressional committees had planned to host hearings on the commission report, but those were canceled after the coronavirus spread throughout the United States. Congress is currently wrestling with how to remotely conduct voting and committee business, as the pandemic is restricting gatherings of large groups of people.
“Even though coronavirus has complicated some of … our commission rollout, we’re continuing the legislative process right now, and I’m pretty optimistic about our ability to shape this year’s NDAA,” Gallagher said.
As for the other recommendations, Gallagher said they aren’t germane to the NDAA and will take “some time.”
“Forthcoming cybersecurity controls are designed to help DoD and small business work together to protect sensitive data and help industry comply in a fairer way depending on the types of systems they’re asked to defend.”
“Small businesses are increasingly being targeted digitally by nation states, according to Department of Defense officials, who say more must be done specifically to evaluate and reinforce the security of contractors battling cyberattacks.
“We’re losing,” said Katie Arrington, special assistant to the assistant secretary of defense for acquisition for cyber within the office of the undersecretary of defense for acquisition and sustainment, speaking Oct. 7 at an AFCEA-hosted event.
Arrington explained that adversaries cost the country $600 billion a year and that, with 5G on the horizon, that amount must be multiplied by “umpteenth” in 2025, given the near-unlimited bandwidth the technology promises for cyber campaigns. As a result, Arrington said, the forthcoming cybersecurity maturity model certification (CMMC) was designed specifically for small businesses.
The CMMC is a framework that grades company cybersecurity on a scale of one (least secure) to five (most stringent). What small businesses will be asked to do is comply with a tiered rating system depending on the systems they’ll be working on.
What this means is that if a company is providing janitorial services, it may only need to comply with level 1 of CMMC, as opposed to level 3, which is equivalent to NIST 800-171 regulations, or level 4, which is reserved for exquisite systems.
In the past, there was a two-tiered system for small businesses to be compliant, Arrington described. A company could be compliant with 80 controls under NIST 171 and have a Plan of Actions & Milestones (POA&Ms) to do the other 30, while another company could be doing all the 110 controls and both are technically acceptable.
“That isn’t right, because our adversaries aren’t taking a cup of coffee and saying, ‘I’m going to come back to you when your POA&M is done,’” said Arrington. “They’re walking through those POA&Ms like they’re Swiss cheese.”
As a result, Arrington made the case that the CMMC is really about leveling this playing field and protecting sensitive systems that require additional cybersecurity controls.
Some have noted that these new requirements, while meant to protect the defense industrial base against loss from external forces, could hit smaller companies harder within the market.
“This would have severe unintended consequences on small businesses that do not have the resources and sophistication to obtain a high CMMC level, producing market entry barriers and limiting competition,” the Professional Services Council said in a Sept. 25 letter to DoD following the September draft release of the CMMC.
“Until we see the whole scope of who it’s going to apply to and why it’s going to apply to them, it could impact a lot of small companies,” Alexander Major, a partner and co-lead for government contracts at McCarter & English LLP, told FCW following the same draft release.
Major’s co-lead, Franklin Turner, also told FCW that Arrington’s assertion that the CMMC would cost only a few thousand dollars is “utterly foolish,” adding it would “likely be an impediment” for small companies.
However, as Arrington and others have pointed out, top nation states are targeting these smaller companies, necessitating the initiative. Trying to sympathize with the audience, Arrington touted her background contracting with utilities, water and weather services where she herself was guilty of poor cybersecurity practices as a program manager.
“I knew where the weather was, the water was and the electric was. It was all on my laptop,” she said.
She did much of her work at coffee shops because, “I needed to network and I needed to communicate with my peers to drive new business and I needed to be seen, because as a small business you have a lot of people who telework from home.”
But even using a VPN to tunnel into work accounts has the potential to be exploited, Arrington acknowledged. “I was taking everything around me in the pipe.”
Recent events have put a spotlight on the fact that data doesn’t have to be classified to be sensitive. Several Navy breaches — largely attributed to China — targeted contractors that were determined to have information that wasn’t itself classified, but in aggregate disclosed sensitive capabilities. It is the increase in campaigns to exploit a higher percentage of lower-level vulnerabilities that the CMMC framework addresses.
“Our adversaries are not trying to get at us at the … top of the nuclear triad,” said Arrington. “You don’t have the aperture to defend yourself against a nation state and we don’t want you to. I need to be able to help you protect us because when 80 percent of my data lives on your network, it’s no longer a you or a me — it’s a we thing. This is a we problem.
“I need to know exactly what I’m asking you to protect and at what level. Right now, you’re all just doing a bunch of different disparate things, but there’s not a level set. [Cybersecurity] controls do not equal requirement,” Arrington continued.
It is expected that in fall 2020 CMMC requirements will be included in requests for proposals and will be a go/no go decision.”
“Over and over cybersecurity officials in the civilian government, the intelligence community and the Department of Defense say the same platitude: information sharing is important. Often, however, little insight, or metrics, back up exactly how well they are doing it.
The report, titled “Unclassified Joint Report on the Implementation of the Cybersecurity Information Sharing Act of 2015” and released Dec. 19, found that cybersecurity threat information sharing has improved throughout government over the last two years, though some barriers remain, like information classification levels.
Information sharing throughout government has improved in part because of a security capability launched by the Office of the Director of National Intelligence’s Intelligence Community Security Coordination Center (IC SCC) that allowed the ODNI to expand cybersecurity information sharing all the way up to the top-secret level. The capability, called the Intelligence Community Analysis and Signature Tool (ICOAST), shares both indicators of compromise and malware signatures that identify the presence of malicious code. According to the report, the information from the platform is available to “thousands” of users across the IC, DoD and civilian government.
Information sharing within the IC has also improved due to the creation of several websites within its top-secret networks that contain threat indicators and several different types of summary reports on cyber activity and vulnerabilities.
Technological change is molding the future of information sharing within the government. With the rise of cloud computing at various classification levels throughout the government, the IC SCC told IGs that it plans to expand the ICOAST threat intel capability to work in secret and unclassified clouds. That is in the “planning and development” stages, according to the report.
“At the secret and unclassified levels, the ICOAST instances will interface with multiple DoD components and other federal entities that have the responsibility for distributing cyberthreat information to federal, state and local entities and the private sector,” the IGs wrote.
According to the report, an IC SCC official told the IGs that they wanted to deploy ICOAST in those environments by the end of calendar year 2019. A spokesperson for the ODNI didn’t immediately respond to a question about the availability of ICOAST.
The IC SCC is also working with the Department of Homeland Security’s cybersecurity arm, the Cybersecurity and Infrastructure Security Agency, to improve the information within CISA’s threat intelligence platform, Automated Indicator Sharing (AIS), for integration with ICOAST.
Barriers to sharing
Though the government has made marked improvements in its info sharing, the IGs noted several ongoing challenges to better information sharing.
CISA’s AIS solution, a system through which the federal government and the private sector can share threat intelligence in near-real time, has its own participation challenges. In December 2018, the IGs found, there were 252 federal and non-federal organizations signed up for AIS. But in June 2019, only four agencies and six non-federal entities were using the platform for information sharing. DHS told auditors that the lack of participation hindered improvement.
“DHS reported that the limited number of participants who input cyberthreat information to AIS is the main barrier for DHS to improve the quality of the indicators with more actionable information to mitigate potential cyberthreats,” the IGs wrote.
The most common complaint was that AIS threat information lacked proper context to be actionable, a complaint similar to that heard from state governments receiving threat intelligence from DHS and the FBI during the 2016 election. Therefore, cybersecurity officials at several agencies couldn’t “determine why the indicator was an issue.”
“As a result, the entities did not know what actions to take based on the information received from AIS without performing additional research,” the IGs wrote.
CISA officials told the IGs that they were working on improving the quality of information with AIS.
Meanwhile, agencies also noted that the classification levels of certain threat intelligence prevented widespread info sharing. Aside from officials lacking proper clearance being prevented from viewing certain information, auditors also noted that classified threat information couldn’t be uploaded into the sharing platforms that aren’t cleared for storing that information, further hampering sharing efforts. Some agencies have worked with the owners to downgrade the classification level, according to the report.
“Sharing cyberthreat indicators and defensive measures increases the amount of information available for defending systems and networks against cyberattacks,” the IGs wrote.”
“The Department of Homeland Security and the General Services Administration want to know what it would take to develop a cloud-based centralized vulnerability disclosure platform for the federal government.
In a request for information released late December, the agencies asked industry for feedback on how to set up a system that could serve as a primary point of entry for security researchers warning about bugs in their internet-accessible systems.
While the platform would be managed by the Cybersecurity and Infrastructure Security Agency at DHS, agencies might have to kick in some of their own funding and participation would be voluntary. CISA is looking at a centralized software-as-a-service platform that can track incoming submissions, validate each report for legitimate bugs while filtering out errant ones, enable web-based communication between the reporter and agency during remediation efforts and allow agencies to create separate role-based accounts for their main organization and component agencies.
While federal civilian and military systems are often riddled with bugs, the document points out that the system could be beneficial to many agencies that will likely be starting vulnerability disclosure management from scratch.
“Most federal agencies currently lack a formal mechanism to receive information from third parties about potential security vulnerabilities on their systems,” the RFI notes. “Many agencies have no defined strategy for handling reports about such issues shared by outside parties. Only a few agencies have clearly stated that those who disclose vulnerabilities in good faith are authorized.”
The platform would also track a number of metrics around each agency’s disclosure program, such as the number of reports submitted, number of valid vulnerabilities identified and the median time needed to respond, validate and mitigate issues. Automatic alerts would be sent out to all parties as different stakeholders complete their tasks, and the web application would allow CISA to intervene in instances where the affected agency is unknown or unresponsive to a pending bug.
The RFI overlaps with a request from CISA for feedback from security researchers on a draft Binding Operational Directive that would compel civilian agencies to set up their own vulnerability disclosure programs.
Some security researchers have expressed concerns around legal protections and how easy it would be to contact and communicate with affected agencies. Over the years internal audits by the Government Accountability Office and agency inspectors general have found hundreds of security vulnerabilities and spotty patch management practices for U.S. weapons systems, airport screening systems, the electrical grid, unclassified nuclear systems and a host of other critical IT systems managed by the federal government.”
“The Department of Homeland Security’s cybersecurity division is trying something new. Instead of simply ordering civilian agencies to take a specific action to shore up their cybersecurity, it is asking the public to weigh in on the order first.”
“DHS’ Cybersecurity and Infrastructure Security Agency issued a draft Binding Operational Directive (BOD) that compels civilian agencies to establish programs to work with outside security researchers to find and fix software flaws in agency websites and applications.
The appeal for public input is in the collaborative spirit of vulnerability disclosure policies (VDP), which crowdsource an organization’s security by asking ethical hackers to improve it. VDPs are common in the private sector, but much too rare in government for DHS’s taste. When CyberScoop first reported last month that CISA had prepared the directive, officials estimated that, out of scores of civilian agencies, just 10 had VDPs in place.
“[I]t’s the public that will provide those reports and will be the true beneficiaries of vulnerability remediation,” Jeanette Manfra, CISA’s assistant director for cybersecurity, wrote in a blog post explaining the unusual decision to seek feedback on a DHS cybersecurity order.
Outside experts on VDPs have a month to offer their feedback.
The draft order tasks agencies with setting up VDPs within six months of the order being released. It adds a sense of urgency to the issue by requiring agencies to add one new system or service to the scope of their VDPs every 90 days. The draft BOD also “draws a line in the sand” for agencies to embrace VDPs, as Manfra put it, in that agency systems that come online after the directive must be included in the disclosure program.
“In seeking public comment, we’re also nodding to the fact that, to our knowledge, a requirement for individual enterprises to maintain a vulnerability disclosure policy has never been done before, and certainly not on this scale,” Manfra, who is leaving CISA by the end of the year, wrote in her blog post.
The big changes in how agencies deal with software vulnerabilities will be coordinated through the Office of Management and Budget, which has issued its own guidance to agencies as they prepare to establish VDPs.
“As the federal government’s digital footprint has expanded, the risks to its networks and information have also grown,” the OMB guidance states.”
“Adoption and deployment of cyber technologies have improved the effectiveness of U.S. warfighters across the globe. From reducing the cost and lead-time for high-tech weapons production, to ensuring reliable communications across the battlefield, cyber underlies many defense innovations.
However, despite the numerous advantages of a cyber-connected world, the proliferation of cyber tools presents an array of threats and vulnerabilities that deserve the attention of decision-makers across the defense enterprise. Cybersecurity breaches are increasingly common across industry and government, with the defense industry being no exception. With the cost of these breaches reaching into the billions of dollars, demand for more robust cybersecurity controls and regulations comes from the highest levels of government and Congress.
The Defense Department seeks to address these concerns by placing a more intentional focus on data that falls outside of classified controls but remains valuable to an adversary.
Technical data, ordering information, and instructional materials are examples of data deemed “controlled unclassified information,” or CUI.
While a more exhaustive definition of CUI is still in development, requirements to protect it have been included in contracts since late 2018. The DFARS 252.204-7012 clause requires that contractors abide by the 100-plus cybersecurity controls developed by the National Institute of Standards and Technology in Special Publication 800-171. The effectiveness of these controls and their impact on industry is the focus of recent research by NDIA.
The survey was developed in conjunction with NDIA’s San Diego Chapter and was distributed via email and to NDIA members. The survey opened in April and ran until July. Approximately 300 responses were collected from industry representatives across the country.
Results measured notable differences in experiences across large versus small companies, primes versus subcontractors, and new entrants versus established actors. Questions gathered data about company financials, information technology processes and corporate views on current policy.
One finding is that cybersecurity breaches are pervasive across industry but range in cost and severity. Some attacks go unnoticed while others debilitate business. The defense industry has experienced a range of cyber-attack events, according to the study results. Overall, one quarter of participants have been prior victims of cyber attacks, with a concentration on businesses larger than 500 employees. Forty-four percent of these companies suffered attacks and an additional 30 percent of this group responded that they were unsure if they had been attacked.
If even half of these unsure respondents are victims, the attack rate for larger firms stands greater than 50 percent. The high frequency of attacks across the defense industry demonstrates the seriousness of the cyber risk. The question is increasingly moving away from if a company has been the victim of an attack, to when a company will experience an attack.
As the number of cyber attacks grows, so does the range of cyber-related threats. Of a list of current threats facing industry, a cyber attack from an outside actor was ranked by 43 percent of respondents as the most threatening, followed by the fear of a dismissed employee wreaking havoc on the company’s systems. Industry participants viewed threats of contract revocation or retribution for the mishandling of sensitive material as comparatively much less threatening, signaling that current mechanisms for discouraging contract violations are not viewed as a serious threat in comparison to other cyber vulnerabilities.
The growing risk to industry from cyber attacks has driven growth in information security companies offering tools and services to prevent or recover from these attacks.
Companies now have a litany of fortification products and consulting services available to help them fend off attackers in the cyber arena. These tools, of course, offer varying levels of protection and range in cost, thus adoption of them across industry varies widely.
Of the security measures presented, the presence of a firewall was cited as the most common for both small and large businesses. A similar level of adoption was seen for the use of multi-factor authentication and VPNs for remote work for large businesses, but the response saw a large drop-off of utilization of these tools among smaller companies.
Across the board there is evidence that small businesses use security measures at a rate of approximately 20 percent less than their large counterparts. Cost, lack of experienced personnel to implement secure practices, and the belief that these tools provide little benefit compared to the cost potentially explain this lower level of implementation. It is worth noting, however, the NIST 800-171 standard requires a number of these security measures, indicating many of these companies may currently fail to meet requirements.
While the lack of compliance may cause concern, one area that’s more worrisome is the levels of preparedness across industry for an attack. Only 40 percent of respondents expressed lack of confidence in their company’s ability to recover from a cyber attack within 24 hours, 30 percent claimed to not have a good sense of the cost of recovering from an attack, and small businesses are trailing large ones by 15 percentage points in agreement with the statement that “our employees are well prepared to understand and respond to cybersecurity threats.” These indicators should alert government and industry to the continued presence of significant cyber vulnerabilities across the defense industrial base.
Those in government tasked with monitoring cyber threats are clearly concerned about weaknesses in industry’s cyber fortifications. The Defense Department has focused on and actively promoted development and implementation of cyber regulations for the past few years, and continues to debate the best approaches to protecting America’s critical cyber infrastructure.
Despite this attention, a large portion of the defense industrial base remains unprepared for DFARS 7012 compliance. When asked if their company was prepared to comply with DFARS 7012, 72 percent of large businesses agreed they were prepared, while only 54 percent — a slight majority — of small businesses reported readiness. Rates of actual compliance drive greater concern. Currently, 44 percent of prime contractors do not have system security plans from their subcontractors, a central tenet of DFARS 7012 compliance, and only 5 percent of prime contractors have taken corrective action against their subcontractors, allowing the risk to continue unchecked.
While adoption and compliance levels with current cybersecurity standards may concern government officials, industry’s perspective on the impact of these policies is a notable bright spot. Data from NDIA’s survey show signs that senior defense industry managers are prioritizing DFARS 7012 compliance, and both large and small companies believe implementing DFARS 7012 standards will help them achieve a comprehensive level of security. Industry also assessed government regulations as superior to its own security policies, and felt implementing these regulations would help to deter and prevent attacks from even the most determined adversaries.
While the current state of cybersecurity across the defense industrial base needs improvement and will remain a focus area for policymakers in the Pentagon and Congress, there are some clear initial steps that can immediately strengthen cyber infrastructure.
The government should begin by increasing communication and access to resources available to lower-tier, smaller members of the defense industrial base. Communication should focus on the business case for compliance. Resources should help companies achieve and maintain compliance. Pairing individual compliance requirements with communications about risk and reward strengthens the case for implementation.
For industry, prime-level contractors should amplify government communications about risk and reward. Primes should routinely and broadly share best practices, cost-saving efforts, and methods of cyber regulation compliance with not only their supply chain, but with their competitors. Overall, defense industrial base members both large and small must increase their level of preparedness to deter, defend and recover from cyber attacks. In this era of the hyper-connected battlefield, delivering superior, uncompromised capabilities to our warfighters begins by ensuring availability and reliability.
“Reports emerged Oct. 16 that UAE-based cybersecurity company DarkMatter recruited officers who had previously worked for Israel’s elite cyber intelligence outfit, Unit 8200. Interestingly, the story also noted that many of the Unit 8200 personnel had first worked at the Israeli cybersecurity company NSO Group before reportedly departing the company for larger salaries at DarkMatter. Both NSO Group and DarkMatter have generated a great deal of media coverage for allegedly arming governments with intelligence tools to spy on potential dissidents and journalists, among other targets. These cases, however, undoubtedly only scratch the surface of a much larger threat — that is, the increasing proliferation of intelligence tools and skills on the open market. Today, more actors than ever can purchase advanced intelligence capabilities, forcing us to reconsider the way we think about, analyze and protect against corporate espionage threats.
An Emerging Black Market
When assessing the corporate espionage threat posed by a hostile actor, Stratfor has long used a three-pronged model that gauges the actor’s interest, intent and capability. Over the course of my career, I’ve encountered numerous cases in which an actor had the interest and intent to conduct espionage, but lacked the innate capability to effectively steal some piece of proprietary information or monitor a private organization’s activities and communications. State sponsors have helped intelligence services punch far above their weight class in decades past. The training and equipment that the Soviet KGB and the East German Stasi provided Cuba in the 1960s and 70s, for example, helped propel its intelligence agency to top-tier status. Likewise, Jordanian intelligence has become quite competent thanks to its long association with U.S. counterparts. Many other nations and other espionage actors simply did not possess, and largely could not obtain, world-class intelligence capabilities.
But that is changing under this new model of intelligence capabilities proliferation. Certainly, the United Arab Emirates has taken a very big jump in its capabilities by creating DarkMatter and employing some of the world’s most elite intelligence officers. Meanwhile, other countries such as Mexico and Saudi Arabia have allegedly purchased and used tools developed by the Israel-based NSO Group to ostensibly spy on journalists, opposition politicians and human rights organizations seen as threats to the regime. China’s partner governments in Africa are also reportedly using technology manufactured by tech giant Huawei to track political opponents and other targets.
But while these cases involving Huawei, NSO Group and DarkMatter have garnered headlines, the threat extends far beyond the cyber realm. It has become increasingly common for intelligence professionals to parlay the tradecraft skills they acquired during their government service into high-paying, private sector jobs. This not only includes cyber skills used for hacking, but human intelligence know-how such as source recruitment and handling, as well as other esoteric tradecraft skills such as conducting black-bag jobs. As a result, the full array of espionage tools — including human intelligence tradecraft — is now available for purchase.
In some cases, the price tag for such tools and skills can be relatively steep. The base fee for NSO Group’s Pegasus software used by the Mexican and Saudi governments reportedly cost $500,000 — with an additional $650,000 to hack the phones of 10 targets. But while expensive, these fees are certainly well within the budget of not only the intelligence agencies of even small countries, but private companies and large organized crime groups. Drug cartels in Mexico, for example, have hired hackers to help them gather information on their enemies. The notorious Sinaloa cartel also purchased state-of-the-art encrypted cellphones from the Canada-based Phantom Secure to protect both its operations and Joaquin “El Chapo” Guzman Loera’s communications with his various wives and mistresses.
The Limitations of Outsourcing Expertise
This new model of intelligence capabilities outsourcing, however, is not without risk. First, as we’ve seen in Saudi Arabia’s alleged killing of journalist Jamal Khashoggi, it can bring a great deal of unwanted attention upon the instigator when intelligence tools are used to help facilitate atrocities or otherwise violate international norms. Since the two stories first broke in late 2018, the Saudi and Mexican governments’ use of the NSO Group’s software has also resulted in a public uproar and court cases in both countries.
Second is the concern of loyalty. Intelligence providers will know who their clients are targeting, which can grant valuable insight into the internal dynamics of a country or its foreign affairs. There will thus always be some unease over the possibility that the providers of these intelligence capabilities could be double agents who are either still reporting to their former employers, or sharing that information with others — including those being targeted by the client. Take the case of Saudi Arabia: Even if the cyber tools are being employed by Saudi personnel, can the kingdom be positive that the software isn’t reporting back to the NSO Group through some sort of backdoor channel where it can then be passed on to Israeli intelligence?
And last but not least, the intelligence tools and techniques up for purchase are either industry-standard or one-size-fits-all, and thus may be somewhat outdated and less effective in going after truly hard targets. Such capabilities are therefore unlikely to grant clients capabilities that rival those of first-tier intelligence agencies, such as the U.S. National Security Agency or the Chinese Ministry of State Security. But they can — and indeed have — sufficed when used to target less difficult targets, such as companies, journalists or nongovernmental organizations. And we expect to see them used increasingly against such softer targets going forward.
Because of this new reality, it is imperative that we update the way we think about the intelligence threat triad. Now, if an actor has interest in a piece of information and the intent to use espionage tools to obtain it — as well as the resources to afford outsourced tools and tradecraft — we must believe that they can acquire the capability to do so; to presume otherwise in an era where anyone can buy advanced espionage proficiency is as foolish as it is dangerous.
Plenty of colleges have popular cybersecurity courses for young students looking to find a career, but even employees who don’t work in IT need to have knowledge of basic cybersecurity principles these days. There aren’t many such educational resources for people not looking to go into the cyber field, or who are already in the workforce.
That’s where the National Security Agency comes in.
They worked with Penn State University, as part of a broader initiative from the Department of Homeland Security, to develop a free online course to educate people on cybersecurity operations, law and policy.
“The NSA asked us to design a law course about cyber operations that can be taught to non-lawyers, and really no requirement of any technical background or expertise,” Ann Toomey McKenna, a professor at Penn State’s Institute for CyberScience and one of the three professors who wrote the course, said on Agency in Focus: Intelligence Community. “They wanted a course that can be designed to be taught as a whole comprehensively, or in modules; smaller units of the course could be taken and taught independently. So in a very unusual way we went about this and we created a course designed to be taught in whole or part, and designed to be taught by anyone who might be interested.”
The course is offered for free through the Clark Center, operated by Towson University in Maryland. And Toomey’s isn’t the only course offered there; there’s a whole range of cybersecurity offerings as part of this program.
The course starts with a quick, introductory overview of how the U.S. government and legal system operate, so that everyone understands the legal framework around cyber operations and cybersecurity.
“I think folks need to be aware when they’re engaged in something that involves U.S. law, when are they engaged in something that could be considered a problem under the Computer Fraud and Abuse Act? When are we engaged in operations that implicate national security?” Toomey said.
The course does the same for technology concepts, such as the fundamentals of communications and cellular technologies. It then goes into the legal foundations for modern cyber law and policy, focusing on the Constitution and Bill of Rights and how they apply to these concepts. For example, how do the Fourth Amendment and the right to privacy inform the Electronic Communications Privacy Act, or electronic surveillance?
“And then really the final module is where we get into cyber operations, and that’s sort of the meat of this from the standpoint of what we consider today an offensive operation and defensive operations,” Toomey said. “And we did it through sort of a cyber threat response framework, where we looked at operations by and against private actors, and how our domestic law comes into play and that intersection with international law and international norms in cyber operations. And then we really went through the international right to conduct cyber operations. And one thing we did to keep students engaged is use real-world case examples. So we talked about Estonia, we talked about different situations that folks can look at and read about in real news articles and think ‘okay, here’s how this played out. Here’s how the law works.’ And here’s how we intersect that technology, domestic law and national security.”
In an event that brought two Cabinet secretaries and around 50 top federal and state officials together for three days of discussion on cybersecurity and critical infrastructure, one question remained: Who has the lead on information security issues in the United States?
It was an issue pondered aloud by Sen. Ron Johnson, R-Wis., the chairman of the Senate’s Homeland Security committee. Johnson said Sept. 19 he had recently sat through a classified 5G briefing with Cabinet officials and had a similar inquiry then.
“The No. 1 question I [had] is ‘who’s in charge? Who is actually doing the problem definition when it comes to our challenge with 5G?’” Johnson said at the Cybersecurity and Infrastructure Security Agency’s second annual national cybersecurity summit at National Harbor. “And nobody would really answer the question.”
“This is constant. This is common across the federal government,” Johnson added.
In addition, state and local governments control their elections. Private utilities largely manage the power grid. And with cyberthreats launched remotely and crossing international borders, this means there’s a need for coordination and collaboration between organizations — a task that can be made difficult by jurisdictions.
“International boundaries dissolve away,” said CISA Director Chris Krebs in his opening speech Sept. 18. “Jurisdictions do not, but the boundaries seemingly do.”
The summit brought together top state election and cybersecurity officials; federal officials from agencies such as the Pentagon, the Department of Homeland Security, the National Security Agency and the Department of Commerce; top congressional aides, along with some industry experts. In a rarity, several panels were exclusively government officials, even with a government moderator. At the outset, Krebs said he was ready to move beyond the boilerplate “information sharing” conversation.
“I’m sick of hearing about information sharing and how that’s going to solve the problem. It’s not,” Krebs said. “We have to get beyond information sharing. We have to work together to understand what our respective advantages are.”
Looking at the stature of the officials participating in this year’s summit, it’s clear that CISA is serious about finding the best ways to protect government systems.
Coordinating with big players
Consider the government leadership that sat for the summit’s first panel. It included Anne Neuberger, director of the NSA’s new Cybersecurity Directorate; Suzette Kent, federal chief information officer; Tonya Ugoretz, deputy assistant director of the FBI’s cybersecurity division; Jack Wilmer, deputy CIO and chief information security officer at the Pentagon — all moderated by CISA’s Assistant Director for Cybersecurity Jeanette Manfra. Outside of a congressional hearing, it was an unusual display of top officials.
The significance of the leaders CISA pulled together wasn’t lost on some in industry.
“They’re linking the players together, and so when you start creating that kind of collaboration, information sharing, where we can create an outcome and execute behind — that is where you actually start seeing transformational change,” said Travis Reese, president of FireEye, a threat intelligence company. “And to me, it starts here, it starts with getting people from different backgrounds, different components, different sides of the political world, into a place where they can share ideas, be very transparent [and] have some debates.”
Agency leaders made clear that they were exploring their responsibilities in relation to other entities in the federal government.
“We spend a lot of time at FBI thinking about our role as it relates to others in this constellation of entities that have a piece of this mission — especially CISA and CYBERCOM and other organizations [that] have been developing,” said Ugoretz. “What we keep coming back to … is that it requires such a blend of mission and authorities and capabilities to tackle all the different aspects of what we’re looking at in the cyber mission space. We agree that there really can’t be one entity, realistically, that does it all. But it’s all about, ‘how do we come together?’”
Krebs made increased coordination a point in his opening speech, comparing the role of the Federal Emergency Management Agency as the lead in disaster response to the state of affairs in cybersecurity.
“We don’t have that same doctrine built out for a large-scale cyber event,” Krebs said.
That missing doctrine worried Krebs, who said the government “got pretty close this summer” to a large cybersecurity event, referencing the ransomware attacks against parishes in Louisiana and school districts in Texas. At the summit, Jared Maples, homeland security adviser for the state of New Jersey, said that he guesses he receives as many as 10 ransomware alerts from organizations throughout his state each week.
Maples explained to Fifth Domain how CISA is helping states defend against these ransomware attacks by providing them with threat analysis of ransomware strains.
“We can get it out to the smaller constituencies, which we do have direct access to. [For] the feds, it’s tough to get out to 376 million people, but we can get it out to all 9 million of our people very quickly,” Maples told Fifth Domain.
Mac Warner, the Republican secretary of state in West Virginia, said that DHS and CISA are providing localities in his state with incident response plans for events like natural disasters and providing other training to county clerks.
“There’s a lot of activity going on from the federal government, DHS, CISA, and others to help us get the message across — not only training our own people but then the public part,” Warner said in response to a question from Fifth Domain.
CISA’s not the only group assisting state officials in cyberspace. For ransomware attacks, Maples said his agency also gets help from the FBI.
“The federal government — CISA, for example, and a lot of our partners, FBI — there’s a lot of capabilities to help overcome those if you are attacked and respond to them,” Maples said.
CISA also manages a handful of cybersecurity programs for federal agencies, such as the Trusted Internet Connections (TIC) program, which provides secure internet connections for agencies, and the Continuous Diagnostics and Mitigation (CDM) program, which provides insight into agencies’ cybersecurity posture.
“[This is] really the first time we had an agency really focused on security, with a major focus on cybersecurity,” said Grant Schneider, the federal chief information security officer. “Something that has really galvanized … efforts across the federal government.”
Johnson praised Krebs’ leadership at CISA and said that the overall structure of issue governance made sense, but added that there needed to be identified leadership over the individual issues.
“In some of these subproblems, like 5G … we do need to understand that we need individuals within government to be in charge of all the different operations,” he said.
The Pentagon is making big moves in an effort to improve cybersecurity for its industrial base, but so far the department’s biggest roadblocks early on may be the same confusion, doubt and uneven compliance from contractors that led to the vulnerabilities in the first place.
Officials from the Department of Defense and the National Institute of Standards and Technology gave updates on two nascent programs at an Aug. 8 Information Security and Privacy Advisory Board meeting: NIST’s new draft cybersecurity guidance for contractor systems deemed high value assets and the Pentagon’s Cybersecurity Maturity Model Certification (CMMC) program.
Both are designed to shore up different aspects of DOD’s cybersecurity regime for contractors, and both are causing heartburn among companies who are still unclear about how best to comply.
The NIST draft guidance around high value assets went out for public comment earlier this year. The more than 600 responses reflect confusion about the scope and application of the requirements.
Every individual requirement listed in the draft received more than a dozen comments or critiques, according to NIST’s Victoria Pillitteri.
Cost, practicality and straightforward questions like “does this apply to me or my systems?” were among the most common sentiments expressed, while certain requirements, like one for a 24-hour security operations center, were painted as unrealistic and cost prohibitive expectations for small and mid-sized contractors.
Roger Wakimoto, a vice chancellor at the University of California, Los Angeles, wrote that his research team successfully competed for hundreds of millions of dollars in federal research funding in 2017 and expressed concerns that the enhanced requirements “may inflict unintended consequences on fundamental research” and are “unclear” about whether they apply to basic research or academic institutions that take federal research funding.
“Unless agencies are mandated to state applicability in funding announcements, this proposed change could be incredibly burdensome, as it is possible that applicants would not know that the award would fall under the new requirements until they are far along in the process of applying,” wrote Wakimoto.
Others, like CTIA, a trade association representing the wireless industry, questioned whether NIST’s cost assessments for compliance were too low, saying the cost “will likely be substantial.”
Stronghold Cybersecurity worried that a requirement to restrict access to systems and components to information resources owned, provisioned or issued by the organization would wreak havoc on an increasingly mobile IT workforce.
“Any [Bring Your Own Device] goes out the window with this one for sure,” wrote Jason McNew, the firm’s Certified Information Systems Security Professional.
A definitional problem
Despite the complaints, the contracting community is unlikely to find sympathy among DOD officials or members of Congress, who have pushed for cybersecurity standards for the defense industrial base following a sustained campaign of digital espionage by China over the past 18 months that has hemorrhaged sensitive U.S. military secrets.
“Our adversaries aren’t looking at penetrating the nuclear triad at the highest point … they’re going to the lowest tier to gain access and they’re patient,” said Katie Arrington, a special assistant to the Assistant Secretary of Defense for Acquisition, at the same meeting while discussing CMMC.
The enhanced NIST security requirements would only apply to components on nonfederal systems that store, process or transmit controlled unclassified information (CUI), or when designated in a critical program or high value asset. Crucially, while NIST’s baseline cybersecurity requirements are mandatory for all defense contractors, agencies must be sure to specifically include the requirements for high value assets in any contracting or procurement documents.
Just what constitutes a critical program or high value asset (and who decides) is another complicating factor. The clearest definition comes from the Department of Homeland Security, which adopted the phrase in a Binding Operational Directive and has cycled through two iterations of a definition thus far, while leaving it largely up to agencies to identify specific assets that fit the bill.
“We’re still refining [the definition], I don’t know that that will ever be perfect,” said Alan McClelland, an information security specialist at the Cybersecurity and Infrastructure Security Agency. “Really it’s open to interpretation, the agencies determine themselves based on these definitions what their high value assets are.”
While DHS has offered technical expertise to the endeavor, military assets are not covered under the agency’s Binding Operational Directive or its definition, though McClelland said after his briefing that officials in both agencies are in discussions to cooperate and further align their efforts down the road.
A question of maturity
If the new NIST guidance is designed to scope out the technical requirements necessary to protect contractor systems, DOD’s new Cybersecurity Maturity Model Certification program is a way to ensure that contractors are in fact complying. Rather than allow contractors to self-certify, the program will bring in third-party auditors to review contractor systems to ensure they’re in fact implementing the protections they claim to the government.
The Pentagon’s desire for a stricter compliance regime received a boost earlier this year when the federal government successfully convinced a judge to allow a lawsuit against contractor Aerojet Rocketdyne Holdings to proceed for claims it violated the Civil False Claims Act by misrepresenting compliance with NIST’s baseline cybersecurity requirements listed in the Defense Federal Acquisition Regulation Supplement.
As with NIST’s new guidance, defense contractors and experts have also expressed anxiety about how the CMMC will work, how it will apply to their systems and whether the military can work out the kinks and confusion before a contractor’s certification level begins affecting the kind of procurements it can pursue. The differing levels of maturity one can achieve (measured on a scale from 1 to 5) further cloud the picture as to what a particular contractor may need to do or implement to continue doing business with the military.
In addition, there are a number of contractors who may genuinely think they’re compliant when they’re not, a problem that again goes back to the general uncertainty and doubt that arises when general principles about security are applied to specific systems and programs in the defense contracting space.
Arrington was tapped by the Pentagon earlier this year to lead the CMMC and institute a broader cultural change among the defense contracting community. A former contractor, Arrington said she saw companies that falsely self-certified or embellished their compliance with contractor cybersecurity regulations in pursuit of business.
Those days must come to an end, she said, calling for the community to move away from its widespread fixation on cost, schedule and performance while ignoring security.
“It doesn’t matter how much I pay for something if it’s already been exfiltrated,” Arrington said. “If I’m worried about getting it on time, but by the time I get it delivered to me it’s worthless, why am I worrying about the schedule? Yeah, I wanted it to perform at this capacity, but if my adversaries already have it, they’re outperforming me before I get there. We have to change the culture.”