Tag Archives: cyber security

For Defense Contractors New Qualification Cyber Rule Requires Auditable Plan Documents




“Making a system security plan and plan of actions and mitigations is crucial to winning new business and keeping existing contracts this year and moving forward.

Here are some tips on how to approach creating and utilizing these complex compliance documents.”


“Contractors and their supply chain with active Defense Department contracts, or those that plan on doing business with it, must assure that any of their data systems that transmit, process or store controlled unclassified information are compliant with National Institute of Standards and Technology Special Publication 800-171 “Protecting Controlled Unclassified Information in Non-federal Information Systems and Organizations.”

It’s clear that meeting the Defense Federal Acquisition Regulation Supplement 252.204-7012 mandate to comply with the special publication is a required priority for defense contractors, subcontractors and suppliers.

First of all, DFARS compliance includes safeguarding all controlled unclassified information and “covered defense information.” Contractors must report cyber-related incidents to the Defense Department and any deviations or gaps from NIST SP 800-171. They must show progress on a “plan of action with mitigations” and report and maintain a “system security plan.”

The plan of action with mitigations and system security plan are important artifacts to use to demonstrate your adherence to the NIST 800-171 guidance. Defense contractors or suppliers will need to submit these compliance documents to the department or a prime contractor, preferably sooner rather than later. Defense Department documentation calls these types of artifacts “critical inputs to an overall risk management decision to process, store or transmit” controlled unclassified information.

Contractors processing, storing or transmitting controlled unclassified information must meet these security standards at a minimum that were laid out in the Defense Federal Acquisition Regulation Supplement. Those who decide to avoid it unfortunately risk losing contracts this year and in years moving forward and even risk falling under the False Claims Act. Especially if a company has already received a questionnaire, it’s important that it submit its compliance status truthfully, and prepare compliance documents now if it wants to keep its customers.

Identifying the scope and target of evaluation is important here. There are approximately 120 controls included in NIST SP 800-171 and assessing each of these controls for documents, for every component of a system, can be a massive undertaking for an organization. By identifying only those components that are either directly or indirectly in scope, a contractor can reduce the list of areas that need to be assessed.

Having these two documents proving each control status and plan for remediation allows an organization to address the DFARS 252.204-7012 requirement for 2018. The key is showing where the gaps are, a plan for remediation and progress according to that plan.

Here is the direct guidance from the Office of the Under Secretary of Defense: “NIST SP 800-171 was revised (Revision 1) in December 2016 to enable non-federal organizations to demonstrate implementation or planned implementation of the security requirements with a “system security plan” and associated “plans of action.”

The security requirement 3.12.4 — system security plan, added by NIST SP 800-171, Revision 1 — requires the contractor to develop, document and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
Security Requirement 3.12.2 — plans of action — requires the contractor to develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in their systems.

The goal is to assess the target of evaluation defined in step one and the components identified in step two of the process against the controls. Both current and target scores should be recorded to enable a gap analysis that will feed the two documents.

A system security plan can be critical to fully documenting compliance. Revision 1 to NIST SP 800-171 added another control to the set that requires the creation of a plan to “describe[s] the boundary of [a contractor’s] information system; the operational environment for the system; how the security requirements are implemented; and the relationships with or connections to other systems.”

In addition to the plan of actions and mitigations, the system security plan “describes how and when any unimplemented security requirements will be met, how any planned mitigations will be implemented, and how and when they will correct deficiencies and reduce or eliminate vulnerabilities in the systems.”

That means that the documents must describe the requirements, how a contractor plans to remediate for each of the controls, and a timeline for remediation in the organization.

That is just the bare bones, as there is much more information that can be included for compliance such as team members in charge of controls, deadlines and technology that will be adopted in remediation steps.

A great deal of company resources will have to be allotted to getting these documents ready if requested. Regardless of the method, these documents are key for saving contracts if not yet fully compliant, and will put a company in good standing for primes or contracts against the competition.

In 2018, contractors need to ensure they are working on becoming compliant using these documents, and that they can demonstrate competitiveness and adherence to the regulations if the business relies on defense-related revenue.”



Pentagon Wants to Merge Human and Computer Cyber Defenders


“Image:  Shutterstock”


“The Pentagon’s long-horizon research and development wing is betting it can combine human and computer cyber defenders in a way that adds up to more than the sum of their parts.

The program, from the Defense Advanced Research Projects Agency, is called Computers and Humans Exploring Software Security, or CHESS.”


“The goal is to mix autonomous and semi-autonomous cybersecurity systems with human cyber experts who can work out some of the abstract problems that computers aren’t as good at solving. Brian Pierce, director of DARPA’s Information Innovation Office, described the program to Nextgov on the sidelines of the RSA Cybersecurity conference in San Francisco Wednesday.

The idea for the program occurred to its director, Dustin Fraze, while watching a cybersecurity contest at the DEF CON hacking conference, Pierce told Nextgov.

The team, dubbed Shellphish, from the University of California, Santa Barbara, had built an autonomous cybersecurity system to compete in DARPA’s Cyber Grand Challenge. Under the rules for that contest, teams’ autonomous systems compete against each other to repel cyberattacks without any human intervention once the starting bell rings.

DEF CON’s Capture the Flag contest, on the other hand, traditionally pits human cyberattackers and defenders against each other without any autonomous systems in the mix. But, because there’s no rule explicitly barring those systems, Shellphish added its “autonomous cyber-creature” Mechanical Phish to the team roster.

“It was intriguing to look at the partitioning of work between what the human hackers can do and what the computers can do,” Pierce said.

While computers outshine humans at spotting vulnerabilities and repelling attacks that mirror basic logic and math problems, humans remain better at problems that follow a more complex set of rules, such as the syntax of a language.

“Humans can look at patterns in a much more abstract and comprehensive way,” Pierce said.

DARPA launched the CHESS program April 3 and held a proposers day for organizations interested in conducting the research on Thursday.

The program reflects one of three main cyber areas DARPA is focusing on, Pierce said.

Broadly, the agency’s goals are to: Make systems more secure and resilient against cyber threats; improve situational awareness in cyberspace, including better attributing cyberattacks; and improving the military’s ability to strike back in cyberspace in a precise, tactical manner that reduces the chance for collateral damage or unintended consequences.

CHESS contributes to that first goal, Pierce said. Other DARPA programs focus on making it cheaper and easier to build software using “formal methods,” a process that applies mathematical proofs to computer code to ensure the code can’t do anything it’s not intended to.

A main program aimed at the second priority is called Enhanced Attribution. The goal, Pierce said, is to combine and analyze public data about internet activity that, in aggregate, makes it easier to attribute cyberattacks to particular attackers.

U.S. officials regularly attribute major cyber incidents. They attributed the 2014 Sony Pictures Entertainment breach, for example, to North Korea and the 2016 Democratic National Committee breach to Russia.

When it makes those attributions, however, the government typically only releases a smattering of evidence to prove its case because it’s wary of exposing intelligence sources and methods – such as NSA spying tools – that produced the attribution. That gives U.S. adversaries a lot of wiggle room to say the U.S. is off base in its conclusions or just making stuff up.

Because the Enhanced Attribution data would all be public already, that would make it much easier to make a public attribution case, Pierce said, and, ideally, deter future attacks.”


Pentagon Could Impose New Cyber Regulations on Industry




Image:  Massivealliance.com


“We want the bar to be set so high, it will become the condition of doing business” with the Pentagon, Deputy Defense Secretary Patrick Shanahan said Feb. 6.

He emphasized that the level of cyber vulnerability within the defense community is significant, and hinted that parameters could be put in place to ensure companies were doing their part to keep critical information safe.”

“You can imagine if tomorrow … instead of having a financial disclosure statement, we want you to sign a cyber disclosure statement that says, ‘Everybody you do business with is secure,’” he said. “I don’t think you’d sign that tomorrow, but … we need to get to that level because your secrets, our secrets are exposed.” He did not elaborate on how specifically the Pentagon aims to achieve that level of security.

Shanahan assumed the role of deputy defense secretary in July 2017 after spending over three decades at Boeing, most recently serving as the senior vice president for supply chain and operations. Speaking to reporters after his speech, he noted that cyber hygiene standards were “just a condition of employment at the company.”

“In terms of protecting our data and protecting their information, there should be this standard,” he added. He referenced his college-aged son and noted, “I don’t call him up and ask him if he’s brushed his teeth.”

Product integrity and safety were “the first order of business” at Boeing, he added. “When I think of things like safety, cyber falls into that category … as being one of those things that should be uncompromising.”

It may not be easy to change the culture to be more stringent about cyber hygiene, but the U.S. workforce once also engaged in lengthy debates about smoking, he noted.

“We need to have the same intolerance on cyber,” he added.

The Defense Department has continued to prioritize cybersecurity efforts inside and outside its facilities as it warns of the potential threat of an attack from a near-peer adversary, as well as the dangers posed by everyday electronics usage. The 2018 National Defense Strategy, which was released in January, stated that the Pentagon will prioritize investments “in cyber defense, resilience and the continued integration of cyber capabilities into the full spectrum of military operations.”

Shanahan’s comments follow recent reports that U.S. military installations could be traced via a heat map released by Strava, a fitness tracker app that uses a device’s GPS to follow where and when a user exercises. Potential adversaries could possibly employ that data to track how personnel move across installations or how frequently, inviting security concerns.

In the past six months, Defense Secretary Jim Mattis has launched a review of how technology is used across the services, including the use of cell phones at the Pentagon. Department Chief Spokesperson Dana White said in a media briefing Feb. 1 that operational security was Mattis’ priority in taking a closer look at the potential threat posed by electronic devices.

“This recent incident [with Strava] and others has allowed him to take a bigger look at, ‘What are we doing and how are we doing it?’” she said. The Pentagon has not reached a consensus on policies going forward, she noted.

White noted that U.S. military bases have already been targeted.

“Information is power and our adversaries have used information to plan attacks against us,” she said.”



Do Young Humans + Artificial Intelligence = Cybersecurity?


West Point cadets conduct a cyber exercise.


“The Army is recruiting smart young soldiers to wage cyber war. But human talent is not enough.

Ultimately, say experts, cyberspace is so vast, so complex, so constantly changing that only artificial intelligence can keep up.”

“America can’t prevail in cyberspace through superior numbers. We could never match China hacker for hacker. So our best shot might be an elite corps of genius hackers whose impact is multiplied by automation.

Army photo

Talent definitely matters – and it is not distributed equally. “Our best (coders) are 50 to 100 times better than their peers,” Lt. Gen. Paul Nakasone, head of Army Cyber Command (ARCYBER), said. There’s no other military profession, from snipers to pilots to submariners, that has such a divide between the best and the rest, he told last week’s International Conference on Cyber Conflict (CyberCon), co-sponsored by the US Army and NATO. One of the major lessons learned from the last 18 months standing up elite Cyber Protection Teams, he said, is the importance of this kind of “super-empowered individual.”

Such super-hackers, of course, exist in the civilian world as well. One young man who goes by the handle Loki “over the course of a weekend…found zero-day vulnerabilities, vulnerabilities no one else had found in Google Chrome, Internet Explorer and Apple Safari,” Carnegie Mellon CyLab director David Brumley said. “This guy could own 80 percent of all browsers running today.” Fortunately, Loki’s one of the good guys, so he reported the vulnerabilities – and got paid for it – instead of exploiting them.

courtesy David Brumley

The strategic problem with relying on human beings, however, is simple. We don’t have enough of them. “We don’t want to be in a person-on-person battle because, you know what, it just doesn’t scale,” Brumley told CyCon. “The US has six percent of the world’s population (actually 4.4). Other countries, other coalitions of countries are going to have more people, (including) more people like Loki.”

That creates a strategic imperative for automation: software programs that can detect vulnerabilities and ideally even patch them without human intervention. Brumley’s startup, ForAllSecure, created just such a program, called Mayhem, that won DARPA’s 2016 Cyber Grand Challenge against other automated cyber-attack and defense software. However, that contest was held under artificial conditions, Brumley said, and Mayhem lost against skilled human hackers – although it found some kinds of bugs better and faster. So automation may not be entirely ready for the real world yet.

Even when cybersecurity automation does come of age, Brumley said, we’ll still need those elite humans. “What these top hackers are able to do… is come up with new ways of attacking problems that the computer wasn’t programmed to do,” he said. ” I don’t think computers or autonomous systems are going to replace humans; I think they’re going to augment them. They’re going to allow the human to be free to explore these creative pursuits.”

Sydney J. Freedberg Jr. photo

Young Humans

“For those of you who are in the military who are 25 years old or younger, captains and below…you’re going to have to lead the way. People my age do not have the answers,” the Army’s Chief of Staff said at CyberCon. After his speech, Gen. Mark Milley called up to the stage lieutenants and West Point cadets – but not captains, he joked, “you’re getting too old.” (He let the captains come too).

“It’s very interesting to command an organization where the true talent and brainpower is certainly not at the top, but is at the beginning stages,” said Lt. Gen. Nakasone at the same event. “It’s the lieutenants. It’s the sergeants. It’s the young captains.”

Sydney J. Freedberg Jr. graphic

The Army has rapidly grown its cyber force. It now has 8,920 uniformed cyber soldiers, almost a ninefold increase since a year ago (and cyber only became an official branch three years ago, when it had just six officers). There are also 5,231 Army civilians, 3,814 US contractors, and 788 local nationals around the world. All told, “there’s 19,000 of them,” Milley said. “I suspect it’s gonna get a lot bigger.”

At the most elite level, US Cyber Command officially certified the Army’s 41 active-component Cyber Protection Teams and the Navy’s 40 teams as reaching Full Operational Capability this fall, a year ahead of schedule. (We’re awaiting word on the Air Force’s 39). At full strength, the teams will total about 6,200 people, a mix of troops, government civilians, and contractors.

To speed up recruiting, Gen. Milley wants to bring in cyber experts at a higher rank than fresh-out-of-ROTC second lieutenants – say, as captains. Such “direct commissioning” is used today for doctors, lawyers, and chaplains, but Milley notes it was used much more extensively in World War II, notably to staff the famous Office of Strategic Services (OSS). Why not revive that model? “There’s some bonafide brilliant dudes out there. We ought to try to get them, even if it’s only 24 months, 36 months,” he said. “They’re so rich we won’t even have to pay ’em.”

(That last line got a big laugh, as intended, but “dollar-a-year men” have served their country before, including during the World Wars.)

No matter how much the military improves recruiting, however, it will probably never have enough talent in-house. (Neither will business, which is short an estimated two million cyber professionals worldwide). So how does the military tap into outside talent?

Defense Department graphic

One method widely used in the commercial world is bug bounties: paying freelance hackers like Loki for every unique vulnerability they report. (Note that the Chinese military runs much of its hacking this way.) The Defense Department has run three bounty programs in the last year – Hack the Pentagon, Hack the Army, and Hack the Air Force – that found roughly 500 bugs and paid out $300,000. That’s “millions” less than traditional security approaches, says HackerOne, which ran the programs.

What’s really striking, though, is the almost 3,000 bugs that people have reported for free. Historically, the Pentagon made it almost impossible for white-hat hackers to report bugs they find, but a Vulnerability Disclosure Policy created alongside the bug bounties “has been widely successful beyond anyone’s best expectation,” said HackerOne co-founder Alex Rice, “without any actual monetary component.”

So what’s motivating people to report? For some it’s patriotism, Rice told me, but participating hackers come from more than 50 countries. In many cases, he said, hackers are motivated by the thrill of the challenge, the delight of solving a puzzle, the prestige of saying they “hacked the Pentagon,” or just a genuine desire to do good.

The other big advantage of outsourcing security this way, said Rice, is the volunteer hackers test your system in many more different ways than any one security contractor could afford to do. “Every single model, every single tool, every single scanner has slightly different strengths, but also slightly different blind spots,” Rice said. “One of the things that is so incredibly powerful about this model is that every researcher brings a slightly different methodology and a slightly different toolset to the problem.”

Those toolsets increasingly include automation and artificial intelligence.

DARPA photo

Automation & AI

“I’m the bad news guy,” Vinton Cerf, co-inventor of the Internet, told the audience at CyCon. “We’re losing this battle (for) safety, privacy, and security in cyberspace.”

Why? “The fundamental reason we have this problem is we have really bad programming tools,” Cerf said. “We don’t have software that helps us identify mistakes that we make… What I want is a piece of software that’s watching what I’m doing while I’m programming. Imagine it’s sitting on my shoulder, and I’m typing away, and it says ‘you just created a buffer overflow.’” (That’s a common mistake that lets hackers see data beyond the buffer zones they’re authorized for, as in the Heartbleed hack.)

courtesy Wikimedia Commons

Such an automated code-checker doesn’t require some far-future artificial intelligence. Cerf says there are new programming languages such as TLA+ and Coq that address at least parts of the problem already. Both use what are called “formal methods” or “formal analysis” to define and test software rigorously and mathematically. There are also semi-automated ways to check a system’s cybersecurity, such as “fuzzing” – essentially, automatically generating random inputs to see if they can make a program crash.

Artificial intelligence doesn’t have to be cutting-edge to be useful. The Mayhem program that won DARPA’s Cyber Grand Challenge, for instance, “did require some amount of AI, but we did not use a huge machine learning (system),” Brumley said. “In fact, NVIDIA called us up and offered their latest GPUs, but we had no use for them.” Mayhem’s main weapon, he said, was “hardcore formal analysis.”

“There is a lot of potential in this area, but we are in the very, very early stages of true artificial intelligence and machine learning,” HackerOne’s Rice told me. “Our tools for detection have gotten very, very good at flagging things that might be a problem. All of the existing automation today lags pretty significantly today on assessing if it’s actually a problem. Almost all of them are plagued with false positives that still require a human to go through and assess (if) it’s actually a vulnerability.”

So automation can increasingly take on the grunt work, replacing legions of human workers – but we still need highly skilled humans to see problems and solutions that computers can’t.”
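The quoted article mentions two techniques without showing either: the buffer over-read that Cerf’s imagined “you just created a buffer overflow” assistant would catch (Heartbleed is the example given) and fuzzing as “automatically generating random inputs to see if they can make a program crash.” The block below is an added example, not code from the article or from any of the people or projects it quotes. It models the Heartbleed pattern in Python: a handler that copies as many bytes as the sender’s length field claims, the bounds-checked version, and a small fuzzer whose oracle is an invariant rather than a crash. The wire format, the handler names and the “secret” bytes placed after the record are all constructed for illustration and are not the real TLS heartbeat encoding.

```python
import random

# Constructed sample: bytes that happen to sit in memory right after a received
# record.  In the real Heartbleed bug this was whatever the process had nearby
# (private keys, session cookies, other users' requests).
SECRET_NEIGHBOUR = b"session=deadbeef;"


def build_heartbeat(payload: bytes, claimed_len: int) -> bytes:
    """Assumed Heartbleed-like wire format (not the real TLS encoding):
    1-byte type, 2-byte big-endian payload length as claimed by the sender,
    then the payload bytes that were actually sent."""
    return b"\x01" + claimed_len.to_bytes(2, "big") + payload


def vulnerable_heartbeat(record: bytes) -> bytes:
    """Echo handler that trusts the length field (the Heartbleed pattern).

    It copies claimed_len bytes starting at the payload, so a length larger
    than the payload actually received reads past the record into whatever
    memory follows it.  That memory is modelled here as record + SECRET_NEIGHBOUR.
    """
    memory = record + SECRET_NEIGHBOUR
    claimed_len = int.from_bytes(record[1:3], "big")
    return memory[3:3 + claimed_len]


def fixed_heartbeat(record: bytes):
    """Bounds-checked version: the length field may not exceed the bytes
    actually present in the record; malformed records are dropped (None)."""
    if len(record) < 3:
        return None
    claimed_len = int.from_bytes(record[1:3], "big")
    if claimed_len > len(record) - 3:
        return None
    return record[3:3 + claimed_len]


def response_leaks(handler, record: bytes) -> bool:
    """Fuzzing oracle: an echo response must never be longer than the payload
    the peer sent, because any extra bytes came from our own memory."""
    response = handler(record)
    return response is not None and len(response) > len(record) - 3


def fuzz(handler, iterations: int = 2000, seed: int = 1):
    """Generate random heartbeat records, half with honest length fields and
    half with arbitrary ones, and report every input that makes the handler
    crash or violate the oracle.  Returns a list of (claimed_len, real_len)
    tuples or ('crash', reason) entries; an empty list means nothing was found."""
    rng = random.Random(seed)
    findings = []
    for _ in range(iterations):
        payload = bytes(rng.randrange(256) for _ in range(rng.randrange(0, 32)))
        if rng.random() < 0.5:
            claimed = len(payload)             # well-formed record
        else:
            claimed = rng.randrange(0, 65536)  # mutated length field
        record = build_heartbeat(payload, claimed)
        try:
            if response_leaks(handler, record):
                findings.append((claimed, len(payload)))
        except Exception as exc:               # a crash is a finding too
            findings.append(("crash", repr(exc)))
    return findings


if __name__ == "__main__":
    probe = build_heartbeat(b"hi", 20)         # claims 20 bytes, sends 2
    print("vulnerable:", vulnerable_heartbeat(probe))
    print("fixed:     ", fixed_heartbeat(probe))
    print("findings against vulnerable handler:", len(fuzz(vulnerable_heartbeat)))
    print("findings against fixed handler:     ", len(fuzz(fixed_heartbeat)))
```

The point of the oracle is that in a memory-safe language nothing crashes: the vulnerable handler returns happily, it just returns bytes it should not have. A fuzzer that only watches for crashes would therefore miss it, which is why `response_leaks` checks the protocol invariant (the echo can never exceed what was received) instead. Against real C code the same harness would get its signal from AddressSanitizer flagging the out-of-bounds read.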


Cyber Tech Firms Need Integrator Partners to Broaden Their Services


Image:  Oracle.com


“Given the frequency and severity of security intrusions in the public and private sector, cybersecurity companies are now looking for more complete offerings beyond their core capabilities.

By demonstrating an ability to technically integrate with third party vendor products, these companies can show that they are able to more fully meet the needs of Federal government customers.”

“Government agencies are looking for companies that can act as general contractors, but not all companies are system integrators. Therefore, the goal for many companies is to have the ability to provide a more expansive, holistic offering beyond just their own product portfolio.

That hasn’t traditionally been the case among cybersecurity providers. These companies have typically focused on selling their uniquely specialized products into agencies, which understandably can limit their success in responses to requests for proposals in more comprehensive programs.

For the government in particular, the approach allows agencies to more easily make decisions on which products to deploy in complex environments.

Let’s look at how some general technical cybersecurity integrations can add benefit to customers:

Multi-Factor Authentication (MFA) – An agency looking to deploy MFA tokens to all their employees will likely need a card management system (CMS) to enroll the certificates stored on the physical tokens. Some companies offer both tokens and a CMS, but particularly when looking for high assurance tokens that were designed with the Federal government in mind, they are unique areas of expertise. Having the ability to vet out, in advance, a working solution that can be jointly offered to a customer simplifies the overall process and allows a customer to more readily select the appropriate vendor.

Storage & Key Mgt Encryption – What’s important here is whether a storage encryption solution can work with a key manager through open standards such as the Key Management Interoperability Protocol (KMIP). This type of interoperability is another way of layering levels of security and creating an overall efficient solution for the customer. It alleviates the challenge of the customer having to validate that the products they purchase will properly integrate in their environments.

Complete offerings – In some cases a company may be missing one element to an overall holistic solution. Among encryption providers, encrypt everything is the Holy Grail. Some come very close to meeting that promise with encryption solutions for web/application servers, databases, file servers, disk encryption, virtual machines, etc. Often, however, what might be missing is the ability to encrypt email and documents. Companies should pool resources to be able to offer that level of encryption and storage with hardware for root key management, to provide an integrated solution for all available data venues.

So after being a bit late to the game on the need to create integrated offerings, cybersecurity firms have come to realize that there is more value to creating a simple means for agencies to ensure their IT security than there is to owning a narrow segment of the market.”



“Who’s Who” in Cyberspace Operations (CSO)? DARPA Asks


(Photo credit: DARPA)

Defense Advanced Research Projects Agency Wants to Know


“DARPA wants to know who can do what when it comes to cyber research.

The agency wants to compile an up-to-date list of companies capable of participating in research projects in cyberspace operations (CSO).

“Ideally, respondents will include both potential performers currently holding security clearances and those who may be granted clearances based on technical capabilities and eligibility,” DARPA said.

“Often, these projects are classified and can only be solicited from a limited number of sources,” noted the FedBizOpps request for information. “DARPA must maintain up-to-date knowledge about potential performers to maximize the number of sources that can be solicited for classified, highly specialized, CSO R&D initiatives.”

Interested parties should submit a white paper that includes a list of their personnel with CSO experiences, any security clearances those employees have, and a narrative description of their relevant skills. Companies should also list any relevant facilities, including secure areas.”




DARPA Wants Bots To Protect Us From Cyber Adversaries




“The military research unit is looking for technology and software that can identify networks that have been infiltrated—and neutralize them.

[They are] looking for ways to automate protection against cyber adversaries, preventing incidents like the WannaCry ransomware attack that took down parts of the United Kingdom’s National Health Service networks.

The Defense Advanced Research Projects Agency is gathering proposals for software that can automatically neutralize botnets, armies of compromised devices that can be used to carry out attacks, according to a new broad agency announcement.

The “Harnessing Autonomy for Countering Cyber-adversary Systems” program is also looking for systems that can exploit vulnerabilities in compromised networks to protect those networks, making cyber adversaries—both state and non-state—less effective.

This isn’t the first time DARPA has investigated automated cybersecurity. In the 2016 Cyber Grand Challenge, participants were tasked with building systems that could thwart attacks without human intervention.

The businesses awarded contracts under the HACCS program will also come up with ways to measure how successful that technology is, incorporating how accurate the systems are in identifying botnet infections and the types of devices harnessed by the botnet.

It’s not enough to simply fortify Defense Department networks, the solicitation says, because botnets might operate without the owner of that network knowing. The Defense Department needs a way to initiate an immediate response even if the owner is not “actively participating in the neutralization process,” according to the announcement.

One way to build such an autonomous system might be to teach it to mimic the way human operators neutralize attacks in cyber exercises, according to a HACCS slide deck.

DARPA is not concerned about how stealthy the technology is in neutralizing botnets, the deck notes, but an effective system should only work on the networks that actually are compromised instead of taking the “kitchen sink” approach.

Some internet privacy advocates noted that law enforcement’s efforts to quietly neutralize botnets could violate the privacy of those who own the compromised devices, especially if the Federal Bureau of Investigation doesn’t inform them that they’re accessing their devices in their attempts to thwart attacks.

Proposals for DARPA’s four-year program, whose budget is undisclosed, are due Sep. 29.”



All the Ways the U.S. Government Cyber Security Falls Flat




“[An] analysis of 552 local, state, and federal organizations [was] conducted by risk management firm Security Scorecard.

The report goes beyond the truism of government cyber security shortcomings to outline its weakest areas, potentially offering a road map to change.”

“Data breaches and hacks of US government networks, once novel and shocking, have become a problematic fact of life over the past few years. So it makes sense that a cyber security analysis placed the government at 16 out of 18 in a ranking of industries, ahead of only telecommunications and education. Health care, transportation, financial services, retail, and pretty much everything else ranked above it.

Security Scorecard found that the government particularly lags on replacing outdated software, patching current software, individual endpoint defense (particularly when it comes to exposed Internet of Things devices), and IP address reputation—meaning that many IP addresses designated for government use or associated with the government through a third party are blacklisted, or show suspicious activity indicating that they may be compromised. A wide range of issues plague government agencies—but they’re largely fixable.

“There’s a lot of low-hanging fruit when it comes to the government sector overall,” says Alex Heid, SecurityScorecard’s chief research officer. “They’ll implement a technology when it’s very new and then it’ll just sit there and age. This creates a mix of emerging technologies, which might be misconfigured, or not everything is known about them yet, with legacy technologies that have known vulnerabilities and exploitable conditions.”

After a few years of high-profile government hacks—the devastating breach of the Office of Personnel Management chief among them—the sector as a whole has made some modest strides on defense, moving up from last place in a 2016 SecurityScorecard report. Even OPM has gained some ground, though findings (and a government review) indicate that it still has a long way to go. Agencies that control and dole out money—like the Federal Reserve, Congressional Budget Office, and National Highway Traffic Safety Administration—tend to have much more robust digital security, as do intelligence and weapons agencies like the Secret Service and Defense Logistics Agency. Even the Internal Revenue Service, which has been plagued by leaks over the past few years, has shown marked improvement, spurred by necessity.

SecurityScorecard gathers data for analyses through techniques like mapping IP addresses across the web. Part of this analysis involves attributing the addresses to organizations, not just by looking at which IPs are allocated to which groups, but by determining which organizations use which IP addresses in practice. This means that the report didn’t just assess blocks allocated to the government, it also tracked addresses associated with contract third parties, like cloud and web application providers. The group also scans to see what web applications and system software organizations run, and compares this information to vulnerability databases to determine which organizations should upgrade and patch their platforms more rigorously. Additionally, SecurityScorecard collects leaked data troves of usernames and passwords, and monitors both public and private dark-web forums.

The report found that government agencies tend to struggle with basic security hygiene issues, like password reuse on administrative accounts, and management of devices exposed to the public internet, from laptops and smartphones to IoT units. “There were more IoT connections available from government networks than I would have expected,” Heid says. “Even things like emergency management systems platforms from the mid 2000s were available to the public.” When systems are unwittingly exposed online, hackers can find credentials to gain access, or use software vulnerabilities to break in. Sometimes this process takes attackers very little effort, because if an organization doesn’t realize that something is exposed online, it may not have made the effort to secure it.

For government groups, the report found that digital security weaknesses and pain points track fairly consistently regardless of the size of an organization. (Shout out to the Wisconsin Court System and the City of Indianapolis for strong cybersecurity showings.) That means that despite the large number of issues across the board, the same types of strategies can potentially be applied widely in an effective way. The question now, Heid says, is how effectively legislation can guide government IT and cybersecurity policy. There’s a mixed track record on that at best, but in the meantime breaches and market forces are slowly driving progress.

“It boils down to the conception of information security as an afterthought,” Heid says. “‘We’ve got operations to handle and we’ll deal with the problems as they arise’ is essentially how it’s been implemented into government. But for some agencies they end up having losses in the millions of dollars. People start wearing kneepads after they fall off the skate board a few times.”
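The article describes comparing the software an organization is observed running against vulnerability databases to find who is lagging on patches. The following is an added example, not SecurityScorecard’s tooling or data: it takes a constructed banner-scan inventory (hypothetical hosts, products and versions) and constructed advisories (hypothetical identifiers, each stating the first fixed version), and lists the hosts still running a version older than the fix.

```python
"""Patch-lag check over a constructed software inventory.

Added example, not SecurityScorecard's tooling or data. It shows the core of
the method the article describes: take the software and versions an
organization is observed running and compare them with advisories that state
the first fixed version, to list which hosts still need upgrading.
All hosts, products, versions and advisory identifiers below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed advisories: product -> [(hypothetical advisory id, first fixed version)].
ADVISORIES: dict[str, list[tuple[str, str]]] = {
    "nginx": [("ADV-HYPO-001", "1.20.2")],
    "openssh": [("ADV-HYPO-002", "8.5"), ("ADV-HYPO-003", "9.3")],
    "php": [("ADV-HYPO-004", "7.4.33")],
}

# Constructed inventory in the shape a banner scan yields: (host, product, version).
INVENTORY: list[tuple[str, str, str]] = [
    ("10.0.0.5", "nginx", "1.18.0"),
    ("10.0.0.5", "php", "7.4.33"),
    ("10.0.0.9", "openssh", "8.4p1"),
    ("10.0.0.9", "nginx", "1.22.1"),
    ("10.0.0.17", "openssh", "9.1"),
    ("10.0.0.17", "php", "8.1.2"),
]


def parse_version(text: str) -> tuple[int, ...]:
    """Reduce a version string to its leading dotted numeric part.

    '8.4p1' -> (8, 4); '1.20.2' -> (1, 20, 2). Vendor suffixes are ignored,
    which is sufficient for the advisories above; a real matcher would also
    need to understand distribution back-ports.
    """
    m = re.match(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def is_vulnerable(observed: str, fixed_in: str) -> bool:
    """True when the observed version is strictly older than the fixed one."""
    a, b = parse_version(observed), parse_version(fixed_in)
    width = max(len(a), len(b))  # pad so that 1.20 compares equal to 1.20.0
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    observed: str
    advisory: str
    fixed_in: str


def patch_lag(inventory, advisories) -> list[Finding]:
    """Every (host, advisory) pair where the observed version predates the fix."""
    findings: list[Finding] = []
    for host, product, version in inventory:
        for advisory, fixed_in in advisories.get(product, []):
            if is_vulnerable(version, fixed_in):
                findings.append(Finding(host, product, version, advisory, fixed_in))
    return findings


def open_advisories_per_host(inventory, advisories) -> dict[str, int]:
    """Per-host count of unpatched advisories, the figure a scorecard rolls up."""
    counts: dict[str, int] = {}
    for f in patch_lag(inventory, advisories):
        counts[f.host] = counts.get(f.host, 0) + 1
    return counts


if __name__ == "__main__":
    for f in patch_lag(INVENTORY, ADVISORIES):
        print(f"{f.host:<10} {f.product:<8} {f.observed:<8} -> upgrade to {f.fixed_in} ({f.advisory})")
    print(open_advisories_per_host(INVENTORY, ADVISORIES))
```

The version comparison is deliberately padded so that `1.20` and `1.20.0` compare equal; a naive tuple comparison would flag the shorter one as older and produce false positives, which is exactly the kind of noise that makes teams distrust a scorecard.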



Estonia Lesson Learned: “Every Country Should Have a Cyber War”




“Estonia’s biggest turning point was 10 years ago, when the country came under sustained cyberattack.

The shock of a cyberwar united the community to take action. Estonians don’t see cybersecurity as a phenomenon; it’s about being empowered by technology, not controlled by it.”

“Estonia’s steps have certainly been radical, and other countries can learn lessons from them about how to defend themselves.

In 1991, Estonia was part of the dying communist empire. Its economy was run by central planners in Moscow, less than half of all households had a phone line, and goods were so scarce that people had to line up for food.

Skip ahead 26 years, and Estonians don’t even have to queue to vote. They do that online.

In just over two decades, Estonia has become one of the world’s most digitally innovative and efficient countries. In fact, Estonians conduct all their civic responsibilities online. Offices and paper forms have become obsolete as state-issued digital identities allow all citizens to carry out any financial or government transaction from their laptops or cellphones. And that gives them an edge when it comes to cybersecurity.

Estonia’s journey down the digital road has been astonishingly fast. When it gained independence from the Soviet Union in 1991, it had almost no money and few natural resources. But it did have one advantage: It was the designated center for software and computer production for the USSR. After achieving independence, the country had a pool of tech expertise for them to build on.

During these early years of independence, Estonia needed to create the means for a new economy. And it wasn’t going to be easy. The country’s tiny population of just 1.3 million is spread over a relatively vast countryside. Outside the capital Tallinn, there’s an average of just four people per square kilometer. The new government didn’t have the resources to extend government offices or banking facilities to small towns and villages, so it decided to encourage self-service, and spread internet access across the country in order to do so.

To achieve this, the government set up an investment group to build computer networking and infrastructure. By 1997, almost every school was connected to the internet, and by 2004, 300 wifi access points had been established, bringing the internet even to small villages—and mostly for free.

In 2007, Estonia was in the middle of a political fight with Moscow over plans to remove a Soviet war memorial from a park in Tallinn. Suddenly, it was hit with three weeks of D-DoS (designated denial of service) attacks. When this happens, multiple sources send multiple online requests, flooding a service or system and making it unable to function. It’s the digital equivalent of crowding an entrance to a building so that no one can come in or out.

As a result, the internet shut down as websites were bombarded with traffic. Russia denied any involvement, but Estonia didn’t believe it.

“War is the continuation of policy by other means,” Estonian president Kersti Kaljulaid told a NATO cyber-conference in Tallinn in June 2017. “Ten years on, it is clear that the decision made by Estonia not to withdraw but stay and fight for the security of our cyberspace was indeed the right one.”

The attacks made Estonia more determined than ever to develop its digital economy and make it safe from future attacks. “I think every country should have a cyber war,” says Taavi Kotka, the government’s former chief information officer. “Citizens get knowledge about what an attack means, about how phishing works, how D-DoS works, and they start to understand and live with that. People aren’t afraid if they know they can survive something. It’s the same thing as electricity going off: Okay, it’s an inconvenience, but you know how to deal with it.”

In Estonia, people are not afraid of cyber warfare, nor are they afraid of sharing personal data across public and private institutions. Go to a hospital, and the nurse or doctor can call up your entire health records from any doctor you ever visited without the need to call their offices and ask them to send files.

Full marks for convenience, simplicity, and efficiency. But what about the dangers of nameless bureaucrats accessing your personal data? Isn’t there a risk of future governments abusing the system and using your intimate details against you? Isn’t this inviting an Orwellian nightmare?

Estonia says no. Unlike an authoritarian state like the old Soviet Union, government transparency is built into the system. While all your private data is online, only you can give permission for any data to be accessed. And you can check who has accessed what. If a doctor you don’t know has viewed your records, it will be traceable, and you can have them sacked. As one software developer Quartz spoke to said, “You become your own Big Brother.”

Data is protected through a framework known as X-road, which helps exchange decentralized data between big government databases. X-road has built-in security measures that encrypt traffic and time-stamps so that the data cannot be manipulated. Taimar Peterkop, from Estonia’s Information System Authority, says that the security measures built into E-identity databases are all but impenetrable by outsiders. “Estonia takes data integrity very seriously because our society is so digitized,” he says. “If someone manipulates citizens’ data, that’s a challenge for us. We use blockchain-based technology to ensure the data is as it should be.”

When it comes to security, Peterkop says humans are usually the weak link. “Cybersecurity starts with us. If you have weak cyber hygiene, that’s a problem. We need to raise awareness and educate people about using strong authentication methods,” he says. For example, Estonia has public-education campaigns about how to use your smart devices wisely.

It seems like glaringly obvious advice, but a look at the recent US election shows that basic cyber hygiene has been an after-thought, even for the powerful. When Democratic nominee Hillary Clinton’s campaign chief John Podesta’s Gmail account was hacked, Wikileaks founder Julian Assange claimed Podesta’s password was simply the word “password.” The campaign denied this claim and said they fell victim to a phishing scam. Whatever the case, it was an avoidable security breach that should never have occurred.

Peterkop also says that consumers need to ask more questions about the Internet of Things, especially when it comes to everyday household products and devices. “There is so much pressure to come up with new products in a hurry, so security measures are an after-thought,” he says. “As consumers, it’s essential that we start paying attention to it. We don’t do enough risk mitigation. Basically every TV is a computer now.” These issues are present already: A recent document dump from Wikileaks points to hacking tools that directly relate to Samsung televisions.

Estonia’s steps have certainly been radical, and other countries can learn lessons from them about how to defend themselves. As well as creating a paperless public service, Estonia is now backing up government data on secure servers offsite in Luxembourg. It has also prioritized tougher international action for cyber-crime and encouraged private companies to review security measures and have stronger agreements with server providers.”
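Two design points the article attributes to Estonia are that citizens can check who has accessed their records, and that traffic is time-stamped and chained so data cannot be manipulated after the fact. The following is an added example, not X-road’s or any Estonian system’s code: a hash-chained, time-stamped access log in which every entry commits to the one before it, with a per-citizen “who viewed my record” query and a verifier that detects an edited or deleted entry. All names, identifiers and timestamps are constructed.

```python
"""Tamper-evident, time-stamped record-access log.

Added example, not X-road's or any Estonian system's code. It illustrates two
things the article attributes to Estonia's design: a data subject can see who
accessed their record, and time-stamped entries are chained so that they
cannot be altered after the fact (the property a blockchain also relies on).
Every entry carries the hash of the previous one; editing or deleting an
earlier entry breaks the chain and is detected on verification.
Names, identifiers and timestamps are constructed.
"""
from __future__ import annotations

import dataclasses
import hashlib
import json
from dataclasses import dataclass

GENESIS = "0" * 64  # anchor for the first entry's prev_hash


@dataclass(frozen=True)
class AccessEntry:
    timestamp: str    # ISO-8601 UTC, supplied by the logging service
    subject_id: str   # whose record was read
    accessor_id: str  # who read it
    purpose: str      # declared reason for the access
    prev_hash: str    # entry_hash of the preceding entry (or GENESIS)
    entry_hash: str   # sha256 over prev_hash and this entry's fields


def _digest(prev_hash: str, timestamp: str, subject_id: str,
            accessor_id: str, purpose: str) -> str:
    # Canonical JSON so the same fields always hash the same way.
    payload = json.dumps([prev_hash, timestamp, subject_id, accessor_id, purpose],
                         separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AccessLog:
    def __init__(self) -> None:
        self.entries: list[AccessEntry] = []

    def record(self, timestamp: str, subject_id: str,
               accessor_id: str, purpose: str) -> AccessEntry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        entry = AccessEntry(timestamp, subject_id, accessor_id, purpose, prev,
                            _digest(prev, timestamp, subject_id, accessor_id, purpose))
        self.entries.append(entry)
        return entry

    def verify(self) -> tuple[bool, int]:
        """Recompute the chain; return (ok, index of the first bad entry or -1)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            expected = _digest(e.prev_hash, e.timestamp, e.subject_id,
                               e.accessor_id, e.purpose)
            if e.prev_hash != prev or e.entry_hash != expected:
                return False, i
            prev = e.entry_hash
        return True, -1

    def head(self) -> str:
        """Hash of the last entry. Publishing or signing it outside the log is what
        stops an operator with write access from quietly re-chaining a rewritten log."""
        return self.entries[-1].entry_hash if self.entries else GENESIS

    def accesses_to(self, subject_id: str) -> list[tuple[str, str, str]]:
        """What a citizen sees: (when, who, why) for every read of their record."""
        return [(e.timestamp, e.accessor_id, e.purpose)
                for e in self.entries if e.subject_id == subject_id]


def build_sample_log() -> AccessLog:
    """Constructed sample: three record reads by hypothetical staff."""
    log = AccessLog()
    log.record("2017-06-01T08:12:00Z", "citizen-001", "dr-kask", "treatment")
    log.record("2017-06-03T14:40:00Z", "citizen-002", "dr-tamm", "treatment")
    log.record("2017-06-04T09:05:00Z", "citizen-001", "clerk-777", "unspecified")
    return log


def tampered_copy(log: AccessLog, index: int, new_accessor: str) -> AccessLog:
    """Simulate rewriting who performed an access without re-chaining."""
    copy = AccessLog()
    copy.entries = list(log.entries)
    copy.entries[index] = dataclasses.replace(copy.entries[index], accessor_id=new_accessor)
    return copy


def deleted_copy(log: AccessLog, index: int) -> AccessLog:
    """Simulate removing an entry to hide an access."""
    copy = AccessLog()
    copy.entries = log.entries[:index] + log.entries[index + 1:]
    return copy


if __name__ == "__main__":
    log = build_sample_log()
    print("citizen-001 accesses:", log.accesses_to("citizen-001"))
    print("intact:", log.verify())
    print("accessor rewritten:", tampered_copy(log, 2, "dr-kask").verify())
    print("entry deleted:", deleted_copy(log, 1).verify())
```

One caveat the chain alone does not cover: silently dropping the most recent entries leaves a log that still verifies, because nothing after them references their hashes. That is why `head()` exists; the current head has to be published, signed, or anchored somewhere the log operator does not control, and a verifier compares against that anchor rather than trusting the log’s own tail.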



A New Tool for Looking at Federal Cybersecurity Spending

Image:  “Taxpayers for Common Sense”


“A new database and visualization tool that breaks down unclassified federal spending on cybersecurity over the past decade—giving the public a peek at how each major federal agency is devoting resources toward protecting computer systems.”

“More and more of what the federal government does relies on complex computer systems and networks. This high tech infrastructure makes the government work better by making services more efficient and accessible.

But that digital revolution also comes with big risks—just think back to the massive data breach at the Office of Personnel Management disclosed in 2015, when hackers compromised sensitive information about tens of millions of Americans. Last year, there were at least “30,899 cyber incidents that led to the compromise of information or system functionality” at federal agencies, according to a White House report released in March. The number of attacks on federal computer systems has risen sharply over the last decade.

So how much is the government spending to protect itself (and us) in this brave new world?

Unfortunately, the answer is “we don’t really know.” But a new tool from nonpartisan watchdog group Taxpayers for Common Sense provides perhaps the most comprehensive analysis of federal cybersecurity spending.

Last week, Taxpayers released a new database and visualization tool that breaks down unclassified federal spending on cybersecurity over the past decade—giving the public a peek at how each major federal agency is devoting resources toward protecting computer systems.

Taxpayers used public budget documents to build the database, but it wasn’t easy. “There is no government-wide standard definition or method of accounting for what qualifies as cyber funding and, therefore, no way to fully track it,” the organization explains on its methodology page. Agencies also use a variety of different approaches to tackle the issue, making it even harder to pin down their spending. Then, there is the government’s murky “black budget” of classified spending. So Taxpayers “settled on providing the best picture [it] could develop from extensive research of government programs” that are unclassified, spending two years searching through thousands of budget documents for terms like “information security” and “information assurance.”

Taxpayers found the amount spent on cybersecurity has quadrupled over 11 years. The group was able to tally $7 billion in unclassified cybersecurity spending in 2007, as compared to $28 billion in 2016. But some of that growth could be attributed to improvements in how the government tracks cybersecurity funding.

The resulting snapshot isn’t perfect, but it’s an impressive start—and a necessary one. After all, you can’t figure out what bang the government gets for its cybersecurity buck if you don’t know where those bucks go.”