The federal government's information systems have been under relentless security pressure, including an increasing number of well-executed intelligence-seeking attacks. And government cyber security experts say it's getting worse. At the State Department, for example, malicious code attacks have increased by 47% in the last two years, according to John Streufert, chief information security officer for the department's Bureau of Information Resource Management, at a recent House subcommittee hearing on federal information security. In a typical week, the department blocks 3.5 million spam e-mails, intercepts 4,500 viruses and detects more than a million external probes to its network, he said.
But more worrying than the broad onslaught against agencies is what Alan Paller, research director for security consultants SANS Institute, called the "advanced persistent threat"—skillfully focused, intelligence-seeking attacks on government cyber security, often sponsored by hostile foreign governments. "It's a threat that is highly targeted," he said. "They know what they're after. It's not random."
Threats to government cyber security
A prime example of such a threat, according to Paller, was an attack four years ago on the information systems at the Commerce Department's Bureau of Industry and Security (BIS), the branch of the department that licenses U.S. technology exports with both commercial and military applications. After the attack, which originated in China, the bureau had to lock down Internet access for more than a month and replace hundreds of computers to cleanse its systems of malicious code.
"The BIS division determines which technologies in the U.S. are too sensitive to export," Paller said. The division possesses data relating to "why [an export] is too sensitive, who manufactures it, what are the underlying technologies—everything a malicious government would need to jump start that technology in their own country. That's why it's so awful."
Paller said that developing effective threat management processes can help thwart the advanced persistent threat. "Tools don't find [the threat], people do," he said, adding that the State Department has created an approach to security management that other agencies can emulate. "State has the model that we all look to in terms of how you array your people to do it," he said.
Managing government cyber security with layers
To furnish senior leaders with better data on the security status of their information systems, State has deployed a risk scoring program in which scanning tools tag specific weaknesses with point values from 0 to 10, with 10 representing the highest vulnerability. When a threat is deemed to be resolved at a particular site, its risk points are deducted. Moreover, senior managers are held accountable for showing results on reducing threats to their systems—they receive letter grades (A+ to F) every 30 days to rate their progress, Streufert said.
Using this system, overall risk to the department's key unclassified network has been reduced by about 90 percent at both overseas posts and domestic locations, he added.
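The mechanics of such a scoring program are easy to misread as "a number per host," so here is an added toy model of the scheme Streufert describes. It is example code written for this page, not the State Department's program or code from the article. The only elements taken from the article are the 0-to-10 point scale, the deduction of points when a weakness is resolved, and the A+ to F letter grade; the grade cut-offs (`GRADE_CUTOFFS`), the rule that a site's risk is the sum of its open findings' points, and the sample findings are all assumptions.

```python
"""Toy risk-scoring model (added example; assumptions marked below)."""
from dataclasses import dataclass, replace


@dataclass
class Finding:
    """One weakness flagged by a scanner on one host at one site."""
    site: str
    host: str
    weakness: str
    points: int          # 0-10 scale from the article, 10 = most severe
    resolved: bool = False

    def __post_init__(self):
        if not 0 <= self.points <= 10:
            raise ValueError(f"points must be 0-10, got {self.points}")


# ASSUMPTION: grade cut-offs as percent of baseline risk still open.
# The article gives only the A+ to F range, not the thresholds.
GRADE_CUTOFFS = [(10, "A+"), (20, "A"), (40, "B"), (60, "C"), (80, "D")]


def site_score(findings, site):
    """ASSUMPTION: a site's risk is the sum of points of its open findings."""
    return sum(f.points for f in findings if f.site == site and not f.resolved)


def letter_grade(baseline, current):
    """Grade a site by how much of its baseline risk remains open."""
    if baseline == 0:
        return "A+"
    remaining = 100.0 * current / baseline
    for cutoff, grade in GRADE_CUTOFFS:
        if remaining <= cutoff:
            return grade
    return "F"


def resolve(findings, site, host, weakness):
    """Mark a weakness resolved; its points drop out of the site score.
    Returns how many open findings were closed (0 if nothing matched)."""
    closed = 0
    for f in findings:
        if (f.site, f.host, f.weakness) == (site, host, weakness) and not f.resolved:
            f.resolved = True
            closed += 1
    return closed


def score_card(findings, baselines):
    """Per site: (open points, percent reduction vs. baseline, letter grade)."""
    card = {}
    for site, baseline in baselines.items():
        current = site_score(findings, site)
        reduction = 0.0 if baseline == 0 else 100.0 * (baseline - current) / baseline
        card[site] = (current, round(reduction, 1), letter_grade(baseline, current))
    return card


# Constructed sample findings for two fictitious sites (not real data).
SAMPLE_FINDINGS = [
    Finding("post-alpha", "ws01", "unpatched-browser", 7),
    Finding("post-alpha", "ws02", "unpatched-browser", 7),
    Finding("post-alpha", "srv01", "weak-admin-password", 10),
    Finding("post-alpha", "ws03", "missing-av-signatures", 4),
    Finding("hq-bravo", "ws10", "unpatched-browser", 6),
    Finding("hq-bravo", "srv02", "open-telnet", 9),
]


def demo():
    """Take a baseline, remediate a few items, and produce the score card."""
    findings = [replace(f) for f in SAMPLE_FINDINGS]   # fresh copies
    baselines = {s: site_score(findings, s) for s in ("post-alpha", "hq-bravo")}
    resolve(findings, "post-alpha", "srv01", "weak-admin-password")
    resolve(findings, "post-alpha", "ws01", "unpatched-browser")
    resolve(findings, "post-alpha", "ws02", "unpatched-browser")
    resolve(findings, "hq-bravo", "srv02", "open-telnet")
    return baselines, score_card(findings, baselines)


if __name__ == "__main__":
    base, card = demo()
    for site, (open_pts, pct, grade) in card.items():
        print(f"{site}: baseline {base[site]}, open {open_pts}, -{pct}% -> {grade}")
```

The design point worth noticing is that the grade is relative to each site's own baseline, which is what makes a 30-day grade meaningful for a manager: a post that starts with more findings is not penalized for its size, only for how much of its known risk it has left open.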
The department also maintains a 24-hour network watch program that guards against external penetration of its systems. "Analysts stationed at [a network monitoring center] serve as continuous sentries for inappropriate network activity," Streufert said.
State also has assembled a Cyber Threat Analysis team that gives department managers early warnings about potential cyber incidents. Collaboration is a critical part of the team's job. In addition to performing assessments of network intrusions and coordinating the department's response to government cyber security attacks, the team works closely with law enforcement agencies and network defense communities to create a comprehensive threat picture and develop remediation measures.
The team also shares information on threat data with officials at other government agencies and participates in a wide range of security working groups to improve coordination among federal cyber defense teams, Streufert said.
About the author:
Richard W. Walker is a freelance writer based in the Washington, D.C., area who has been covering issues and trends in government technology for more than 10 years.