But more worrying than the broad onslaught against agencies is what Alan Paller, research director for security consultants SANS Institute, called the "advanced persistent threat"—skillfully focused, intelligence-seeking attacks on government cyber security, often sponsored by hostile foreign governments. "It's a threat that is highly targeted," he said. "They know what they're after. It's not random."
Threats to government cyber security
A prime example of such a threat, according to Paller, was an attack four years ago on the information systems at the Commerce Department's Bureau of Industry and Security (BIS), the branch of the department that licenses U.S. technology exports with both commercial and military applications. After the attack, which originated in China, the bureau had to lock down Internet access for more than a month and replace hundreds of computers to cleanse its systems of malicious code.
"The BIS division determines which technologies in the U.S. are too sensitive to export," Paller said. The division possesses data relating to "why [an export] is too sensitive, who manufactures it, what are the underlying technologies—everything a malicious government would need to jump start that technology in their own country. That's why it's so awful."
Paller said that developing effective threat management processes can help thwart the advanced persistent threat. "Tools don't find [the threat], people do," he said, adding that the State Department has created an approach to security management that other agencies can emulate. "State has the model that we all look to in terms of how you array your people to do it," he said.
Managing government cyber security with layers
Streufert described the State Department's strategy in tackling increasingly sophisticated cyber attacks as a "layered approach to risk management."
To furnish senior leaders better data on the security status of their information systems, State has deployed a risk scoring program in which scanning tools tag specific weaknesses with point values from 0 to 10, with 10 representing the highest vulnerability. When a threat is deemed to be resolved at a particular site, risk points are deducted. Moreover, senior managers are held accountable for showing results on reducing threats to their systems—they receive letter grades (A+ to F) every 30 days to rate their progress, Streufert said.
Using this system, overall risk to the department's key unclassified network has been reduced by about 90 percent at both overseas posts and domestic locations, he added.
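The scoring scheme described above (weaknesses tagged 0 to 10, points deducted when a finding is confirmed resolved, a per-site reduction figure that feeds a periodic letter grade) can be modelled as a small ledger. The following is an added example, not State Department code or data: the site names, hosts, weakness labels and severities are constructed, and the grade cut-offs are an assumption, since the article gives only the A+ to F scale and the 30-day cadence.

```python
"""Per-site risk ledger in the style of the scoring program described above.

Constructed example: findings, site names and the letter-grade thresholds
are assumptions, not the department's actual data or cut-offs.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Finding:
    site: str
    host: str
    weakness: str
    score: int          # 0..10, with 10 the highest vulnerability (as in the article)
    resolved: bool = False

    def __post_init__(self) -> None:
        if not 0 <= self.score <= 10:
            raise ValueError(f"score must be 0..10, got {self.score}")


class RiskLedger:
    """Accumulates scanner findings and tracks risk points per site."""

    def __init__(self) -> None:
        self.findings: list[Finding] = []
        self.baseline: dict[str, int] = {}   # site -> points at start of the grading period

    def ingest(self, findings: list[Finding]) -> None:
        self.findings.extend(findings)

    def sites(self) -> list[str]:
        return sorted({f.site for f in self.findings})

    def site_score(self, site: str) -> int:
        """Open risk points for a site: sum of unresolved finding scores."""
        return sum(f.score for f in self.findings if f.site == site and not f.resolved)

    def snapshot_baseline(self) -> None:
        """Record each site's score at the start of the period (e.g. every 30 days)."""
        for site in self.sites():
            self.baseline[site] = self.site_score(site)

    def resolve(self, site: str, host: str, weakness: str) -> int:
        """Deduct a finding's points once it is deemed resolved; returns the points removed.

        In practice this should be driven by a rescan that no longer reports the
        weakness, not by a ticket being closed by hand.
        """
        for f in self.findings:
            if (f.site, f.host, f.weakness) == (site, host, weakness) and not f.resolved:
                f.resolved = True
                return f.score
        raise KeyError(f"no open finding {weakness} on {host} at {site}")

    def reduction_pct(self, site: str) -> float:
        """Percentage of the baseline risk removed since the snapshot."""
        base = self.baseline.get(site, 0)
        if base == 0:
            return 100.0          # assumption: a site that started with no risk is fully 'reduced'
        return round(100.0 * (base - self.site_score(site)) / base, 1)


def letter_grade(reduction_pct: float) -> str:
    """Map a reduction percentage onto the A+ to F scale. Thresholds are assumed."""
    bands = [(90.0, "A+"), (80.0, "A"), (70.0, "B"), (60.0, "C"), (50.0, "D")]
    for cutoff, grade in bands:
        if reduction_pct >= cutoff:
            return grade
    return "F"


def sample_findings() -> list[Finding]:
    # Constructed scan output; labels and scores are illustrative only.
    return [
        Finding("post-A", "web1", "missing-patch", 10),
        Finding("post-A", "web1", "weak-tls-config", 7),
        Finding("post-A", "db1", "default-banner", 3),
        Finding("post-B", "mail1", "missing-patch", 9),
        Finding("post-B", "mail1", "open-relay", 6),
    ]


def demo() -> dict[str, dict[str, object]]:
    """Run one grading period over the constructed findings and report per site."""
    ledger = RiskLedger()
    ledger.ingest(sample_findings())
    ledger.snapshot_baseline()               # post-A: 20 points, post-B: 15 points
    # Only post-A's team fixes anything during the period.
    ledger.resolve("post-A", "web1", "missing-patch")
    ledger.resolve("post-A", "web1", "weak-tls-config")
    report = {}
    for site in ledger.sites():
        pct = ledger.reduction_pct(site)
        report[site] = {
            "baseline": ledger.baseline[site],
            "current": ledger.site_score(site),
            "reduction": pct,
            "grade": letter_grade(pct),
        }
    return report


if __name__ == "__main__":
    for site, row in demo().items():
        print(site, row)
```

Because points are deducted only when a finding is resolved, the grade rewards closing the highest-scored weaknesses first: in the sample run post-A clears 17 of 20 points (85 percent, an A under the assumed bands) while post-B, which closed nothing, scores an F. A real deployment would tie `resolve` to a fresh scan result rather than a manual status change, so that the deduction reflects a verified fix.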
The department also maintains a 24-hour network watch program that guards against external penetration of its systems. "Analysts stationed at [a network monitoring center] serve as continuous sentries for inappropriate network activity," Streufert said.
State also has assembled a Cyber Threat Analysis team that gives department managers early warnings about potential cyber incidents. Collaboration is a critical part of the team's job. In addition to performing assessments of network intrusions and coordinating the department's response to government cyber security attacks, the team works closely with law enforcement agencies and network defense communities to create a comprehensive threat picture and develop remediation measures.
The team also shares information on threat data with officials at other government agencies and participates in a wide range of security working groups to improve coordination among federal cyber defense teams, Streufert said.
About the author:
Richard W. Walker is a freelance writer based in the Washington, D.C., area who has been covering issues and trends in government technology for more than 10 years.
This was first published in April 2010