The White House Office of Management and Budget (OMB) issued new guidelines aimed at improving government cybersecurity across federal agencies. Experts approve of the plan, but question whether it will be properly implemented.
The main set of guidelines released was the Cybersecurity Strategy and Implementation Plan (CSIP), the result of the 30-day Cybersecurity Sprint implemented by the government following the OPM breach earlier this year.
CSIP aims to strengthen federal civilian cybersecurity by pushing for improvements, including identifying and protecting high-value assets and information; detecting and responding to cyber incidents; recovering and learning from cyber incidents; recruiting and retaining highly qualified cybersecurity talent; and acquiring and deploying existing and emerging technology.
To comply with CSIP, the Department of Homeland Security (DHS) will accelerate the deployment of continuous diagnostics and mitigation and EINSTEIN capabilities to all participating federal agencies; OMB, in coordination with the National Security Council and DHS, will issue incident response best practices; and the National Institute of Standards and Technology (NIST) will provide new guidance for recovery from cyber events. As a companion to CSIP, OMB has issued guidelines for reviewing and implementing the cybersecurity changes.
When asked about potential upgrades to improve the EINSTEIN intrusion detection system, the DHS pointed SearchSecurity to comments made by DHS Secretary Jeh Johnson in July regarding EINSTEIN 3 Accelerated (E3A), which was first deployed in 2013.
"E3A has the capacity to both identify and block known malicious traffic," Johnson said. "EINSTEIN 3A is also a platform for future technologies and capabilities to do more. This includes technology that will automatically identify suspicious Internet traffic for further inspection, even if we did not already know about the particular cybersecurity threat."
Johnson also noted the use of Continuous Diagnostics and Mitigation (CDM) programs, which play a major part in the new CSIP guidelines for government cybersecurity.
"CDM will monitor agency networks internally for vulnerabilities that could be exploited by bad actors that have breached the perimeter," Johnson said. "CDM will allow agencies to identify, prioritize and fix the most significant problems first. It will also provide DHS with situational awareness about government-wide risk for the broader cybersecurity mission."
Adam Kujawa, head of malware intelligence at Malwarebytes Labs in San Jose, Calif., was optimistic that CSIP will not only be helpful in improving government cybersecurity, but may even make government faster at doing so.
"One of the biggest issues to our government cybersecurity has been the lack of movement when it came to employing modern protections. As with most government operations, usually, the solution to a problem is approved long after the problem started. But cybersecurity is a very dynamic field, with new threats popping up every day," Kujawa said. "These guidelines, if followed correctly, should give organizations the freedom to not only understand and research relevant security measures, but also employ them without dealing with the slow turn of normal government approval."
Experts pointed out that the term "rapidly" was used a number of times in the CSIP guidelines, including with regard to detecting and responding to threats, recovering from threats, creating an Emerging Technology subcommittee to facilitate efforts, and deploying emerging technologies.
Joe Pizzo, field engineer at Norse Corp. in Foster City, Calif., said this language stood out and applauded the aims behind the plan, but noted that having a plan and following through on it are two different things.
"Though this plan addresses a standard in technology practices, proper technology, proper people and proper procedure, it would be a surprise if it was implemented properly and in a timely manner," Pizzo said. "There are a lot of agencies, people, and resources to poll and gather information from, likely including several unknown systems in places that need to be identified. It will be surprising if federal agencies can move fast enough to succeed in this timeframe."
Vann Abernethy, product manager at NSFOCUS Inc., based in Santa Clara, Calif., was confident that agencies will implement the changes successfully, because "the core of this program is constant review and improvement."
"If the processes are followed, then all of the security controls put into place will be updated as new threats emerge," Abernethy said. "In fact, part of the mission is to update EINSTEIN to include behavioral analytics to improve the detection of zero-day threats. The CSIP is based on an understanding that not only will there be compromises, but learning from them and taking immediate remediation efforts is a critical component."
In introducing CSIP, OMB said that there is no "silver bullet" to cybersecurity. Experts all agreed with this assessment, and Abernethy and Kujawa said that because of this, the most important aspect of CSIP for the government to get right was rapid detection and response to cyber incidents.
"An organization attacking a government network isn't going to put all their eggs in a single basket as far as being able to infiltrate the network. They will try numerous methods and numerous points of entry," Kujawa said. "The key is that if the attack is detected quickly enough and that information disseminated to as many groups as possible, then the attack method can be protected against at all entry points. Let's face it, when you are dealing with government-sponsored cyberattacks, you are going to see things that you haven't seen before, so trying to predict them is almost a farce. It's all about making it difficult for the bad guys to get what they want and bouncing back, learning and adopting new precautions after something gets through."