On February 9, President Obama published “Protecting U.S. Innovation from Cyberthreats” in The Wall Street Journal. The article outlined the cyber-focused portion of the federal budget proposal, which includes a new national plan giving $3 billion to kick-start an overhaul of the federal computer systems. According to the article, Obama’s new Cybersecurity National Action Plan (CNAP), backed by his proposal to increase federal cybersecurity funding by more than a third, to over $19 billion, “has plans to address both short-term and long-term threats, with the end goal of providing every American a basic level of online security.”
On first glance, more money to revamp government security seems to be a step in the right direction, but I have a few additional thoughts…
This recent announcement of a new CNAP is a start, but seems to lack some of the critical elements one would have expected.
“I’m proposing a $3 billion fund to kick-start an overhaul of federal computer systems. It is no secret that too often government IT is like an Atari game in an Xbox world. The Social Security Administration uses systems and code from the 1960s. No successful business could operate this way”
Spending money on a new system is probably a good thing. However, with respect to security, the first thing that should be done is a security assessment – i.e. what is connected, why is it connected, what is the value of that connection, what is the risk associated with the asset, and what mitigations are in place to protect the asset? Then we can, and should, look at updating the mitigations for the risk to a level commensurate with the value of the information. Without this line of thought we are doomed to hemorrhage information and even be vulnerable to things like skip attacks. (i.e. attack from “a” to get to “b”).
What’s more, plenty of successful businesses are operating with “code from the 1960s”. There are ‘bridge technologies’ that allow organizations to align to new technology capabilities, while future-proofing existing application investments. To quote from my colleague Ed Airey‘s recent blog post on Federal IT modernization not needing to be taxing “Check out the COBOL modernization initiative at the US Small Business Administration, an agency now well positioned for future growth and leverage next gen technology [and now responsible for “offering cybersecurity training to over 1.4 million small businesses and their workers”]. Or how about the City of Miami or Marin County, CA who have also undertaken similar COBOL application modernization projects? Modernizing core business systems can be straightforward…and it all begins with a strategy geared towards leveraging past success and unique attributes.”
“…we’re doing more to help empower Americans to protect themselves online. In partnership with industry, we’re launching a new national awareness campaign to raise awareness of cyberthreats and encourage more Americans to move beyond passwords—adding an extra layer of security like a fingerprint or codes sent to your cellphone.”
While I applaud the element in the announcement that helps ‘Americans to move beyond passwords’, we are missing the point here as well. We should be asking what is being protected? If it is simply access, would using only your fingerprint really improve things? Let’s look at fingerprint technology for a second. If the back-end system stores the fingerprint, for anytime, and their infrastructure is compromised, so is your fingerprint. How? Think of a 3D printer that could create a negative image of the fingerprint. The attacker could then pour latex or gummy bear gelatin into the print and well…game over. Or just recall the hackers who claimed to have faked a German minister’s fingerprints using photos of her hands. Are we better off if we assume the infrastructure does not store the raw fingerprints but does store minutia? Maybe not. The question then becomes one of what can a minutia record be used for? i.e. Can it be used in a birthday attack against a fingerprint? (hint…maybe).
Moving to multi-factor authentication is a good move, we’ve been promoting it for years. David Mount, director of security solutions consulting EMEA here at Micro Focus, was recently quoted in the Huffington Post as saying “Passwords quite simply aren’t working… They are too easy for hackers to steal and too difficult for customers to remember, which is why we’re seeing banks like HSBC shift towards biometrics.” What the Huffington Post left out from Mount was what was later picked up by SC Magazine: “However, there are concerns about the privacy implications of biometrics… such as, what does the biometric data say about me and my physical and emotional state? “There’s [also] this element of trust around it and how accurate will it be…in identifying me? If you get examples where voice recognition doesn’t work, it introduces creeping distrust. It hasn’t authenticated me this time, OK is there capability for it to mis-recognise someone else as me?”
“We’re also establishing a national testing lab, where companies can test their systems’ security under simulated attacks.”
While the Cyber test lab sounds interesting, it raises lots of logistical questions (i.e. who has access? Would one be able to establish an environment to really mirror theirs, etc )? In the end, how would this be different from running existing commercial cyber security tools against your infrastructure?
I could go through all the ideas expressed in the announcement and while on the surface they sound reasonable, they may not be. If we look at what can be done – perhaps we should look at the situation a little closer. Over the past few years, along with the massive cyber breaches, we have seen massive fines associated with them. The plans that we have seen, to date, haven’t done anything concrete to help prevent breaches. While there are budget proposals requiring money to drive Healthcare and Social reforms, which are very important topics, we seem to be neglecting the fact that we are under cyberattack. So far our response to this attack seems to be ‘Lets fine the victims’; which, while a money maker for the government, doesn’t help any industry, doesn’t help the country’s economy, and doesn’t help our security posture. With this in mind, I would like to see a continued push for real cybersecurity solutions not just the planned information sharing initiatives. Ideally, this push should help the areas that are constantly under attack and perhaps provide plans to assist the besieged sectors recover faster. In addition to this relief, the government should look at providing cybersecurity education for industry.
While I am wishing for things, it would be nice if the federal government would budget and plan on homogenizing all the various state privacy, cybercrime, and breach notification laws. I for one would not complain about a single comprehensive national set of laws in these areas.