Today I had the honor to testify before Congress regarding issues of national cyber-security, and the much needed revision of federal policies including FISMA to help address the electronic threats that stalk our government agencies, private corporations and critical grid infrastructure on a daily basis.
While FISMA has had some positive effects in improving our nation’s approach to cyber-security, the time has clearly arrived for the standards issued under the seminal Act to be updated to address the continued proliferation of more sophisticated threats, and some of its existing shortcomings.
In being invited to address the Senate Homeland Security and Government Affairs Committee, I was specifically asked to offer my thoughts on the Department of Homeland Security’s current efforts to stem cybercrime, in particular the effectiveness of several teams under DHS oversight that are involved in running various elements of the agency’s overall program.
I think it comes through in my testimony, the full version of which can be found here, but I want to reinforce that the teams that I refer to in my testimony are already doing an outstanding job of making the most of the resources made available to them to achieve their respective goals.
Overall, my biggest criticism of these DHS initiatives in general is that they have not been granted sufficient authority and funding to have an even greater impact, and not to infer that the hard-working people on these teams are coming up short in any regard. If anything, the reality has been quite the opposite.
Rather than re-hashing my entire testimony, since you can read or watch it for yourself, along with the expert commentary provided by my fellow participants – Stewart A. Baker, Former Assistant Secretary DHS, James A. Lewis, Director and Senior Fellow, CSIS Technology and Public Policy Program, and Alan Paller, Director of Research for SANS Institute – what follows are some bulleted highlights.
From the vantage of a risk manager it is my personal opinion that:
· More aggressive and devoted effort must be exerted to improve the ability of our government agencies, critical infrastructure providers and the many private contractors with whom they interact, to improve their ability to manage the risk.
· DHS cyber-security efforts currently struggle with a lack of management continuity, an insufficient support structure, and a lack of identity among peer organizations.
· U.S.-CERT has been limited in its ability to move beyond mere information sharing into other more dynamic operations, and needs to be the country’s cyber-defense coordination clearinghouse.
· The Secret Service Electronic Crimes Task Force needs greater financial backing to track and pursue operators and should adjust some of its longstanding staffing functions to ensure that it has the most qualified people on the job every day.
· The Federal Network Security Branch has not been granted the necessary authority to foster needed defense-in-depth protective IT mechanisms or to run initiatives including the Trusted Internet Computing (TIC) program.
· The Cyber Storm cyber-security defense exercises must be expanded, with participation from crucial private entities transitioned from voluntary to mandatory status and the tests altered to be less oriented toward check-box compliance.
· The federal government must expand FISMA to compel all agencies to undergo more frequent internal assessments to gauge their risk to cyber-attacks.
· Agencies must be required to conduct regular, extensive security audits of their IT systems using Red Team penetration testing methodologies to gain a more precise fix on where their most significant weaknesses lie on at least a quarterly basis. The results will serve as benchmarks for investments in cybersecurity.
· Congress should mandate that all entities who provide Managed Information Services of any sort to the U.S. government or providers of critical infrastructure sign more stringent Information Security Service Level Agreements.
A tall order but I remain convinced that if any nation can lead the way in creating and enforcing stronger cyber-security policies it is the U.S.
It is my honor, and Core’s honor, to have been asked to participate in this process.
-Tom Kellermann, VP of Security Awareness