Here is part 2 of our review of the cybersecurity issues the US government faced in 2015.

What came from these incidents

Despite their best efforts, the government still faced a giant problem: the inability of government agencies to attract and keep top-level cybersecurity talent. There are many reasons the government cannot lure in top talent and instead watches it leave for the private sector. One is the long, drawn-out hiring process. In many cases it can take up to a year to bring someone on board, largely because of the background checks and security clearances each agency requires. Another is the inability to pay as much as private sector companies can. For entry-level employees the salary gap can be in the thousands of dollars; for senior-level employees it can be in the tens of thousands. A further flaw is the way hiring is actually performed. Most agencies delegate it to offices that are not equipped to pick out top talent from a stack of resumes. They depend on software that scans a resume for certain keywords, which is not always an effective way to find the right candidates. Together these problems create yet another: understaffed agencies. Forget the lack of talented professionals; in most cases it is simply a lack of able bodies to perform the tasks at hand.

With all the issues the government faced, it needed a way to secure its infrastructure and make sure its critical information and its citizens were safe. The first step was addressing the problem of procuring top cyber talent, and many recommendations were made to that end. One was giving certain agencies special permission to bypass specific hiring hurdles in order to speed up their hiring process and fill critical workforce shortages. Another was developing a comprehensive cybersecurity workforce strategy: each department would first do a self-evaluation to understand its needs, then build a plan from that evaluation to attract and retain top talent. It was also recommended that agencies expand the cybersecurity internships and scholarships they offer; making better use of both programs is a good way to capture young talent early. A way to capture young talent even earlier would be a program similar to the Reserve Officers' Training Corps (ROTC), encouraging more students to consider a government position at an earlier age. There was also a recommendation to make academic cybersecurity certification more demanding and challenging. Further recommendations were to give more agencies direct-hire authority, put all cyber positions in the excepted service, validate cybersecurity competitions and scenario-based testing, allow agencies to share lists of best-qualified candidates, modify the security clearance process, give managers recruitment and development expectations and requirements, and create a cybersecurity training academy. Graduates of that academy would then be offered a place in a Cybersecurity Reserve Corps, creating a pool of experts who could be called on during emergencies and whenever more technical help was needed.
Along with all these recommendations, it was also suggested that agencies track the attrition of the cyber workforce: get a better understanding of why people are leaving, then use that data to improve in those areas and cut down turnover.

The biggest hurdle in getting top-level talent to consider a government position over a private sector one is offering a competitive wage. The first thing agencies needed to understand was what they were paying compared to what the private sector offers for a similar position. With that understanding they can develop a compensation system that is sensitive to the cyber labor market and close the pay gap. A competitive wage does not only matter for attracting top talent to government openings; it also matters for the talent already working for the government. Keeping these employees is just as important as bringing in new ones, because it reduces the need to recruit replacements and the resources required to onboard them.

Besides addressing the talent problem, there was the issue of securing the network itself. After the breach, attributed to Chinese spies, the U.S. Chief Information Officer (CIO) called for a complete sweep of all federal networks, the 30-day cybersecurity sprint. This emergency procedure included deploying indicators of compromise (known signs of malicious activity) into the anti-malware tools agencies use, patching all critical-level software vulnerabilities, and tightening technical controls and policies for all privileged users, meaning high-level staff with administrative access to systems. A new task force, the Cybersecurity Sprint Team, was also created, with the main purpose of leading the month-long review of the federal government's security hygiene practices.
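The first sprint action, pushing indicators of compromise into the tools that watch agency traffic, is easier to picture with a small sweep. The following is an added example and not code from the original article or from any agency; the indicator values, the log line layout and the log lines themselves are all constructed for the demo. It checks each line against domain, IP and file-hash indicators, and the domain check is label-aware so that a look-alike such as notbad-updates.example is not reported as a hit.

```python
"""Sweep constructed proxy/endpoint log lines for known indicators of compromise.

Added example, not from the original article. The indicator list, the log
layout and the sample lines are all constructed for this demo.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed indicators. In practice these would come from a threat feed
# (STIX, CSV, a vendor API), not be hard-coded.
INDICATORS = {
    "domain": {"bad-updates.example", "c2.example.net"},
    "sha256": {"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"},
    "ipv4": {"198.51.100.23"},
}

# Constructed sample log lines, one event per line:
#   <timestamp> <source ip> <destination host or ip> <sha256 of downloaded file or ->
SAMPLE_LOGS = """\
2015-06-15T08:01:02Z 10.1.4.22 intranet.agency.example -
2015-06-15T08:01:09Z 10.1.4.22 cdn.bad-updates.example 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
2015-06-15T08:02:30Z 10.1.9.7 198.51.100.23 -
2015-06-15T08:03:00Z 10.1.4.22 notbad-updates.example.org -
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


@dataclass(frozen=True)
class Hit:
    line_no: int
    src_ip: str
    ioc_type: str
    indicator: str


def domain_matches(observed: str, indicator: str) -> bool:
    """True if observed is the indicator domain or a subdomain of it.

    Suffix matching is done on label boundaries so that
    'notbad-updates.example' does not match 'bad-updates.example'.
    """
    observed = observed.lower().rstrip(".")
    return observed == indicator or observed.endswith("." + indicator)


def sweep(log_text: str, indicators: dict = INDICATORS) -> list[Hit]:
    """Return every indicator match found in the log text."""
    hits: list[Hit] = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole sweep
        _ts, src, dst, digest = m.groups()
        for dom in indicators["domain"]:
            if domain_matches(dst, dom):
                hits.append(Hit(n, src, "domain", dom))
        if dst in indicators["ipv4"]:
            hits.append(Hit(n, src, "ipv4", dst))
        if digest.lower() in indicators["sha256"]:
            hits.append(Hit(n, src, "sha256", digest.lower()))
    return hits


def hosts_to_triage(hits: list[Hit]) -> list[str]:
    """Distinct source hosts that touched an indicator, for isolation/triage."""
    return sorted({h.src_ip for h in hits})


if __name__ == "__main__":
    found = sweep(SAMPLE_LOGS)
    for h in found:
        print(h)
    print("hosts to triage:", hosts_to_triage(found))
```

On the sample data the sweep flags line 2 twice (a subdomain of a blocked domain and a known-bad file hash) and line 3 once (a known-bad IP), and leaves the look-alike domain on line 4 alone. The same loop is what an agency would schedule against its proxy and endpoint telemetry once a feed is loaded.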

Once the 30-day cybersecurity sprint was completed and reviewed, the U.S. CIO was to create a set of action plans based on the findings, establish further strategies to address critical cybersecurity issues and priorities, and then create the Federal Civilian Cybersecurity Strategy. This strategy would focus on these key principles: protecting data, improving situational awareness, increasing cybersecurity proficiency and awareness, standardizing and automating processes, controlling, containing and recovering from incidents, strengthening systems lifecycle security, and reducing attack surfaces.

Such drastic measures were called for because of how slow the government had been to address vulnerabilities in the past. The average time to address a finding flagged "high" by vulnerability scans had been forty-two days. Malicious code was found to have sat on one agency's system for one hundred and twenty-six days. Scans were not being run as frequently as they should have been; some agencies were waiting two weeks between scans. Measures needed to be taken to close these gaps.
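The figures in this paragraph (mean time to fix a "high", age of the oldest open finding, gaps between scans) are exactly what a remediation report should surface automatically so the slowness is visible before an audit. The following is an added example, not code from the article or from any agency tool: it takes scan records and scan dates and computes those metrics. The findings, dates, plugin names and SLA thresholds are all constructed for the demo, so substitute your own policy's numbers.

```python
"""Remediation and scan-cadence metrics from vulnerability scan records.

Added example, not from the original article. All findings, dates and SLA
thresholds below are constructed; a real report would read them from the
scanner's export.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Finding:
    host: str
    plugin: str
    severity: str           # "critical" | "high" | "medium" | "low"
    first_seen: date        # first scan that reported it
    fixed: Optional[date]   # None while still open


# Assumed remediation SLAs in days (constructed; use your policy's values).
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90}

# Constructed sample findings.
FINDINGS = [
    Finding("web01", "openssl-heartbleed", "high", date(2015, 3, 1), date(2015, 4, 20)),
    Finding("db02", "ms15-034-http.sys", "critical", date(2015, 4, 15), date(2015, 4, 20)),
    Finding("app03", "java-outdated", "high", date(2015, 4, 1), date(2015, 5, 5)),
    Finding("vpn01", "weak-tls-ciphers", "high", date(2015, 5, 1), None),
]

# Constructed dates on which a scan actually ran.
SCAN_DATES = [date(2015, 3, 1), date(2015, 3, 8), date(2015, 3, 22),
              date(2015, 4, 15), date(2015, 5, 1)]

# Report date used for ages of still-open findings (constructed).
AS_OF = date(2015, 6, 1)


def age_days(f: Finding, as_of: date) -> int:
    """Days from first sighting to fix, or to the report date if still open."""
    return ((f.fixed or as_of) - f.first_seen).days


def mean_time_to_remediate(findings: list[Finding], severity: str) -> Optional[float]:
    """Mean days to close findings of the given severity; None if none closed."""
    closed = [age_days(f, f.fixed) for f in findings if f.severity == severity and f.fixed]
    return sum(closed) / len(closed) if closed else None


def sla_breaches(findings: list[Finding], as_of: date) -> list[tuple[str, str, int]]:
    """(host, plugin, age) for findings that exceeded their SLA, open or closed."""
    out = []
    for f in findings:
        limit = SLA_DAYS.get(f.severity)
        if limit is None:
            continue  # no SLA defined for this severity
        age = age_days(f, as_of)
        if age > limit:
            out.append((f.host, f.plugin, age))
    return out


def scan_gaps(scan_dates: list[date], max_gap_days: int = 7) -> list[tuple[date, date, int]]:
    """Pairs of consecutive scans further apart than the allowed cadence."""
    ds = sorted(scan_dates)
    return [(a, b, (b - a).days) for a, b in zip(ds, ds[1:]) if (b - a).days > max_gap_days]


if __name__ == "__main__":
    print("MTTR (high):", mean_time_to_remediate(FINDINGS, "high"), "days")
    print("SLA breaches:", sla_breaches(FINDINGS, AS_OF))
    print("cadence gaps:", scan_gaps(SCAN_DATES))
```

Two details matter in practice: an open finding is aged against the report date, not ignored, so a vulnerability nobody has touched still shows up as an SLA breach; and the cadence check is computed from when scans actually ran, not from when they were scheduled, which is how two-week gaps go unnoticed.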

Also coming out of the 30-day cybersecurity sprint was the government's plan to rapidly accelerate deployment of the second phase of the Department of Homeland Security's Continuous Diagnostics and Mitigation program, which can detect unauthorized access in near real time. The government also released new standards aimed at protecting potentially sensitive data on systems that contractors and other third parties use. It also expanded its intrusion-prevention system, EINSTEIN. EINSTEIN is an email and network monitoring technology that lets the Department of Homeland Security detect malicious traffic on government networks and block it before it can do harm.

Another major area of need addressed during the 30-day sprint was cutting the number of privileged users and implementing multifactor authentication through smart cards. Along with that, internet traffic monitoring was mandated government-wide. Agencies made great strides on these fronts. First, the share of federal civilian agency users (privileged and unprivileged) covered by strong authentication rose from forty-two percent to seventy-two percent, a thirty-percentage-point increase within the thirty-day sprint. Since the end of the sprint that coverage has continued to climb and is now near eighty percent. More than half of the largest agencies applied the same strong authentication to nearly ninety-five percent of their privileged users. Lastly, federal civilian agencies as a whole increased strong authentication for privileged users from thirty-three percent to around seventy-five percent, an increase of roughly forty percentage points.

The way the government bought, managed and secured IT systems and infrastructure also needed to change. Departments were given a thirty-day window to submit requests and comments on the new policy, which was expected to be released in December 2015. The new policy spells out agency-level CIOs' responsibilities more specifically, especially their authority to approve IT spending. CIOs would also be required to keep track of aging information systems, and the policy calls for a stronger approach to replacing, upgrading or retiring equipment. For system security it calls for ongoing authorization based on continuous monitoring instead of the periodic, point-in-time authorization check. The acquisition process was also redefined: instead of awarding a whole major IT project to one contractor, the project is to be broken into segments and each segment awarded separately. The White House also issued tougher guidance limiting contracts for basic commodities, ranging from desktops and laptops to vehicles. The new policy would recommend consolidating purchases with vendors already used in the past or by another department, rather than spreading contracts across a large number of vendors. Agencies would also have to produce quarterly and monthly reports, and attend TechStat sessions, which are face-to-face reviews of IT programs with agency leadership. Lastly, it would create government-wide software licenses to eliminate duplicate purchases at different prices. Many departments were found to have bought the same licenses as other departments, from the same company, at varying prices; government-wide licensing would limit this problem.

A major spending issue the government is looking to change is the end-of-year free-for-all spending spree agencies go on. Toward the end of every fiscal year, departments and agencies spend the rest of their remaining budget on unimportant or short-sighted projects out of fear of the use-it-or-lose-it budget model. This model encourages very short-term thinking and spending on frivolous projects just to avoid losing future budget. Roughly one third of a federal agency's budget is reported to be spent during this spree. The government's CIO is looking into other budget models that would promote long-term investment and forward-thinking projects. Two of the models being considered are those used by the Department of Veterans Affairs and the Department of Justice: the VA budgets in two-year cycles, and the DOJ allows unused IT funds to roll over from year to year. These are just a couple of the models under consideration.

There was also the question of the information stolen from each victim and what protection and monitoring to offer them going forward. To help the four million two hundred thousand people affected by the first breach, the government offered credit protection and monitoring, spending upwards of twenty-one million dollars on a free year-long subscription to CSID for everyone affected. This compensation has been met with a lot of push-back and criticism. Many of the people who accepted the subscription found that, having already had their personal information compromised, they now had to give this company even more personal information at registration. After registering, many started to receive solicitations by phone and email based on the information they had divulged to CSID. Enough people voiced their displeasure that the government contacted CSID to make sure anyone who signed up under the government offer did not receive these unwanted offers. CSID stated that it does not sell its clients' personal information to third parties, that the timing was merely a coincidence, and that this is spelled out in the privacy policy every client is supposed to read before agreeing to the service. For every affected person who registered, there were others who did not. One reason was that the notification email about the service went straight to their junk mail folder, which raised concern that it was not a legitimate email from the government but possibly another attack.
Some simply chose not to trust CSID and instead worked with a credit monitoring company they had used before and felt more comfortable with, even if that meant paying out of their own pocket. Others are waiting to see how the people who have already signed up fare, essentially using them as guinea pigs.

Also coming out of these breaches was the Office of Personnel Management's rewriting of its privacy regulations to allow investigators to probe all of its databases for breaches. Under the new rules, personal information may be shared with outside parties when a compromise is suspected or confirmed and disclosure is considered reasonably necessary. One reason this was done is that it allows organizations like CSID to receive certain agency-held personal data, such as names and email addresses.

The Office of Personnel Management also announced fifteen actions it would take to safeguard and upgrade the agency's information technology systems in the wake of the breaches. The actions fall into four groups: security improvements, consultation with outside experts, system upgrades, and accountability. The fifteen actions are: finish activating two-step ID checks, expand continuous monitoring, ensure permission to probe contractor systems, review encryption of databases, hire a cybersecurity adviser, consult private sector technology and cyber experts, seek more counsel from the inspector general, transition to a new IT architecture, finalize the budget and scope of the overhaul by the end of the fiscal year, request additional congressional funding, assess IT project performance, hold regular cyber awareness education sessions, establish incident response protocols, and comply with federal computer security laws. But many have lost confidence in OPM and its leadership, saying these actions are lip service to placate people after the breach and will not be followed through. They expect many of them to be started and then fall by the wayside quite quickly.

Someone within the government had to be blamed for these breaches, and that was the director of the Office of Personnel Management, Katherine Archuleta. She resigned amid the breaches and the uproar from other agencies. After learning of the two largest data breaches in US history, lawmakers in both the House and Senate had called for her removal; they had lost faith in her ability to run the agency competently. The deputy director for management took over upon her resignation.

Our Thoughts on part 2

The government taking the necessary steps to figure out how to solve this problem now, and putting measures in place to make sure it does not happen again, is a step in the right direction. The problem is that it came at the cost of over twenty-one million people's personal information. These people will now always have to worry that someone out there can pretend to be them, ruining everything their name holds and carries. For a policy issued in the early 2000s (the 2004 HSPD-12 mandate for smart-card-based identity credentials) not to be fully implemented across all agencies a decade later is a complete lack of control by the government. This incident could have been avoided altogether if something as simple as two-step authentication had already been in place, as it should have been. Many good policies and procedures are coming out of this, as tends to happen after a major incident; what is unacceptable is that these responses are reactive. Going forward, breaches of this magnitude should be harder to carry out against government systems and networks, because these breaches exposed the vulnerabilities and the government has put solutions in place to remedy them.

What happened to the government, and what it did and is doing going forward, is an important lesson for any organization. Making sure every policy that is in place is actually being followed is a key takeaway. So is continuously monitoring your systems and networks for flaws or gaps you are unaware of. All of this proves that no organization or entity is without faults and that things do go unnoticed, but it is important to proactively discover those faults and fix them before someone else discovers them and uses them for their own benefit or gain.