Imagine someone building a house with only a partial roof and expecting the rain to stay out. Ridiculous, right?
Federal officials now have a critical chance to make sure that scenario doesn’t play out in government cybersecurity strategy.
At issue are a pair of programs set up to defend federal computer networks and systems from attack. You may not have heard of them, but they have been the cornerstone of government cybersecurity efforts for years.
1. The Continuous Diagnostics and Mitigation program (CDM), established by the Department of Homeland Security in 2012 and managed by DHS’s Cybersecurity and Infrastructure Security Agency (CISA), provides tools and dashboards to more than 100 agencies for real-time risk monitoring and defense.
2. EINSTEIN, part of CISA’s National Cybersecurity Protection System, was created in 2003 to analyze the flow of network traffic to and from federal civilian executive branch agencies and detect and block malicious activity.
Both programs have had an important impact on federal cybersecurity through the years, but they have started to show their age and require significant updates to keep pace with a rapidly evolving threat landscape.
The biggest hole involves the kinds of systems and devices that CDM and EINSTEIN typically watch over.
Most agencies are fortunate to have strong technologies in place for protecting “managed devices” – traditional endpoints like servers and laptops that are controlled by agencies and set up and configured by their IT or security teams.
However, the world has seen an explosion of “unmanaged devices” – employee-owned smartphones and tablets, security cameras, building access systems, and much more that sit outside IT or security’s usual purview.
These technologies have delivered new efficiencies in the way we work, but the flipside is that they have introduced new vulnerabilities and complexities that legacy security technologies are not designed to identify, profile or defend.
Unmanaged devices have turned the once well-defined security perimeter into a dynamic, borderless frontier and have created visibility gaps that cyber criminals can exploit.
In fact, that is exactly what’s happening. Intrusions involving devices outside the traditional managed estate are growing sharply.
While the traditional perimeter security function remains important, “it is not sufficient for a cybersecurity program given the current threat landscape and the ability of bad actors to evade many perimeter security mitigations,” Rep. Andrew Garbarino (R-N.Y.), chairman of the House Homeland Security cybersecurity subcommittee, said at a Sept. 19 hearing.
“What’s more,” he added, “EINSTEIN has faced long-standing downsides, including limitations on detecting and preventing encrypted traffic and focusing only on what we already know is malicious traffic.”
CISA’s own Binding Operational Directive (B.O.D.) 23-01, issued in October 2022, articulates where we need to go. “Continuous and comprehensive asset visibility,” it says, “is a basic pre-condition for any organization to effectively manage cybersecurity risk.”
The directive calls for a combination of “asset discovery” (“an activity through which an organization identifies what network addressable IP-assets reside on their networks”) and “vulnerability enumeration” (detecting and reporting suspected vulnerabilities on those assets).
But in practice, CDM has been excluding many unmanaged devices. Not only that, but procurement and security teams tend to be siloed and don’t communicate much with each other, so they’re often not even talking about how to do better.
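The directive’s two activities, asset discovery and vulnerability enumeration, can be reconciled against a managed-asset inventory to surface exactly the gap the article describes. The following is an added example, not code from the article, CISA or Armis; the DHCP leases, inventory and scanner coverage are all constructed.

```python
"""Reconcile discovered network assets against a managed-asset inventory.

Added example: flags IP-addressable devices that asset discovery sees on the
wire but that the managed inventory and the vulnerability scanner never cover.
All data below is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed DHCP lease records: "<ip> <mac> <hostname>"
DHCP_LEASES = """\
10.20.1.10 aa:bb:cc:00:00:01 fileserver01
10.20.1.21 AA:BB:CC:00:00:02 laptop-jdoe
10.20.1.77 de:ad:be:ef:00:07 ipcam-lobby
10.20.1.80 de:ad:be:ef:00:08 android-8f3a
10.20.1.90 de:ad:be:ef:00:09 badge-reader-3
"""

# Constructed managed-asset inventory (CMDB export): MAC -> owning team
MANAGED_INVENTORY = {
    "aa:bb:cc:00:00:01": "infra",
    "aa:bb:cc:00:00:02": "endpoint",
}

# Constructed set of IPs the vulnerability scanner actually enumerated
SCANNED_IPS = {"10.20.1.10", "10.20.1.21", "10.20.1.77"}

@dataclass(frozen=True)
class Asset:
    ip: str
    mac: str
    hostname: str

def parse_leases(text):
    """Asset discovery step: turn lease lines into normalized Asset records."""
    assets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of aborting the sweep
        ip, mac, host = parts
        ipaddress.ip_address(ip)  # raises ValueError on a non-IP token
        assets.append(Asset(ip, mac.lower(), host))  # MACs compared case-insensitively
    return assets

def find_visibility_gaps(assets, inventory, scanned_ips):
    """Return (unmanaged, unscanned): discovered assets absent from the
    inventory, and discovered assets never covered by vulnerability enumeration."""
    unmanaged = [a for a in assets if a.mac not in inventory]
    unscanned = [a for a in assets if a.ip not in scanned_ips]
    return unmanaged, unscanned

if __name__ == "__main__":
    discovered = parse_leases(DHCP_LEASES)
    unmanaged, unscanned = find_visibility_gaps(discovered, MANAGED_INVENTORY, SCANNED_IPS)
    for a in unmanaged:
        print(f"UNMANAGED  {a.ip:<12} {a.mac}  {a.hostname}")
    for a in unscanned:
        print(f"UNSCANNED  {a.ip:<12} {a.mac}  {a.hostname}")
```

In this constructed data the camera is scanned but unmanaged, while the phone and badge reader are neither inventoried nor scanned, which is the combination of gaps the directive’s two activities are meant to close.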
There are positive developments: CISA officials say they intend to revamp and improve these programs.
For example, in an RFP issued in July, CISA acknowledged that “the evolutions of technologies and threat landscapes have highlighted limitations in the EINSTEIN capabilities and the benefits it provides.” CISA said it “plans to modernize the legacy capabilities used under the EINSTEIN program to detect threats targeting federal networks.”
President Biden’s fiscal 2024 budget proposal includes $408 million for CDM that could be used to modernize the program. It also earmarks a $425 million request for the Cyber Analytics and Data System, or CADS, which is meant to restructure EINSTEIN.
But the devil will be in the details, and the starting point in these programs’ modernization should be a comprehensive, next-generation strategy to give agencies complete visibility of all managed and unmanaged assets. After all, you can’t protect what you can’t see.
This holistic approach should go beyond merely identifying and cataloguing devices and enable a deep understanding of how those assets depend on one another. That way, federal security teams can gain true situational awareness as they work to protect their entire enterprises.
CISA also should change its procurement processes to expedite purchase and implementation of newer technologies purpose-built for today’s changed attack surface.
Legacy contracts and programs with existing providers and solutions are routinely extended. That may save time, but it also prevents the innovation and collaboration needed to address modern threats.
The bottom line is that what may have worked in the past no longer suffices. Cyber criminals are moving faster than ever, and the federal government has to up its game too. Now.
Brian Gumbel is president of Armis, the asset intelligence cybersecurity company.
© 2023 Federal News Network. All rights reserved.