Increasingly sophisticated threats against the country’s cyber-infrastructure mean the country has to invest in protecting against, detecting, mitigating, and recovering from cyber-incidents.
One way to improve cyber-security is to adopt continuous network monitoring, according to a recent report from the Center for Strategic & International Studies (CSIS), a private institution that focuses on international public policy issues.
Network monitoring allows organizations to observe what is happening on the network, generate quantifiable data to identify and measure risk, and take rapid action to solve problems, according to the report, released Tuesday by the Technology and Public Policy Program at CSIS. This approach reduces the avenues a potential attack can take and forces adversaries either to develop more expensive techniques or to give up.
Continuous monitoring, measurement, and mitigation are highly effective in addressing real threats in an environment where attackers are moving quickly, the report said. Continuous diagnostics and mitigation replace periodic compliance reporting, allowing an agency to detect anomalous behavior and address common vulnerabilities faster and more effectively.
“Our adversaries are well equipped and agile. Our defenses must be equal to the threat, and they are not,” wrote James A. Lewis, a senior fellow and director of the CSIS Technology and Public Policy Program, and one of the report’s authors.
Government agencies often spend tens of millions of dollars on reports and processes that meet certification and compliance requirements but do little to enhance security. Oversight groups such as the Government Accountability Office are also “wasting time,” releasing reports on whether agencies are complying with “outdated policies,” the report’s authors wrote. These reports incentivize “exactly the wrong behavior among agencies,” according to the report.
The Federal Information Security Management Act of 2002 requires agencies to report regularly to the Office of Management and Budget (OMB) and Congress about their security efforts. OMB shifting the focus of FISMA to continuous monitoring instead of sticking with the current compliance-based approach would be the “single most important action OMB can take for cyber-security,” the authors wrote in the report.
The compliance-based approach is expensive and insufficiently dynamic to account for threats, the report said. Managers also did not receive adequate information to make timely decisions about the risks facing their networks. Automating critical controls and comparing the status of the network against known issues and configuration provides “daily, authoritative data on the readiness of computers” in case of an attack, the report said.
The report cited the State Department implementing automated security management for over 85,000 systems in 2009 as an example. The scoring system gave administrators “unequivocal information” on which security actions were the most important to implement. In the first year, the risk “score” for computers across the department dropped by nearly 90 percent. After a critical vulnerability in Internet Explorer was disclosed, it took the Defense Department, with its compliance-based approach, two months to get 65 percent of the systems patched, compared to 89 percent of State Department systems in 11 days.
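The State Department scoring system described above is only summarized in the report, so the following is an added example, not the department's actual formula or any code from CSIS. It shows the mechanism in miniature: automated findings (missing patches, configuration defects, stale scans) are turned into a per-host risk score, hosts are ranked, and the scorer reports which single action would lower the fleet-wide score the most, which is the kind of "unequivocal" prioritization the article attributes to the State Department. The weights, finding names, patch identifiers and inventory are all constructed for illustration.

```python
"""Toy continuous-monitoring risk scorer (added example, not the State
Department's or CSIS's code). Weights and inventory are constructed."""
from dataclasses import dataclass, field

# Assumed weights: higher severity and longer exposure raise the score.
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}
CONFIG_WEIGHT = {
    "missing_host_firewall": 3,
    "default_admin_password": 8,
    "antivirus_outdated": 4,
}
STALE_SCAN_DAYS = 7    # a host not scanned within a week is "unknown" ...
STALE_PENALTY = 25     # ... and unknown state is itself treated as risk


@dataclass
class Host:
    name: str
    # patch id -> (severity, days the patch has been outstanding)
    missing_patches: dict = field(default_factory=dict)
    config_findings: list = field(default_factory=list)
    days_since_scan: int = 0


def score_host(host: Host) -> int:
    """Risk score for one host; higher means act sooner."""
    score = 0
    for severity, days_open in host.missing_patches.values():
        # exposure grows with time: weight * (1 + weeks outstanding)
        score += SEVERITY_WEIGHT[severity] * (1 + days_open // 7)
    for finding in host.config_findings:
        score += CONFIG_WEIGHT.get(finding, 1)
    if host.days_since_scan > STALE_SCAN_DAYS:
        score += STALE_PENALTY
    return score


def rank_hosts(hosts):
    """Hosts ordered from riskiest to least risky (name breaks ties)."""
    return sorted(hosts, key=lambda h: (-score_host(h), h.name))


def fleet_score(hosts) -> int:
    """Department-wide score: the number the report says dropped ~90%."""
    return sum(score_host(h) for h in hosts)


def remediate(hosts, patch_id):
    """Inventory as it would look once patch_id is applied everywhere."""
    return [
        Host(h.name,
             {k: v for k, v in h.missing_patches.items() if k != patch_id},
             list(h.config_findings), h.days_since_scan)
        for h in hosts
    ]


def top_actions(hosts, n=3):
    """Rank single actions by how much fleet score each would remove."""
    reduction = {}
    for h in hosts:
        base = score_host(h)
        for pid in h.missing_patches:
            fixed = Host(h.name,
                         {k: v for k, v in h.missing_patches.items() if k != pid},
                         h.config_findings, h.days_since_scan)
            key = f"patch {pid}"
            reduction[key] = reduction.get(key, 0) + base - score_host(fixed)
        for f in h.config_findings:
            fixed = Host(h.name, h.missing_patches,
                         [x for x in h.config_findings if x != f],
                         h.days_since_scan)
            key = f"fix {f}"
            reduction[key] = reduction.get(key, 0) + base - score_host(fixed)
    return sorted(reduction.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


# Constructed inventory; patch ids are placeholders, not real advisories.
INVENTORY = [
    Host("ws-101", {"KB-EXAMPLE-1": ("critical", 14),
                    "KB-EXAMPLE-2": ("low", 3)}, ["antivirus_outdated"], 1),
    Host("ws-102", {"KB-EXAMPLE-1": ("critical", 14)}, [], 2),
    Host("srv-db-01", {}, ["default_admin_password"], 0),
    Host("ws-103", {"KB-EXAMPLE-3": ("medium", 30)},
         ["missing_host_firewall"], 12),
]

if __name__ == "__main__":
    for h in rank_hosts(INVENTORY):
        print(f"{h.name:10} score={score_host(h)}")
    print("fleet score:", fleet_score(INVENTORY))
    print("highest-value actions:", top_actions(INVENTORY))
    print("fleet score after KB-EXAMPLE-1 everywhere:",
          fleet_score(remediate(INVENTORY, "KB-EXAMPLE-1")))
```

The point of the design is the one the report makes: the score is recomputed from live findings every day, so a stale scan is penalized rather than silently counted as compliant, and the action list tells an administrator what to do next instead of whether a form was filed.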
Congress has passed laws and issued policies to address cyber-threats since the 1980s, Lewis wrote. While the “underlying principles” of managing and mitigating risk haven’t changed, technological changes and advancements mean the laws and policies have to be periodically reviewed and updated.
Implementing the recommended changes would make government cyber-assets more secure without spending more money, Lewis said. If the recommendations are not deployed, agency staff and oversight groups would continue to “waste scarce resources” on strategies that do little to mitigate risk, Lewis said.
“While one might argue that more resources need to be spent on cyber-security in the current threat environment, the fiscal situation argues for first assuring that every dollar spent on cyber-security be spent wisely and allow for more rapid adoption of cheaper and more efficient technologies,” Lewis said.
CSIS says that its research is nonpartisan and nonproprietary, and that the organization does not take specific policy positions.
The full report is available here in PDF format.