There’s a joke often told to warm up crowds wherever CISOs gather. It goes something like this: an outgoing CISO hands his replacement a series of letters. He tells her to open them when a breach is discovered, one by one. The first one says: “Blame me.” The second one says: “Blame China.” The third one says: “Write three letters.”
As we move well past the first 100 days of the new Administration, the security of Federal data is now something that the Trump Administration will own in the event of a breach. The window in which Sean Spicer will credibly be able to say, “the infiltration occurred during the last Administration; we detected it and have stopped any further loss of data” is closing.
Estimates vary, but it takes most organizations between 99 and 200 days to detect an intrusion. By that reasoning, sometime after August 8, the Trump Administration won’t have anyone else to blame (the OPM intrusion used up the China excuse… sorry).
In many respects, the Trump Team deserves credit for sticking to the game plan on cybersecurity first laid out by the Bush Administration and expanded by President Obama: a focus on public-private partnership, a recognition that military solutions have limited value, and a heavy emphasis on improving Federal hygiene and modernization. All those elements come through clearly in the executive order of May 11.
But after OPM, the emphasis on patching vulnerabilities and eliminating legacy IT systems always felt misplaced. Yes, the OPM incident showed the poor state of cybersecurity hygiene and exposed the problem of legacy systems that cannot be secured. But more to the point, it showed that Chinese cyber actors had compromised one of our most vital repositories of information. And it raises the question: did they compromise other ones?
After OPM, I was expecting other agencies to fall like dominoes. Yet two years later, the only systems outside of OPM known to be compromised were at the Department of Interior, which were compromised as part of the same campaign. While the Obama Administration made an effort to inventory high value systems, a follow-on effort to determine whether they were compromised never materialized.
As we are still in the early days of the new Administration, it’s a good time to make a full-court press to find and root out malicious actors inside government networks. As CIOs are appointed to each of the cabinet agencies, each of these appointees should have as their first priority conducting a systematic compromise assessment of their networks and systems.
These assessments should be conducted by third parties (yes, Cylance has this capability, but so do a host of other companies). While NSA’s Blue Hunt Team and DHS’s US-CERT both have good capabilities, they alone cannot operate at the scale necessary. Third-party compromise assessments will either find ongoing malicious activity, find traces of past activity, or give networks a clean bill of health.
Moving forward, as the Trump Administration continues to press improved hygiene and modernization, a process that is likely to continue for more than a decade, Federal agencies need to build the capacity to hunt for threats on a continual basis. Otherwise, improvements in hygiene are likely to be the equivalent of locking the door to the hen house after the fox is inside.