President Barack Obama’s budget proposal for fiscal 2017, unveiled yesterday, brings a welcome 35 percent increase for cybersecurity. As part of the plan, the creation of a federal Chief Information Security Officer (CISO) position was also announced, paralleling what most major organizations already do to coordinate information security and risk. Yet the devil will be in the details for this new spending and new position.
Will the United States' CISO have any real authority? Will the new hardware and software bought with these funds be as insecurely configured or poorly implemented as the current systems? Two weeks ago Rob Joyce, chief of the NSA's Tailored Access Operations (TAO), publicly reminded defenders that attackers know what actually is on a target network, whereas agency leaders often only think they know their own information environment. What should be and what is are often different, and this delta is usually the most fertile area of the attack surface.
This additional funding should be applied in two ways, first addressing the present and second looking to the future:
1) Compel federal government agencies to prove they are doing the basics:
- inventory authorized and unauthorized devices (know what you’ve got)
- inventory authorized and unauthorized software (know what it’s running)
- reduce and control use of admin privileges
- read your logs (yes, really read them!)
- establish secure configs for all apps and devices, roll them out, don’t deviate, and patch aggressively.
None of this is new, but actually doing it consistently would be novel for much of the U.S. government. The new CISO and cognizant officials can’t keep admiring the problem; they must actually measure progress and hold poor performers accountable.
2) Fund research and development for cybersecurity across disciplinary lines – computer science, engineering, policy, etc.:
- Attribution of cyberthreats
- Consumer-facing privacy
- Cyber-physical systems
Reward those working on hard problems and seek revolutionary gains. Don’t be afraid to fail. Create the next!
Michael Farrell is chief scientist for the Cyber Technology & Information Security Lab (CTISL) and associate director of attribution for the Institute for Information Security & Privacy (IISP) at Georgia Tech.
Last revised May 15, 2020