Lessons learned: Former DHS CIO discusses challenges facing today’s government CIOs and CISOs and offers advice on proactive measures to combat cyber threats in this recent interview with ActiveCyber.
I was delighted to sit down with Richard Spires recently to discuss his views on cybersecurity, how the recent OPM breach has changed things for government agencies, and what can be done to improve our cyber defenses and strengthen our overall cyber management practices. Richard drew upon his extensive practical experience leading up to and including his tenures as CIO of DHS and IRS, as well as his current position as the CEO of Resilient Network Systems, to provide insight into these and many more topics. Learn about Richard’s views on the current cyber defense challenges facing government CIOs and CISOs and his recommendations on how to proactively deal with these challenges in this interview.
Spotlight On Richard Spires
» Title: Former CIO of DHS and IRS, CEO of Resilient Network Systems in San Francisco, CA
» Email: email@example.com
» Website: http://www.resilient-networks.com
» LinkedIn: https://www.linkedin.com/in/richardspires
Read his bio below.
September 28, 2015
Chris Daly, ActiveCyber: Richard, your recent testimony to the Senate Appropriations Subcommittee on the OPM Data Breach outlined the need for more innovative and streamlined acquisition processes to put emerging and adaptive security tools in the hands of agencies faster to meet the growing cyber threat. Can you provide some examples of the critical cyber technology gaps that need to be addressed?
Richard Spires: Given the number and diversity of federal government agencies, it is not surprising that agencies have widely differing cyber security needs and current postures. But with that caveat, I would say that the approach to implementing FISMA over the past decade has led to a situation in which federal agencies have focused on static views of security controls at a system level. This has led agencies to a position in which they lack real-time insight to the posture of their networks and systems. Certainly with the CAP cyber goals and the continuous diagnostics and mitigation (CDM) program, agencies are working to shift their focus to continuous monitoring, and they are beginning to make progress, but given the complexity of many of the agency IT environments, this is a slow and laborious process.
Frankly, another area of concern is identity, credential, and access management (ICAM). HSPD-12 mandates existed for a decade in which civilian federal agencies were supposed to use the PIV card for logical network access control. It has taken a wake-up call, the OPM data breach, for agencies to get serious regarding enhanced identity authentication to access government systems and sensitive data. That is goodness. Yet today, there are ICAM solutions that are more cost effective, easier for users, and just as secure as the use of physical smart cards. It is not surprising, but a bit disappointing, that once the federal government does get serious about implementing multi-factor authentication, they rely on solutions that are costly to scale and maintain in comparison to other suitable solutions available from industry.
Finally, as you allude to in your question, the acquisition process does not help, in which it can sometimes take years to get new capabilities bought and deployed within agencies. The CDM program, itself, is such an example of a government-wide vehicle that is taking years to make a full suite of continuous monitoring capabilities available for agencies. As I testified, it is very difficult for agencies to protect against advanced adversaries when they cannot procure state-of-the-art cyber security capabilities in a timely manner.
Daly: Your testimony also focused on the need to improve cyber management practices, especially the need to strengthen the role of the CIO and CISO in the overall IT security strategy and operations of the agency. How will these roles change by the adoption of FITARA and how can security automation improve the central role of the CIO and CISO envisioned under FITARA as well as the overall effectiveness of a security program?
Spires: It is exceedingly difficult to protect IT systems you do not manage, and impossible when you don’t even know they exist. The largely distributed nature of IT management in large federal government agencies has led over time to a situation in which the agency CIO and CISO are in the position of not controlling how many of the agency IT systems are designed, deployed, and operated. That dynamic extended to OPM, which is small in comparison to most of the federal government’s agencies. While FITARA was not passed as a means to help address our cyber security vulnerabilities, good IT management disciplines across an agency’s total IT environment are foundational for cyber security success. My hope is that FITARA will be effectively implemented so the federal government can begin to more effectively manage IT, which will over a period of years, not only save money and improve our security posture, but help agencies be more effective in carrying out their missions.
To your point on security automation, certainly a key element of effective management of a complex IT environment is to bring automation to management processes, which encompasses security as well. Phase 1 of the CDM program is meant to help agencies do just that. But to be effective, a top-down driven approach from an empowered CIO and CISO is needed to enforce the use of such capabilities across an agency’s IT environment. Too often, the agency CIO or CISO is not able to drive discipline across all systems, resulting in significant vulnerabilities that sophisticated adversaries can find and exploit. That needs to change, and I hope that with the OPM data breach as the wake-up call and FITARA as the mechanism, the federal government makes the cultural shift necessary to address these management shortcomings.
I would note that many of the same challenges apply to private sector organizations as well – this is not just a government problem.
Daly: Spear phishing continues to plague agencies despite efforts to improve security awareness of agency personnel. Now, as a result of the OPM Data Breach, the possibility of very targeted phishing attacks will likely increase. What types of adaptive security defenses, and proactive trust management / security awareness approaches do you believe could help in this area?
Spires: First, let me state that while we should continue to educate users on cyber security threats and adversary techniques, like the use of spear phishing, the CIO or CISO must assume that a certain percentage of their users will make mistakes and as a result, adversaries will be able to introduce malware and gain at least initial penetration of systems. Given that, IT leaders need, as you state in the question, adaptive security defenses and proactive trust management. Providing these capabilities falls into three areas:
- There is without a doubt a continuing need to pursue cyber security tools to prevent intrusions, but perhaps even more importantly, detect them quickly when intrusions do occur. With enhanced automated protection, network defenders can then focus on detecting and remediating only the most sophisticated and potentially dangerous attacks – rather than trying to decide which of the seemingly endless alerts to pursue today. The cyber security industry has made great strides in these areas in the last few years, and organizations should be using the most advanced tools for prevention and detection that leverage threat intelligence from users all over the world.
- Yet even with the most advanced prevention tools, sophisticated adversaries will still gain access. So alternative approaches are needed, and in particular, ones that rely on creating more trust in access control. The root of all trust is verified identity. I must know that it is who I believe he/she/it to be, and in the online world, multi-factor authentication methods are key to doing that. There are a plethora of newly available technologies to enable multi-factor authentication for both internal as well as external users. Organizations need to step back and rethink how they very rapidly implement ubiquitous use of multi-factor identity authentication. Even though the root of trust is identity, there is more to the trust equation. In the “physical” world, I trust another because I have high confidence they will act in a manner that I expect. Some of the most damaging data breaches have come from individuals that were properly authenticated and authorized to use systems and access data. Their behavior, however, was not in keeping with what was expected. This is commonly called the insider-threat problem. There are new technologies and capabilities today that can bring in other context, such as an audit log or behavioral analysis systems to assess someone’s trustworthiness on a regular basis. These additional factors, beyond those used to assess authenticity, are key to fully establishing and monitoring trust.
- Finally, agencies need to target additional protection of their most sensitive information, whether it is data sets or documents. Tools and products exist that enable agencies to protect information, independent of the likely insecure environment in which they operate. Organizations should focus on their most sensitive information, ensuring that only trusted parties have access to this information. This approach would go a long way toward thwarting or at least limiting major and damaging data breaches.
Daly: It has been often stated that the increase in complexity of systems is outstripping the ability of system designers and managers to effectively build and maintain secure systems. For example, a major architectural flaw that resulted in a memory sinkhole and a new class of exploits in older generations of Intel-based chips was announced at the recent Black Hat conference. This flaw was hidden in the complexity of multiple changes and versions over the last 20 years of chip design and development. The increasing degree of complexity also seems to pervade the entire stack. What can system managers do to proactively address this rising tide of complexity as it relates to securing systems and maintaining security situational awareness?
Spires: You are absolutely correct that complexity is a major reason why it is exceedingly difficult for organizations to maintain a good cyber security posture. As I alluded to earlier, the distributed nature of IT management in the federal government has added to this complexity, making the CISO’s job in an agency even more challenging. I have been an advocate of working to drive simplification in an agency’s IT environment. But whether it is government or a private sector organization, the place to start is in IT infrastructure. As networking and compute platforms have become more standardized, organizations can drive significant simplification (and cost savings) by rationalizing and consolidating their IT infrastructure. And with today’s cloud service providers, much of that can be done with an outsourced, consumption-based model. The security benefits for such simplification are manifold, to include much improved ability to continuously monitor your IT environment, to simpler configuration and patch management, and to better approaches to implementing data protection capabilities.
Daly: Identity, Credentialing, and Access Management (ICAM) are important security pillars and have received increased attention by the Administration as evidenced by NSTIC and FICAM efforts. However, despite this increased focus, the results overall seem to be less than stellar. What key management, standards, and technology advances seem to be missing? How will migration to cloud-based environments change how ICAM must be delivered for better security and efficiency?
Spires: I would agree that ICAM is still an area in which, from an operational and management perspective, organizations struggle. There is a plethora of products that help an organization manage the identities for individuals it provisions (such as employees, support contractors, etc.), but as organizations scale and need to work more with partners and their customers (or citizens for government agencies), the need to continue to provision users and manage their identity information becomes daunting, and results in an organization having greater liability in the case of a data breach. Federated ICAM solutions are meant to help ease the burden of managing those identities that are not a part of your organization, but they still replicate identity information and don’t address those liability issues of holding others’ identity information.
We need to move to the model of using authoritative data sources of identity (not replicating the data but accessing it only when necessary), and providing adaptive access control capabilities (e.g., using context as was described in the answer to question 3 above) to meet the trust requirements for a given access control decision. Such a capability must, to meet the requirements and scale, have a fully distributed architecture along with being flexible to meet the needs of many different types of organization. The company I am leading, Resilient Network Systems, is working directly on this challenge. Our distributed architecture platform enables organizations to use existing identity directories and other authoritative sources (whether owned by an agency or external to it) to specify and enforce the level of trust required in an access control decision.
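As an added illustration of the adaptive, context-aware access control described in this answer and in the earlier spear-phishing answer (example code written for this page, not Resilient Network Systems' platform or any agency's code), the policy below gives each resource a required trust level and derives a subject's effective trust from authentication strength plus context signals, so a properly authenticated and authorized user whose behaviour is far outside baseline is still denied. All user names, methods, scores and thresholds are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Tuple

# Identity assurance by authentication method (constructed scale for this example).
AUTH_STRENGTH = {"password": 1, "otp": 2, "piv": 3}

@dataclass
class Subject:
    user: str
    auth_method: str
    device_registered: bool
    anomaly_score: float      # 0.0 = normal, 1.0 = highly anomalous (assumed behaviour-analytics feed)
    roles: frozenset = field(default_factory=frozenset)

@dataclass
class Resource:
    name: str
    required_roles: frozenset # at least one of these roles must be held
    required_trust: int       # minimum effective trust for an access decision

def effective_trust(s: Subject) -> int:
    """Combine identity assurance with context into a single trust level."""
    trust = AUTH_STRENGTH.get(s.auth_method, 0)
    if not s.device_registered:
        trust -= 1            # unknown device lowers trust
    if s.anomaly_score >= 0.8:
        trust = 0             # behaviour far outside baseline: treat as untrusted
    elif s.anomaly_score >= 0.5:
        trust -= 1
    return max(trust, 0)

def decide(s: Subject, r: Resource) -> Tuple[bool, str]:
    """Return (allow, reason). Authorization alone is not enough; trust must meet the bar."""
    if r.required_roles.isdisjoint(s.roles):
        return False, "not authorized for resource"
    trust = effective_trust(s)
    if trust < r.required_trust:
        return False, f"trust {trust} below required {r.required_trust}"
    return True, f"trust {trust} meets required {r.required_trust}"

# Constructed sample resource: sensitive personnel records need HR role and PIV-level trust.
PERSONNEL_RECORDS = Resource("personnel_records", frozenset({"hr"}), required_trust=3)

if __name__ == "__main__":
    for subj in (
        Subject("alice", "piv", True, 0.1, frozenset({"hr"})),       # expected: allow
        Subject("bob", "password", True, 0.1, frozenset({"hr"})),    # weak authentication
        Subject("carol", "piv", True, 0.9, frozenset({"hr"})),       # insider-threat pattern
        Subject("dave", "piv", True, 0.1, frozenset({"finance"})),   # not authorized
    ):
        print(subj.user, decide(subj, PERSONNEL_RECORDS))
```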
Daly: Autonomous systems are becoming more prevalent as the Internet of Things and the era of unmanned devices begins to roll out. Do you believe that autonomous security capabilities are keeping pace with this new technology and what role do you believe that autonomous security capabilities have in the enterprise?
Spires: Autonomous security capabilities are not keeping pace to meet the burgeoning growth of the IoT. In manufacturing control systems, for instance, many vendors are still keeping their systems “closed” as a way to help secure that ecosystem. While it might help manufacturers in the near term, it is inherently self-limiting and impedes the level of innovation possible if one had a trusted, ubiquitous way to access devices and sensors across the network. I bring up that word “trust” again, but this time it includes additional concepts: a) can I uniquely identify a device or sensor and have trust that what it is doing or the information it is producing is correct; and b) how do I trust an individual or a device so it can access another device and take some type of action? These are complex problems to address, particularly as the scale of an ecosystem increases, both in terms of the number and diversity of the devices. There is a lot of work going on to help address these issues, but not dissimilar to a more standard computing environment, the security solutions are lagging the IoT innovation. I do believe that these IoT cyber challenges will only be solved with fully distributed solutions that can handle significant scale and diversity – traditional enterprise-based solutions are architecturally incompatible with the IoT.
Thanks, Richard, for sharing your significant insights across such a broad set of cybersecurity topics. I believe many of ActiveCyber’s readers will benefit from the lessons learned and insight you provide to create better and more proactive cyber defenses.
And thanks for checking out ActiveCyber.net! Be on the lookout for more articles and more interviews coming shortly. Please give us your feedback on this interview because we’d love to know some topics you’d like to hear about in the area of active cyber defenses. Also, email firstname.lastname@example.org if you’re interested in interviewing or advertising with us at ActiveCyber.
About Richard Spires
Richard A. Spires currently serves as the CEO of Resilient Network Systems, a San Francisco-based software firm that provides the Trust Network platform to bring trust to the cloud and the Internet of Things. Trust Networks virtualize real-world relationships and conditions of trust by resolving identities in the network and enforcing each party’s rules in transit.
Mr. Spires was appointed and served as the Department of Homeland Security’s (DHS) Chief Information Officer (CIO) from August 2009 till May 2013. In this capacity, Mr. Spires was responsible for the strategy and operations of the department’s annual $5.6 billion investment in Information Technology (IT). Mr. Spires also served as the Vice-Chairman of the Federal Government CIO Council and the Co-Chairman of the Committee for National Security Systems (CNSS), the committee that sets standards for the US Government’s classified systems.
Mr. Spires held a number of positions at the Internal Revenue Service (IRS) from 2004 through 2008. He served as the Deputy Commissioner for Operations Support, having overall responsibility for the key support and administrative functions for the IRS, to include Information Technology, Human Capital, Finance, Shared Services, Real Estate, and Security functions. Prior to becoming Deputy Commissioner, Mr. Spires served as the IRS’s CIO, with overall strategic and operational responsibility for a $2 billion budget and a 7,000-person Modernization and Information Technology Services organization. Mr. Spires led the IRS’s Business Systems Modernization program for two and a half years, which is one of the largest and most complex information technology modernization efforts undertaken to date.
From 2000 through 2003, Mr. Spires served as President, Chief Operating Officer, and Director of Mantas, Inc., a software company that provides business intelligence solutions to the financial services industry. Prior to Mantas, Mr. Spires spent more than 16 years serving in a number of technical and managerial positions at SRA International.
Mr. Spires currently serves on the Board of Directors of Learning Tree International (NASDAQ: LTRE) and Rate Reset Corporation. He is also on the Public Sector Board of Advisors for Palo Alto Networks (NYSE: PANW).
Mr. Spires received a B.S. in Electrical Engineering and a B.A. in Mathematical Sciences from the University of Cincinnati. He also holds an M.S. in Electrical Engineering from the George Washington University. Mr. Spires has won a number of awards for his leadership in IT, to include the 2012 Fed 100 Government Executive Eagle Award, TechAmerica’s 2012 Government Executive of the Year, and Government Computer News 2011 Civilian Government Executive of the Year, and was named a Distinguished Alumnus of the University of Cincinnati’s College of Engineering in 2006.
Spires mentioned CDM.
The need for disruptive Cyber Security is no more apparent than in the signature Department of Homeland Security remedy for Cyber Security termed Continuous Diagnostics and Mitigation (CDM), now being adopted by OPM and other government agencies. In essence, CDM provides a routine inventory of network assets intended to answer the questions: what devices are connected to the Internet, and who are the people operating these devices?
1. Just how does CDM prevent a future OPM Cyber attack? So much more is needed!
2. The problem with CDM is that its value is limited to post-Cyber attack. CDM does not deliver basic security in the form of protection against danger or loss.
3. What is needed is disruptive Cyber Security. Data encryption is an example of disruptive Cyber Security. We know this because industry and government are in conflict over who controls the data encryption keys. The direction of this issue is consequential to privacy and security.
4. Even more disruptive though is an organization policy not to use the Internet for proprietary information it cannot afford to lose. These measures are aimed at protecting against danger or loss and actually do so.