With some 40 pieces of cybersecurity legislation pending before Congress, FISMA II is one that has drawn significant attention from the government-contracting world. While most government agencies and federal contractors learned to check the box and implement whatever measures the act set as standards the first time around, FISMA II will demand more than that: instead of being compliance focused, the new bill will introduce performance-based standards and guidelines.
When federal government officials testified before the House subcommittee last month, they all acknowledged that while FISMA had somewhat improved cybersecurity, the overall results did not impress.
“Despite the improvements as reported by agencies, the federal government’s communications and information infrastructure is still far from secure,” said Vivek Kundra, federal chief information officer. “The FISMA measures reported on annually have led agencies to focus on compliance. However, we will never get to security through compliance alone.”
While FISMA originally may have been a good idea to introduce some standards across the federal government, it turned into more of a paperwork-compliance exercise than really addressing the core issues of securing networks and securing data, said Michael Markulec, chief operating officer at Lumeta, a network mapping and discovery company.
“While initially a very positive step in terms of standardizing practices across the federal government, I think it has gotten a little bit out of control,” he told The New New Internet. “My hope for FISMA II and some of this streamlined reporting is that some of the dollars that are being spent on the reporting compliance side can go back to really supporting securing the network and securing the underlying data to make sure that our critical infrastructure is protected.”
Looking at metrics and standards that could help strengthen cybersecurity through FISMA II, Markulec said what really needs to be highlighted is the number of security personnel and monitoring statistics around attack vectors, with a certain focus on vulnerabilities and compliance with regulations around things like Federal Desktop Core Computing.
“How many devices are in or out of compliance? You argue whether this is the right standard or not, but at least there is a standard out there,” he said. “But I also think they need to reach beyond the traditional security metrics that I have described and look at some of the policy-based ones. They need to make sure the policies are being adhered to, and not reported around.”
With constant emphasis on technology and not enough focus on people and processes, the current discussions on cybersecurity tend to lack an important aspect, he noted.
“While you can deploy the world’s best technology and you can hire the world’s best people, if you don’t have good processes in place on how you handle data and how you secure your network, how you handle things like access control, then the rest of it doesn’t do you anything good,” Markulec said.
Case in point: social engineering. Instead of exploiting flaws in technology, spear phishers make use of human vulnerabilities to get what they want. With some good old data mining, social-engineering efforts and hacking toolkits, attackers can easily gain enough of an advantage to cause serious damage, he said.
“That kind of combination of social engineering, data mining and sophisticated hacking tools has elevated the hacker side’s [cyber criminals and cyber terrorists] game,” Markulec said. “I think from a defensive standpoint, we need to continue to look at how we address that — how we address the data that we put out so that it can’t be used against us. How we protect ourselves from the social-engineering side, as well as putting in the technology to block the attack vectors.”
Lack of education and not giving people the ability to do their job better can lead to these successful attacks, Markulec said. For example, a supply sergeant who wants to do his job better buys a wireless access point so he can work from anywhere in the supply depot. He has created a vulnerability in the network, but he did it with positive intentions, Markulec said.
“I don’t think it is neglect, I don’t think it is willful negligence,” he said, referring to the scenario. “I think it is folks who want to do their jobs better and want to be more efficient in what they do, and want to leverage the technologies out there.”
When Markulec wrote an op-ed in The New York Times two years ago, he noted cybersecurity had “left a gaping hole in the United States’ national security system.” Since the publication of the piece, he acknowledges that while progress has been made, especially on the technology side, there is still plenty of work to be done.
“I still think it comes down to those other two legs of the stool that we need to continue to reinforce: people and process,” he said. “And we see some of it. I talked to some university professors and we are starting to see information assurance and training popping up in places like the community college level. We are seeing master’s degrees offered in security and information management. I think we are moving in the right direction, but we need to continue and reinforce it.”