Security Architecture

Federal Agencies Respond to 2017 Cybersecurity Executive Order

The U.S. Department of State, the Department of Homeland Security (DHS), the Department of Commerce, and the Office of Management and Budget (OMB) last week published reports in response to the cybersecurity executive order signed by President Donald Trump last year in an effort to improve the protection of federal networks and critical infrastructure against cyberattacks.

Department of State on deterring adversaries

The Department of State has published two reports with recommendations to President Trump on reducing the risk of cyber conflict, deterring malicious actors, maintaining an open and interoperable Internet, and protecting the country's cyber interests through international cooperation. The State Department believes the United States can deter both state and non-state actors using two approaches: improving the security of its networks, and through "cost imposition."

The goal is to prevent cyberattacks that can be classified as use of force, and a long-lasting reduction of less serious destructive and disruptive activities that fall below the use of force threshold. "The President already has a wide variety of cyber and non-cyber options for deterring and responding to cyber activities that constitute a use of force. Credibly demonstrating that the United States is capable of imposing significant costs on those who carry out such activities is indispensable to maintaining and strengthening deterrence," the State Department's report reads.

It adds, "With respect to activities below the threshold of the use of force, the United States should, working with like minded partners when possible, adopt an approach of imposing swift, costly, and transparent consequences on foreign governments responsible for significant malicious cyber activities aimed at harming U.S. national interests." Criminal charges, prosecutions and sanctions can represent an efficient deterrent, but the government should make it clear to potential adversaries that they would face consequences if they engage in malicious cyber activities. However, these types of actions may not deter some threat actors, such as terrorists, in which case the solution is increasing the operational cost and complexity for the adversary to achieve its goal, the State Department said.

OMB report on cybersecurity risk determination

The Executive Office of the President through the OMB has published a Federal Cybersecurity Risk Determination Report and Action Plan, which assesses cybersecurity risk management capabilities across federal agencies and provides recommendations on addressing gaps. An analysis of 96 civilian agencies showed that 71 of them had been assigned an "At Risk" or "High Risk" rating for their ability to identify, detect and respond to cyber incidents and recover from them.

"OMB and DHS also found that agencies are not equipped to determine how malicious actors seek to gain access to their information systems and data. This overall lack of timely threat information means agencies are spending billions of dollars on security capabilities without fully understanding the dangers they're facing in the digital wild. This situation creates enterprise-wide gaps in network visibility, IT tool and capability standardization, and common operating procedures, all of which negatively impact Federal cybersecurity," the OMB said in its report.

The OMB and DHS have detailed the actions required to address cybersecurity risks and say they have already started implementing them.

Department of Commerce and DHS on enhancing resilience against botnets

The Department of Commerce and DHS have published a report on enhancing the resilience of the Internet against botnets and other automated threats.

After collecting data on the matter, the agencies determined that international collaboration is needed due to many devices ensnared by botnets being located outside the U.S. They also believe this challenge can only be solved through collaboration between different stakeholders. The organizations found that while the tools and processes required to address the problem exist, they are not applied in some market sectors due to various reasons, including budgets, lack of awareness, lack of incentives, and insufficient technical expertise.

"The recommended actions and options include ongoing activities that should be continued or expanded, as well as new initiatives. No single investment or activity can mitigate all threats, but organized discussions and stakeholder feedback will allow us to further evaluate and prioritize these activities based on their expected return on investment and ability to measurably impact ecosystem resilience," reads the report from the DHS and the Department of Commerce.

DHS and Commerce on cybersecurity workforce

The DHS and the Commerce Department also published a report on supporting the growth and sustainment of the United States' cybersecurity workforce. According to the report, there had been nearly 300,000 cybersecurity-related job openings in the United States as of August 2017. The agencies believe veterans represent an underutilized workforce supply, and women and minorities are underrepresented in the field.

They admit that while pay for cybersecurity roles is typically above average, the government pays cybersecurity staff below the level needed to attract the necessary talent. "A successful cybersecurity workforce strategy for the Nation should include an enhanced focus upon the value of diversity and inclusion and convert it into a potent resource that can be used to great advantage. Fostering and sustaining a diverse workforce will support the ability to find new talent to carry out this effort and to uncover novel ways to solve problems.

Integrating cyber security concepts into our primary and secondary education curricula will generate early interest in cyber security in a manner that cuts across all sectors of American society. Among workforce-aged adults, veterans, women, minorities, and the economically disadvantaged should be aggressively recruited, without compromising required standards," the report reads.

Related: U.S. Energy Department Unveils Multiyear Cybersecurity Plan

Senator Asks DoD to Secure Its Websites

Senator Ron Wyden (D-Ore.) on Tuesday asked the chief information officer at the U.S. Department of Defense (DoD) to take immediate action to ensure that the organization’s websites use HTTPS. The senator noted that some of the DoD’s websites, such as the ones belonging to the NSA, the Army and the Air Force, do use HTTPS by default and certificates trusted by major web browsers, but many other sites either don’t use HTTPS at all or they rely on digital certificates issued by the DoD Root Certificate Authority.

Certificates issued by the DoD itself trigger security warnings in browsers. The list of websites that do not use HTTPS includes the ones of the Navy, Marines, and even the CIO’s official website hosted at dodcio.defense.gov.

Sen. Wyden believes the security warnings displayed for HTTP sites will “erode the public’s trust in the Department and its ability to defend against sophisticated cyber threats” and “actively degrade the public’s security by teaching users to treat security warnings as irrelevant.” The lawmaker has pointed out that memo M-15-13 issued by the Office of Management and Budget (OMB) in 2015 requires all federal agencies to secure their websites by enabling HTTPS and enforcing HSTS. Furthermore, a Binding Operational Directive issued last year by the Department of Homeland Security (DHS) requires all agencies to start using web and email security technologies such as HTTPS, DMARC and STARTTLS.

The senator also noted in his letter that Google’s Chrome web browser will soon start marking HTTP pages with a red “Not Secure” warning. The CIO of the DoD, Dana Deasy, has been instructed to direct all agencies to enable HTTPS with HSTS on all public web services, obtain and deploy certificates trusted by major browsers, and evaluate the use of shorter-lived certificates such as the ones offered by Let’s Encrypt. An action plan and progress report must be provided by the DoD by July 20.
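The controls the letter asks for (HTTPS reachable with a browser-trusted certificate, plain HTTP redirected to HTTPS, and an HSTS policy) can be checked mechanically. The following is an added example, not code from the article or from the DoD; it evaluates constructed probe records rather than contacting any host, and the one-year minimum HSTS max-age is an assumption of the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Probe:
    """Constructed record of what one host returned; a hypothetical capture, not real data."""
    host: str
    http_status: int              # status of the plain http://host/ response
    http_location: Optional[str]  # its Location header, if any
    https_ok: bool                # TLS handshake with a browser-trusted chain succeeded
    https_headers: Dict[str, str] = field(default_factory=dict)


def parse_hsts(value: str) -> Optional[Tuple[int, bool, bool]]:
    """Parse Strict-Transport-Security into (max_age, includeSubDomains, preload); None if malformed."""
    max_age, subdomains, preload = None, False, False
    for directive in value.split(";"):
        directive = directive.strip().lower()
        if directive.startswith("max-age="):
            try:
                max_age = int(directive.split("=", 1)[1].strip('"'))
            except ValueError:
                return None
        elif directive == "includesubdomains":
            subdomains = True
        elif directive == "preload":
            preload = True
    return None if max_age is None else (max_age, subdomains, preload)


def assess(p: Probe, min_max_age: int = 31536000) -> List[str]:
    """Return the gaps against 'HTTPS with HSTS and a trusted certificate'; [] means compliant."""
    findings = []
    if not p.https_ok:
        findings.append("no HTTPS with a browser-trusted certificate")
    target = p.http_location or ""
    if not (p.http_status in (301, 302, 307, 308) and target.startswith(f"https://{p.host}")):
        findings.append("plain HTTP is served without redirecting to HTTPS")
    headers = {k.lower(): v for k, v in p.https_headers.items()}
    raw = headers.get("strict-transport-security") if p.https_ok else None
    hsts = parse_hsts(raw) if raw else None
    if hsts is None:
        findings.append("HSTS header missing or malformed")
    elif hsts[0] < min_max_age:
        findings.append(f"HSTS max-age {hsts[0]} is below the assumed minimum {min_max_age}")
    return findings


# Constructed sample probes (hypothetical hosts, not real measurements)
SAMPLES = [
    Probe("www.example.mil", 301, "https://www.example.mil/", True,
          {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    Probe("legacy.example.mil", 200, None, False, {}),
]
```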

The senator is well regarded by many in the cybersecurity industry for his initiatives. One of his advisers is privacy researcher and activist Christopher Soghoian, formerly principal technologist at the American Civil Liberties Union.

Related: Security of U.S. Government Sites Improved Only Slightly

Related: DMARC Not Implemented on Most White House Email Domains
