Saturday, July 11, 2015

Katherine Archuleta - Is she the only one leaving?? Clear the room of the bureaucrats.

I purposefully don't criticize government in writing. But... I watch in horror at the continued mishandling of the breach at OPM. While I'd completely agree that Katherine Archuleta should be fired (note I didn't say resign --she should have been fired), the bigger question (for me) is, where's the information security team in all of this?

I've been digging through the sexy graphic that appears on the organization page of the OPM website, looking for a function (any function) that remotely resembles a Chief Information Security Officer, but sadly, there is none. Even in reading Archuleta's 15-point plan for going forward, there is no Chief Information Security Officer named. If I'm missing something --perhaps there's one of those fancy Deputy Director titles in there somewhere that corresponds to the CISO role --maybe there is, but I've not seen it. As close as I can tell, Donna Seymour, OPM's Chief Information Officer, an HR-focused CIO, owns both IT and information security, and should clearly be asked to follow Archuleta out the door. Regardless of whether she's an appointee or a civil servant, the CIO must follow Archuleta out the door. Clear the room of the bureaucrats.

Beyond who gets fired, there's plenty of bureaucratic blame to go around.

Why was this not identified by US-CERT when it first occurred? 

US-CERT has been monitoring government networks since the mid-2000s. They fly away to help private corporations, own a forensic capability and malware analysis, and have been running Einstein for years, backed by a team of PhDs and researchers called NetSA from Carnegie Mellon's Software Engineering Institute, so why was this not detected by US-CERT?? Is their scope so broad that they've become ineffective? Were they ever? At what point will DHS's cyber organizations step up to the plate and hire a leader with enough wasta to create the internal change needed? Should US-CERT be manned by an MSSP and verification services? I don't know. Maybe the government should be looking at their subcontractors for help. Northrop Grumman has an amazing internal infosec and intelligence team. Lockheed, Raytheon as well. The list goes on. Northrop is the prime contractor for US-CERT, but my bet is, it's not the A-team sitting in seats on the contract. I'd also bet the folks at US-CERT don't use them as anything more than a butts-in-seats extension of the government folks running the show. Is US-CERT using any of the tech developed by Grumman for their own internal network? They should be. I could go on, but I won't.

Call me. I'd be happy to author a 100-day plan for change. The recipe isn't hard, but you have to want it.

Let's start here...

  • Focus: I realize that the mission of US-CERT is for all Americans, but get the government piece right. Knock the government protection piece out of the park. Make others want to participate with you because you're great at what you do, not because you control contract money.
  • Turn off the never-ending money spigots to the Federally Funded Research and Development Centers (CMU, SRA, Mitre, etc.). Focus efforts on effective operational monitoring and response tech and processes in US-CERT --the mission at hand: monitoring and protecting US Government networks. Fly-away teams and everything else should be tabled until US-CERT can get that one piece right.
  • Give the prime some room to execute. Measure the prime by the output of the operation rather than the cost of labor. Give them budget and hold them accountable. Blue for bonus means they get incentivized for higher-than-expected outcomes --72-hour patch cycles, increases in identification/reductions in successful penetrations, faster-turn forensic and malware analysis, and more are all possible if commercial thought can be brought to bear in government networks. Let them hunt. Beyond FISMA, incentivize the prime to identify, prioritize and fix new, previously unknown security concerns.

Clear the room of the bureaucrats. Ask the prime what they would do with the current budget.... and then listen.... and then pay them and execute.

And now for the positive.

We're beginning to see Directors and CEOs being removed (or allowed to resign) as a result of information security failures. Boards are building IT security governance models into their oversight, and while still focused on generating revenue, they are also realizing that they have a responsibility to protect the safety of their customers.

To assist, earlier in the days of our start-up, we authored a free white paper that discussed the seven things that every company does to successfully prepare for, navigate, and fight APT events. And while at the time we thought of APT as the hardest adversary, many of the tactics used by espionage-focused hackers are now used by many others. These lessons learned work. I realize of course that during incident response things move fast, but the dust will settle; and when it does, these seven common steps must be implemented. Many are low-cost, high-payoff. Some are high-cost, high-payoff.

The paper is free, it's a short read, and it's in no way focused on sales. If you have questions, call me or ask your security team. If you're serious about maturing your governance model, this is where it starts. I've built several of these teams. In every case, I use CMM and ISO as my guide, but this boils it all down to roughly 10 pages.

Ok... Hanging out today, then heading off to the Potomac for an epic day of fly fishing for smallies tomorrow morning. It's going to be a great weekend. So until next time, as they say, 'tight lines!'