By: Hannah Hager, 03/07/2014 (4:07am)
Daniel Chapple is the Supervisory Cyber Counterintelligence Specialist at the Department of Health and Human Services. In this interview, he discusses the biggest cybersecurity threat to the government today and risk management best practices.
Q: What poses the biggest cyber security threat to the government?
A: The biggest cybersecurity threat to the government stems from the potential damage of the Insider Threat. The Cyber Insider Threat (CINDER) is not new, but several trends outside information security are leading to an ever-increasing impact and frequency from this threat. While external threats, particularly the Advanced Persistent Threat (APT), are fueled by the same trends, the potential impact from CINDER is greater and mitigation efforts more complicated. While the APT remains a significant threat that has received a great amount of public attention, many of the exploits used by APT are successful because known vulnerabilities have not been patched, or the risk from those vulnerabilities was accepted (albeit perhaps misunderstood), or because an APT is exploiting a previously unknown vulnerability that will eventually be mitigated.
The APT is frightening because it is adaptable and determined; if a particular avenue of attack is closed, the advanced threat will research a new path until it achieves its goal. However, I submit that the Advanced Persistent Threat is also logical; it is, once attributed, predictable and willing to respond to appropriate external pressure. I also submit that the APT is an entirely predictable outcome of a number of longstanding digital information trends, including the logarithmic increases in processing power and societal dependence on computing systems coupled with the linear decrease in cost per unit of processing power. This is important because the future of the APT is also entirely predictable.
In contrast, the insider threat is fractal in behaviors and motivations and unwilling to respond to traditional external pressures. Indeed, some external pressures may counter-intuitively promote insider threats. Christian Fotinger and Wolfgang Zeigler from Danube University conducted an examination of the psychology of “hackers” (their term); one conclusion from this study, applied to CINDER, is that an insider threat would be psychologically rewarded by more secure systems whose exploitation promised higher chances of detection and punishment. Additionally, insider threats are not motivated by a singular factor, so simply changing the rules on insider threats (by treating “hacking” as a medical problem instead of a criminal problem, for example) would not solve the problem. Instead of a singular motivation, the ever-increasing risk of cyber insider threats is driven by the same international pressures that are leading to the prominence of non-state actors, such as Al Qaeda, in the physical world.
To fully appreciate the scope of the cyber insider threat and the ever-increasing threat he poses, one need only review the damage wrought by these trusted insiders. Arguably the first confirmed cyber insider threat, Michael John Lauffenburger, was thwarted in his attempt to employ a logic bomb at a General Dynamics rocket research facility, but would have at most cost $100,000 in remediation fees. In contrast, Edward Snowden (who, regardless of your opinion of him, undermined his organization from within and is therefore, by definition, an insider threat) has been responsible for the loss of 1.7 million documents (more than anyone else) and has cost American firms an estimated $35 billion in losses, according to the independent non-partisan Information Technology & Innovation Foundation. This trend shows that the potential damage from CINDER is increasing in both scope and cost.
Q: In your opinion, what is the best risk management process in practice today?
A: I like the Zurich Corporate Forum-Harvard Business Review model for managing cyber risk. This model is similar to the new National Institute of Standards and Technology (NIST) Cybersecurity Framework, although it is simpler because it only focuses on four pillars: prepare, protect, monitor and respond.
Perhaps key to this model is that it is information and analysis-based; this is a familiar and time-proven method of risk management in the asymmetric intelligence field. At its core, the Zurich-HBR model recognizes the lag between awareness of cyber risk and implementation of appropriate controls. The Zurich-HBR model attempts to decrease this lag by understanding the specific risks an organization faces and layering this analysis-first approach with specific controls.
Within the federal government, the new NIST Cybersecurity Framework is a significant step in the right direction towards effectively mitigating risk, although there is no perfect federal risk management process. Federal risk management suffers from two fundamental problems. First, a corporate risk management process cannot be modeled within the federal government; transfer of risk is a significant part of corporate risk management, and there are some elements of federal business that are simply uninsurable. For example, how could the federal government secure an insurance policy to mitigate the risk from the potential loss of its nuclear launch codes?
The second problem with federal risk management is that too much is too protected. As Simon Fulleringer said, “when everything is a priority, then nothing is a priority.” Trust is essential to responsible democratic government, and part of creating trust with citizens is assuring them that the federal government will protect their information. Thus, federal information systems often choose to protect all of their systems to largely the same level.
The traditional federal government implementation for securing its systems is compliance as security. FedRAMP has 298 security controls, 60 of which directly address cloud computing. These security guidelines provide a solid baseline that every institution should endeavor to model. However, even the federal government has recognized that compliance as security has its limitations, which is why the most recent FISMA revisions focus on continuous diagnostics and monitoring. In a way, the federal movement to cloud computing provides a brilliant loophole to the traditional problem of how to transfer risk while not explicitly requiring insurance. Federal movement to the cloud transfers some of the risk for protecting federal information to cloud providers, who take responsibility for meeting federal security requirements and, presumably, assume liability for failing to properly meet those requirements.
Additionally, the federal government should take some other lessons from the corporate risk management world and incorporate segregation of exposures and exposure avoidance into its risk management process. There is friction in the federal government between the desire to make information more public and the desire to protect information. I submit that these two desires are mutually exclusive. Thus, the goal should be to better identify what to protect and separate the most important information from any public network. This is already done, to an extent, with classified information systems. The remaining question is what to do with information that is not classified but should still be accorded some unusual level of protection.
The Department of Health and Human Services’ Food and Drug Administration, for example, holds billions of dollars in proprietary corporate information. While unclassified, perhaps this information should only be available to those researchers who need to review it, and perhaps it should reside on a segregated network. By incorporating these best corporate practices, in combination with existing federal risk management practices, federal risk management could be vastly improved.
Hannah Hager is the online content manager at IDGA.