Agencies don't know where attacks are coming from

A risk report being produced under the cybersecurity executive order suggests that agencies need to get a better handle on where attacks are originating.


Federal agencies have a problem with attribution when it comes to cyber breaches, according to an upcoming White House report mandated under President Donald Trump's cybersecurity executive order.

"It was no surprise to us really in terms of the incident reporting framework… that most agencies didn't have a handle on where the threat was coming from," Joshua Moses, director of cybersecurity performance and risk management at the Office of Management and Budget, said at an Oct. 25 meeting of a federal advisory group. "Nearly a third of the incidents that were reported to Homeland Security last year did not have that associated attack vector, threat vector in the reporting."

There's no timetable for the release of the White House report, and some aspects of the study may be classified under the terms of the executive order. But its findings closely mirror what will be shown in the consolidated Federal Information Security Management Act compliance report due out from OMB in March 2018, Moses said in remarks for the Information Security and Privacy Advisory Board.

The information will be circulated inside the government over the next few months. It will drive plans to improve cybersecurity posture, inform hard decisions about what kinds of risk are justified given agency mission and budget, and ensure that agency efforts are aligned with the National Institute of Standards and Technology's cybersecurity framework.

"The point here isn't to say, let's provide more money to the lowest performers," Moses explained. "It's, let's make risk-based decisions on what we choose to operate and what we choose not to operate."

Board member Laura Delaney of DHS worried that the survey of agency cybersecurity risk is "a pretty difficult report." Her concern is that the report will rank and rate agency and component performance on cybersecurity risk, but that those rankings will be based on values that are hard to validate, and that those rankings will be lagging rather than leading indicators.

"You get lots of numbers…and the reality is all those numbers really don't mean a whole lot, especially when you're talking about risk," she said. "Usually in the time it takes to produce a report that is across dot-gov that goes up and out through an administration, you're usually [at least] a year behind where you were in the assessment of that risk."

The other downside to risk rankings is that agencies that have been named and shamed in a White House report may not be open to help, Delaney noted. While the White House will issue the rankings, it will be staff from DHS, the General Services Administration and the National Institute of Standards and Technology who will be tasked with helping problem agencies dig themselves out. She suggested that once the first two phases of the Continuous Diagnostics and Mitigation program are implemented governmentwide, OMB and other overseers will be able to observe trend data about how risk and risk acceptance are changing over time, rather than a snapshot based on past reporting.

"It's really difficult the day after a report like this comes out to walk into an agency and say 'really we want to help you,'" Delaney said. "You really change the dynamics of a discussion when you are also then reporting rather publicly on the risk posture of an agency."