Cybersecurity Sprint or Multi-Year Egg Roll?

White House Tells Agencies To Tighten Up Cyber Defenses ‘Immediately’ by Aliya Sternstein.

The steps Aliya reports start off strong enough..

U.S. Chief Information Officer Tony Scott “recently launched” what officials are calling a 30-day cybersecurity sprint.

According to White House officials, the emergency procedures include:

  • “Immediately” deploying so-called indicators, or tell-tale signs of cybercrime operations, into agency anti-malware tools. Specifically, the indicators contain “priority threat-actor techniques, tactics and procedures” that should be used to scan systems and check logs.
  • Patching critical-level software holes “without delay.” Each week, agencies receive a list of these security vulnerabilities in the form of DHS Vulnerability Scan Reports.
  • Tightening technological controls and policies for “privileged users,” or staff with high-level access to systems. Agencies should cut the number of privileged users; limit the types of computer functions they can perform; restrict the duration of each user’s online sessions, presumably to prevent the extraction of large amounts of data; “and ensure that privileged user activities are logged and that such logs are reviewed regularly.”
  • Dramatically accelerating widespread use of of “multifactor authentication” or two-step ID checks. Passwords alone are insufficient access controls, officials said. Requiring personnel to log in with a smartcard or alternative form of ID can significantly reduce the chances adversaries will pierce federal networks, they added, stopping short of mandating multi-step ID checks.
  • Agencies must report on progress and problems complying with these procedures within 30 days.

    … but end with a whimper.

    If you recall, OPM doesn’t have the IT staff, interest or even a complete list of its IT assets, not to mention this activity will conflict with other agency goals. U.S. Was Warned of System Open to Cyberattacks

    How quickly do you think OPM will be able to take any of the steps Aliya outlines?

    I’m betting on the government cybersecurity sprint being a multi-year egg roll.


    Comments are closed.