Monday, February 18, 2008

FEDERAL IT SECURITY - ALAN PALLER 

14 February 2008

Statement of Alan Paller, Director of Research, The SANS Institute

House Committee on Oversight and Government Reform: Subcommittee on Information Policy, Census, and National Archives; Subcommittee on Government Management, Organization, and Procurement

February 14, 2008

--Federal agencies are under massive attack from China and other nation states, and agencies have demonstrated that they are not able to protect their systems or the sensitive information stored on those systems.

--In 2000, President Clinton vowed to make sure the federal government leads by example in cyber security.

--Government has failed to lead in large measure because of a provision that was originally made in the Government Information Security Reform Act (GISRA), but carried over to the Federal Information Security Management Act (FISMA). Federal cyber security has been set back, and more than $300 million in scarce cyber security funding has been wasted because of this error.

--A small legislative change and a shift in oversight technique could turn this situation around.

--Time is of the essence. The Director of National Intelligence reported last week to the Senate Select Committee on Intelligence that cyber exploitation is growing "more sophisticated, more targeted and more serious."

My name is Alan Paller; I am director of research at the SANS Institute. Thank you for the opportunity to testify today. While there are doubtless many things that could be done to improve the security of the Federal government's cyber infrastructure, my testimony today will focus on one item that, in my professional opinion, would materially improve the security of that infrastructure without requiring the expenditure of more money.

The Cyber Threat Is Expanding and Growing In Sophistication

Federal agencies and government contractors are facing a wave of cyber attacks from sophisticated nation states. The attacks began in earnest at least five years ago (our first firm evidence is from May 2003) and are so successful that agencies that know they were penetrated do not know how much information was taken, how widespread the compromises were on their systems, or which systems are still under the control of the attackers.

Those attacks resulted in sensitive data about national security technologies, strategies and practices being copied and moved to hostile nations. The stolen data, although not classified, is highly sensitive - such as details on the technologies that the US considers too sensitive to export and the specifications for the aviation-mission-planning system for Army helicopters, as well as Falconview 3.2, the flight-planning software used by the Army and Air Force. The Commander of the US Air Force Cyber Command, Major General William Lord, said in August of 2006 that "There is a nation-state threat by the Chinese... China has downloaded 10 to 20 terabytes of data from the NIPRNet."

Moreover, the fact that federal computers are under the control of potentially hostile foreign governments means that the US government agencies cannot be sure the data they provide is accurate or whether it may have been altered to be misleading.

The attacks are continuing, accelerating, and spreading to the commercially owned US critical infrastructure. A week ago today, the Director of National Intelligence, J. Michael McConnell, told the Senate Select Committee on Intelligence,

"Our information infrastructure, including the internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries, increasingly is being targeted for exploitation and potentially for disruption or destruction, by a growing array of state and non-state adversaries. Over the past year, cyber exploitation activity has grown more sophisticated, more targeted, and more serious. The Intelligence Community expects these trends to continue in the coming year."

A Presidential Cyber Security Promise That Could Not Be Kept Because of FISMA

In February of 2000, in the aftermath of the Mafia Boy attacks on Amazon, CNN, Yahoo, and Dell, the President of the United States promised twenty Internet leaders that the US government would "lead by example" in building defenses that would block the growing scourge of cyber crime. But neither the Clinton Administration nor the Bush Administration has led by example, in large part because they were hamstrung by an error in a law called GISRA, the Government Information Security Reform Act. GISRA later morphed into FISMA, but the FISMA drafters did not know of the error, and did not fix it. Because of that error in GISRA, not only are government systems far less secure than they could be, but more than $300 million of scarce federal security money was spent on writing reports that were never read, and that did not improve security.

How do we know this? Because SANS trains more than 14,000 cyber security professionals each year - with more than 15% employed in federal information security. Our alumni working for the federal government and for contractors, like other alumni around the world, keep us up to date on what works and what doesn't in cyber security.

SANS also operates the Internet Storm Center, an early warning system, so we have a pretty clear picture of the threat landscape as well as the effectiveness of the defenses.

Major Federal Successes in Cyber Security Illuminate How FISMA Can Be Improved

On December 10, 2007, SANS published a compendium of federal successes in information security, entitled "What Works in Implementing the US National Strategy to Secure Cyberspace: Case Studies of Success in the War on Cybercrime and Cyber Espionage." I have attached that document for your reference.

A quick review of the federal successes listed in the "What Works" document shows that most were accomplished without any FISMA support or relevance, but that the most important one (the Federal Desktop Core Configuration, or FDCC) was enabled by a clause in FISMA [3544(b)(2)(D)(iii)].

That one powerful clause worked because it showed agencies how to prioritize their cyber security actions. It did that by providing direct, unequivocal guidance.

What Went Wrong Because of FISMA

The error in GISRA and later in FISMA was the lack of priority setting. It is best illuminated by showing exactly what went wrong when agencies tried to implement FISMA.

First, the National Institute of Standards and Technology (NIST), following its FISMA mandate, wrote a series of guidance documents, later made mandatory by OMB, telling agencies how to comply with FISMA. NIST failed to prioritize the actions it required agencies to take. Instead, NIST wrote guidance at a very high level - leaving interpretation to the agencies and their Inspectors General (IGs). The lack of priorities, along with language open to broad interpretation, made it nearly impossible for agencies to do all the things their IGs might consider required. None of the agencies had sufficient budgets to do everything, so they did what they could and received Ds and Fs on their report cards because the IGs found that they hadn't done everything.

Far worse than bad grades, however, was the three hundred million dollars wasted in the name of GISRA and then FISMA compliance. That money could have gone a long way toward improving the security of federal systems.

The money was wasted because both Congress and OMB forced agencies (through the annual Congressional Report Card and the President's Management Agenda) to write Certification and Accreditation (C&A) reports on 100% of their systems, using C&A requirements documented by NIST. Every agency had to prepare reports on every system every three years, with annual reviews of those systems every year. That would be a wonderful way to monitor improvements in security if the security actions being reported were the essential ones that actually block attacks and improve response to attacks. But guidance from NIST was far too high level. Most of the NIST-specified security measures are disconnected from the key protections. And because the report writers felt obliged to cover all the NIST controls, the reports became essentially useless. Most were never read by the operational staff who would have to implement key security controls. We know that the reports were never read from complaints received from dozens of people frustrated by the process, but the most telling data comes from a meeting of the Northern Virginia Information System Security Association, the membership group of cyber security managers and consultants. While addressing an audience of 72 security professionals there, I asked them to raise their hands if their job involved drafting C&A reports. Fifty-five raised their hands. Then I asked them to keep their hands up if anyone had ever read their reports besides the people who wrote them. Only four kept their hands up.

In other words,

1. FISMA became a report writing exercise caused by

2. NIST language that focused on 'everything' and

3. 'a single scorecard/report card' that indicated 'compliance' to everything (and nothing) and

4. gave a 'false sense' that systems were actually secure -- as demonstrated by the continued infiltrations and exfiltrations.

5. In this case, compliance often had little to do with actual security, but agencies spent all the money on compliance. Why? Because...

6. Leaders are small. They want to keep their jobs. Congress and OMB (and the press) focused so exclusively on the report cards that CIOs simply spent the money to get Congress and OMB off their backs.

Proof That Tighter FISMA Language Improves Security

One exception demonstrates how to correct the problem. Subsection 3544(b)(2)(D)(iii) of Title 44 tells agencies to establish and implement minimum security configurations for every system. The Air Force demonstrated that following this Congressional rule to the letter enabled it to reduce vulnerabilities significantly, to cut patching time from seven weeks to three days, and to save tens of millions of dollars. It improved security while reducing costs.

The single most important correction needed in FISMA is to include language that directs NIST to prioritize the actions it tells agencies to take and the frequency for ensuring each action is taken: NIST guidance would provide specific actions and specific time frames for executing those actions. The most critical actions are to be performed quite frequently. For example:

--Actions performed continuously would include such things as stopping malicious packets from entering the network and alerting security teams when any unauthorized system or service is added to the network.

--Actions performed weekly would include things such as ensuring every system is configured in accordance with the agency's standard secure configuration, and

--Actions that could be performed annually would include such things as security awareness testing.

FISMA can be an important part of the successful defense of the computers and networks that run our government. But to do that it needs to direct agencies to spend their security money on the defenses that make a difference in their ability to protect the information they keep. You can make FISMA do that. At the request of your staffers, we have provided draft changes and report language that we think would help make FISMA more effective.

I would be happy to answer your questions.
