On Tuesday, November 17th, SIIA hosted an event on Capitol Hill that featured Members of Congress, Hill staff, and industry representatives, who were all charged with the task of explaining how data-centric security measures could be used to protect federal information and information systems. In light of recent attacks on federal IT systems and the data theft of millions of Americans, this subject is of great importance for citizens and national security.
House Homeland Security Committee Chairman Michael McCaul (R-TX) opened the event with remarks about the need for greater security of federal information. “It’s highly important,” McCaul remarked. “With the OPM breach, over 20 million Americans’ security clearance forms were stolen.” The Congressman went on to discuss cyber threats facing America from all over the world. “I think now the American people are waking up to how important [cybersecurity] is.”
Regarding the recent attacks in Paris, Congressman McCaul discussed the “dark space,” the use of encryption by terrorists, and the debate that has been reignited. In response to calls for government backdoors to encryption, McCaul held up his iPhone and declared, “You don’t want to put a backdoor on this device because you open it up to hackers.” McCaul also offered a potential solution, suggesting the formation of a commission involving federal agencies, the tech community, and other experts to study the encryption issue and improve cybersecurity.
Next, Congressman Will Hurd (R-TX), the Chairman of the IT Subcommittee on Oversight and Government Reform and former member of the CIA, also discussed the need for greater data security measures for the federal government in light of recent successful cyber espionage attempts by foreign entities. He mentioned that there need to be greater efforts to wean the federal government off the use and maintenance of older systems, as newer systems are cheaper, more reliable, and more secure, and can be used with a greater number of advanced security platforms. These platforms would allow for faster detection of malicious activity in federal systems. According to Congressman Hurd, somewhere around 85 to 90 percent of the federal IT budget goes to maintaining older, traditional systems, which is unacceptable for security. Congressman Hurd concurred with Chairman McCaul’s stance on encryption, saying, “Encryption is good and we shouldn’t do anything to weaken it.”
Following the congressmen, there was a panel discussion that featured John Landwehr from Adobe, Mark Ryland from Amazon Web Services, and Brett DeWitt from the House Committee on Homeland Security. John Landwehr, Public Sector CTO from Adobe, discussed how platforms that utilize data-centric security are faster, cheaper, and more environmentally friendly. He also explained that content-centric security is being tested by consumers and other entities. John cited the example of the Army Corps of Engineers implementing a content-centric security system when conducting contract rating or bidding on sensitive facilities such as a military base. This type of security would prevent information from being forwarded to unnecessary persons by electronically shutting off files, no matter how many were downloaded, and only giving necessary files to those who were authorized to bid or actually won the contract.
Next, Mark Ryland, Chief Solutions Architect from Amazon, cited success using Adobe data-centric solutions to make their Amazon Web Services platform more secure. He said these platforms have very fine-grained access controls, so you can specify time of day, whether the person used a multi-factor authentication token, and other highly specific and controlled variables, giving the administrator rich control over who is accessing something. He also explained how logging could be turned on so that everything done in the secure infrastructure, from changing a route in a virtual router to impacting a firewall, is logged into a common audit log system, making those actions by any user fully visible to anyone who is maintaining the security of the system. John also discussed how these logs are so secure that any attempt to make changes to them will be detected, as it will impact the security signature of a system.
Finally, Brett DeWitt, the Staff Director for the House Homeland Security Committee, Cybersecurity, Infrastructure Protection and Security Technologies Subcommittee, discussed how building and implementing newer systems instead of maintaining the old is critical to a secure federal infrastructure. According to DeWitt, Homeland Security should be at the forefront of modernizing federal systems. Brett also mentioned that maintaining these older systems as the federal budget allows is another reason that federal information and information systems are so vulnerable. Brett mentioned that when conducting a cybersecurity review, the NIST cyber framework should be examined, and that collaboration between industry and the executive branch using this framework can help examine where there is risk.
This event was well attended, and the panelists were successful at integrating industry and policy solutions to better protect federal information from current vulnerabilities that have plagued the Federal Government. While there is no such thing as absolute security, data-centric security is a critical layer that should be deployed within the Government.