Feds seek centralized threat analysis with CTIIC

The Obama administration, seeking to increase the quantity and quality of its cyber intelligence and enhance its ability to respond quickly to cyber attacks, will create a new Cyber Threat Intelligence Integration Center (CTIIC). Lisa Monaco, the Assistant to the President for Homeland Security and Counterterrorism, formally announced the creation of the new agency on February 10 during a Director’s Forum at the Wilson Center entitled “Cyber Threats and Vulnerabilities: Securing America’s Most Important Assets.” The new Center will not perform data collection, but instead will aggregate and analyze data collected by the numerous other government entities (and, potentially, private sector firms as well). With this specialized role, the administration is positioning CTIIC as complementary, not duplicative, to existing functions across government that conduct various cybersecurity activities. The new Center will be under the direction of the Director of National Intelligence – an organizational positioning likely driven at least in part by the need to include cyber-attack response within its sphere of operations. No civilian agency (even DHS) holds the authority to launch proactive or reactive attacks against cyber adversaries, but these capabilities both exist and are authorized for the U.S. Cyber Command and other specialized branches of the military and intelligence community.

The potential for “mission confusion” certainly exists in the federal government. There is already a National Cybersecurity and Communications Integration Center (NCCIC) within the Department of Homeland Security and a National Cybersecurity Center of Excellence (NCCOE) at NIST. The former, like the U.S. Computer Emergency Readiness Team (US-CERT) it manages, focuses its attention largely on security threats and vulnerabilities applicable to the U.S. government, although private sector organizations are certainly able to communicate with NCCIC and benefit from its analysis. The NCCOE, in contrast, serves businesses with information about security solutions leveraging commercially available technology. There are of course numerous programs with a role in cybersecurity and defense — including the FBI, NSA, DHS, DoD, CIA, and other civilian, military, and intelligence agencies.

What seems to be different about the newly proposed center is the intention to address state actors (Monaco specifically mentioned China, Russia, Iran, and North Korea) and non-state-based hacking groups like Anonymous. Historically, private sector organizations have been reluctant to either share threat and attack information with the federal government or to subject themselves to government regulations and oversight. With the notable exception of companies with roles in critical infrastructure sectors like energy and transportation and those in closely regulated industries such as health care and financial services, private sector firms have few federal obligations to publicize anything that happens within their computing environments. Although almost all states have enacted some type of regulation requiring companies to notify individuals if their personal information is compromised in a security breach, these rules generally do not mandate full disclosure of the nature of any successful attacks or the vulnerabilities that were exploited. Monaco noted during her speech that during the Sony Pictures incident, the government quickly shared cyber threat information in the form of attack signatures with private sector firms so that they could update their defenses and, presumably, try to avoid falling victim to a similar attack. The administration clearly would like more communication from the private sector in these areas than it currently gets. A neutral observer might accurately suggest that private sector organizations are likely to reach out to the government and share information only when they have been compromised and need help, but not as a routine preventative defense practice. Not everyone accepts the implied assertion that the government has better or more complete information than private security researchers, but the definitive attribution the administration made in naming North Korea as responsible for the Sony hack seemed to indicate that the government had more evidence to go on than any of the security analysts that came to different conclusions.

During the delivery of her prepared remarks, Monaco offered a simple rationale for the new center: “Currently, no single government entity is responsible for producing coordinated cyber threat assessments, ensuring that information is shared rapidly among existing cyber centers and other elements within our government, and supporting the work of operators and policy makers with timely intelligence about the latest cyber threats and threat actors.”

In a Q&A session following the speech, Monaco responded to a specific question from the event moderator regarding recent criticism that the CTIIC is nothing more than another layer of government bureaucracy and is, simply, unnecessary. She reaffirmed the administration’s position that there is a critical gap in current government analytical and information sharing capabilities. The goal for the administration is more complete and more rapidly produced actionable intelligence regarding threats. It remains to be seen whether the Center will be able to overcome the reluctance of individual agencies and programs to hand over their information to the Center, but the administration continually cites the positive example of the National Counterterrorism Center formed in response to the 9/11 attacks.

There is almost unquestionably a logical argument to be made that an existing agency working in the cybersecurity realm – perhaps DHS or NSA – could simply have its scope of responsibility expanded instead of creating a wholly new piece of the federal organization structure. It is far from clear, however, that effecting a change in mission for an existing agency would be any easier to bring about than carving out a newly defined one. For instance, the updated Federal Information Security Modernization Act (FISMA) passed with bipartisan support at the end of 2014 divides security oversight among multiple agencies, giving most operational security responsibilities to DHS. But FISMA only applies to federal executive agencies (not to the legislative or judicial branches of government, let alone the private sector) and it also exempts many aspects of military and intelligence operations because it does not apply to “national security systems.” The administration’s take is that coordinated analysis of threat and attack information from all available sources is a crucial but missing piece in the government’s strategy to more effectively address cyber threats.

Anthem breach enabled by compromising administrator credentials

As an internal investigation continues into the massive data breach reported last week by Anthem, the company has confirmed reports that administrators who discovered the breach in late January noticed unusual activity on Anthem’s database systems – specifically that queries were being run against the database using the authenticated accounts of Anthem administrators. This information suggests that the attackers were able to access the database and retrieve data from it because they were in possession of valid administrator credentials. What’s less clear is how or when those credentials were compromised, or what level of authentication was required of administrators logging on to the database. If it turns out, as some observers have surmised, that one or more of Anthem’s administrators was victimized by a phishing attack, then this would also suggest that database administrators require only usernames and passwords to authenticate to the database. Presumably the successful attackers also needed to penetrate the insurer’s network perimeter in order to directly access the database, so perhaps a review of remote access logs associated with the compromised accounts will help confirm or refute the source of the attack.

Much has been made in the press of the fact that the data stolen from Anthem was not encrypted (which is recommended but not required under HIPAA). If the retrieval of the data occurred using administrator accounts, however, then any database-, drive-, or server-level encryption of data at rest would have been irrelevant because such data is typically decrypted on-the-fly when it is accessed by authorized users. The type of encryption advocated to protect health data is most useful to mitigate the physical theft of computers, hard drives, or removable media (such as backup tapes), or to safeguard sensitive data contained in database extracts or files to be electronically transferred from one location to another.
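The two preceding paragraphs make the point that valid administrator credentials defeat at-rest encryption, and that remote access logs are the place to look for how those credentials were used. The following is an added example (not code from the original post or from Anthem) of the kind of correlation a defender would run: it joins constructed database audit records against constructed remote-access sessions and flags administrator queries that arrive from the remote-access address pool without a matching session for that user, or that return a bulk result set. The log formats, the VPN pool, the threshold and every record are assumptions made for illustration.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

VPN_POOL = ip_network("10.20.0.0/24")   # constructed: addresses handed to remote users
BULK_ROWS = 1_000_000                    # constructed: what counts as a "bulk" result

# Constructed remote-access sessions: (user, source IP, start, end)
REMOTE_SESSIONS = [
    ("dba_alice", "203.0.113.10", "2015-01-27T08:55:00", "2015-01-27T18:05:00"),
    ("dba_bob",   "203.0.113.44", "2015-01-27T09:10:00", "2015-01-27T17:30:00"),
]

# Constructed database audit records: (user, timestamp, client IP, rows returned)
DB_AUDIT = [
    ("dba_alice", "2015-01-27T10:12:00", "10.20.0.15", 120),        # normal, in session
    ("dba_alice", "2015-01-27T02:41:00", "10.20.0.15", 8_500_000),  # off-hours, no session
    ("dba_bob",   "2015-01-27T11:03:00", "10.20.0.16", 40),         # normal, in session
    ("dba_bob",   "2015-01-27T14:00:00", "192.168.5.7", 60),        # on-site LAN, no VPN needed
    ("dba_bob",   "2015-01-28T23:17:00", "10.20.0.16", 3_200_000),  # no session, bulk pull
]


def _t(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")


def has_session(user, when, sessions):
    """True if `user` had a remote-access session that covers the instant `when`."""
    return any(u == user and _t(start) <= when <= _t(end)
               for u, _src, start, end in sessions)


def flag_suspicious(audit, sessions, vpn_pool=VPN_POOL, bulk_rows=BULK_ROWS):
    """Return (user, timestamp, [reasons]) for audit rows that deserve a closer look."""
    findings = []
    for user, stamp, client_ip, rows in audit:
        when = _t(stamp)
        reasons = []
        # A client inside the VPN pool must belong to an active session of the same user.
        if ip_address(client_ip) in vpn_pool and not has_session(user, when, sessions):
            reasons.append("query from remote-access pool with no session for this user")
        if rows >= bulk_rows:
            reasons.append(f"bulk result set ({rows} rows)")
        if reasons:
            findings.append((user, stamp, reasons))
    return findings


if __name__ == "__main__":
    for user, stamp, reasons in flag_suspicious(DB_AUDIT, REMOTE_SESSIONS):
        print(user, stamp, "; ".join(reasons))
```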

From the beginning, Anthem has characterized the breach as the result of “a very sophisticated external cyber attack.” None of the subsequent reporting or purported expert analysis has yielded evidence to the contrary – in fact there are indications that the breach itself may have been the culmination of an effort that began many months earlier with a concerted and prolonged attack consistent with an “advanced persistent threat.” To help with its investigation of the breach, Anthem has engaged security consultant Mandiant, a firm probably best known in security circles for bringing to light the allegedly Chinese government-sponsored cyber espionage group the company terms “APT1.” Although it is most likely a coincidence, according to initial reports from the Anthem investigation Chinese hackers are the leading suspects behind the breach.

VMware exec Tony Scott named new Federal CIO

The White House announced on February 5 that Tony Scott will become the new Chief Information Officer for the federal government, filling a position within the Office of Management and Budget (OMB) that has been vacant since Steven VanRoekel resigned the post last fall. The appointment of Scott – who comes to OMB from virtualization technology market-leader VMware, where he was senior VP and CIO – provides a clear indication that the administration remains serious about modernizing the way it invests in and manages its information technology resources, particularly including the use of cloud computing services.

Scott will presumably be tasked with continuing the work of his immediate predecessors, including Vivek Kundra, who as the Obama administration’s first federal CIO established the government’s “cloud first” strategy and oversaw the creation of the Federal Risk and Authorization Management Program (FedRAMP) that enabled cloud service providers to demonstrate the implementation of security measures sufficient to satisfy federal government requirements. After a brief stint in academia at Harvard’s Kennedy School, Kundra showed he believed in the value of the FedRAMP program by joining software-as-a-service powerhouse Salesforce.com, which attained an authorization to operate (ATO) under the FedRAMP program in May 2014.

HealthCare.gov shares consumer data with lots of third parties

Update: Less than a week after the AP, EFF and multiple media outlets brought to light the data sharing described below, the government appears to have altered the website code on HealthCare.gov so that no personal data is now shared with third-party tracking sites. Presumably the government has a continuing business interest in measuring the performance of the website and collecting aggregate statistics about its usage, and will continue to get some information of this type through Akamai and other web infrastructure vendors associated with the site.

As reported by the Associated Press this week and confirmed through testing by the Electronic Frontier Foundation (EFF), some personal information provided by users of the government’s HealthCare.gov website is automatically collected and sent to more than a dozen third-party companies, including online advertising and social media sites. According to the EFF, among the personal attributes sent to third-party sites are age, zip code, income, and self-reported status for things such as whether a consumer is a parent, a smoker, or pregnant. These data elements are all items that consumers enter on the insurance exchange site as part of the process of either determining eligibility for coverage or actually applying for insurance through the federal marketplace. Once a user has created an account on HealthCare.gov, but before anything other than demographic data is requested, the site presents and requires users to agree with a privacy statement that begins, “We’ll keep your information private as required by law. Your answers on this form will only be used to determine eligibility for health coverage or help paying for coverage.”
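The sharing described above is the kind of thing a site operator can audit from a capture of the browser's outbound requests: anything leaving for a host outside the site's own domain is third-party, and the attributes the EFF listed (age, zip, income, parent, smoker, pregnant) can travel either in the third-party request URL itself or in the Referer it receives. The following is an added example, not code from the original post or from the EFF's testing; the request records, the `.example` hosts and the query-parameter names are constructed assumptions, and a real audit would take the same records from browser developer tools or a proxy log.

```python
from urllib.parse import urlsplit, parse_qs

FIRST_PARTY = ("healthcare.gov",)  # hosts in this domain are the site itself
SENSITIVE = {"age", "zip", "income", "parent", "smoker", "pregnant"}  # attributes named by the EFF

# Constructed capture of requests a browser made while on the site: URL plus Referer sent with it.
CAPTURED_REQUESTS = [
    {"url": "https://www.healthcare.gov/see-plans/?age=40&zip=20001&income=35000&parent=1",
     "referer": "https://www.healthcare.gov/"},
    {"url": "https://tracker.example/pixel?id=123",           # tracker: attributes arrive via Referer
     "referer": "https://www.healthcare.gov/see-plans/?age=40&zip=20001&income=35000&parent=1"},
    {"url": "https://ads.example/collect?zip=20001&smoker=1&pregnant=0"},   # attributes in the URL itself
    {"url": "https://cdn.example/app.js", "referer": "https://www.healthcare.gov/"},  # nothing sensitive
]


def is_first_party(host, first_party=FIRST_PARTY):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in first_party)


def sensitive_params(url, sensitive=SENSITIVE):
    """Names of sensitive query parameters present in `url` (empty set for a missing URL)."""
    return {k for k in parse_qs(urlsplit(url).query) if k.lower() in sensitive}


def audit_requests(requests, first_party=FIRST_PARTY, sensitive=SENSITIVE):
    """Map each third-party host to the sensitive fields it received, via its URL or its Referer."""
    leaks = {}
    for req in requests:
        host = urlsplit(req["url"]).hostname or ""
        if is_first_party(host, first_party):
            continue  # the site's own servers are entitled to see the form data
        fields = sensitive_params(req["url"], sensitive) | sensitive_params(req.get("referer", ""), sensitive)
        if fields:
            leaks.setdefault(host, set()).update(fields)
    return leaks


if __name__ == "__main__":
    for host, fields in sorted(audit_requests(CAPTURED_REQUESTS).items()):
        print(f"{host}: {', '.join(sorted(fields))}")
```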

Consumers visiting HealthCare.gov are directed to multiple privacy notices, including the HealthCare.gov privacy policy, an individual Privacy Act statement, and a sort of frequently-asked-questions page explaining how individual information collected on the site is used. These pages also make reference to two privacy-related documents that the government is required to publish under current regulations: a privacy impact assessment (PIA) and a system of records notice (SORN). While a copy of the SORN covering the health insurance exchanges established under the Affordable Care Act is available online, the PIA is not, since the most recent PIA information for all systems maintained by the Department of Health and Human Services (HHS) is from the fourth fiscal quarter of 2012. None of these sources of HealthCare.gov privacy information mentions sharing consumer data with commercial third-party organizations, although one – the site’s privacy policy – refers to the use of “Web measurement software tools” that continuously collect information from site visitors. The privacy policy, however, states in bold text that “No personally identifiable information is collected by these tools.”

The EFF and others examining this data sharing behavior seem to accept as a given that the data being “quietly” shared (that is, without any explicit notice to consumers) is personal health-related information that should presumably be protected by existing regulations and restrictions on information sharing. In responses to questions from AP, the administration chose to defend the information sharing by noting that the third parties receiving the data are prohibited from using the data for purposes other than serving consumers on HealthCare.gov, although it’s not clear what the basis of such prohibition would be, since these commercial firms are not bound by either the Privacy Act or HIPAA. It is possible that each of the third-party organizations with which the government is sharing consumer details has executed a data use agreement or entered into another type of contractual agreement with the Centers for Medicare and Medicaid Services (CMS), the HHS agency responsible for administering the insurance marketplace. Such contractual obligations would augment existing regulations constraining the secondary use of information collected by federal agencies (including the restrictions on marketing added to HIPAA by the HITECH Act). What seems strange is that none of the many privacy notices and descriptions of information sharing practices provided by the government actually address sharing the kind of data that AP and the EFF identified.

The legality of this undisclosed information sharing hinges on whether the data in question actually fall under the definition of personally identifiable information (PII). The official government definition of PII comes from OMB Memorandum 07-16, which says PII is “information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual.” Although the government has not offered an assertion to this effect, the argument could be made that the attributes being shared are not personally identifiable information because they cannot be used to individually identify anyone. It is the second part of the government’s PII definition that is troublesome for the HealthCare.gov data sharing, because many of the third parties receiving the data already have in their possession large quantities of consumer information that could presumably be matched with the data coming from HealthCare.gov. The government should be acutely aware of this possibility, since one of its long-time privacy advisers is a leading researcher in “re-identification,” and because HHS’ Office of the National Coordinator for Health IT has funded research about re-identifying individuals from datasets that have purportedly been de-identified. Even if the data elements sent to major web analytics, advertising, and social media companies are not personally attributable as transmitted, it should not be very challenging for these firms to combine HealthCare.gov data with other public or commercial data sources (including their own databases). If such matching is feasible for even one of the third parties, then HealthCare.gov is not only failing to comply with its own privacy policies, but possibly violating several federal privacy regulations.
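The second half of the PII definition, linkability, is something a data custodian can measure before sharing: if a combination of quasi-identifiers such as age, ZIP code and income is unique in the dataset, a party holding another dataset keyed on the same attributes can match it. The following is an added example, not from the original post, that computes the k-anonymity of a constructed record set (the smallest group sharing the same quasi-identifier values, and how many records are unique) and shows how generalizing the attributes raises k; the records, the choice of quasi-identifiers and the coarsening rule are assumptions made for illustration.

```python
from collections import Counter

QUASI = ("age", "zip", "income")  # assumed quasi-identifiers: the attributes the EFF saw shared

# Constructed consumer records; no real individuals.
RECORDS = [
    {"age": 34, "zip": "20001", "income": 35000},
    {"age": 34, "zip": "20001", "income": 35000},
    {"age": 52, "zip": "20002", "income": 80000},
    {"age": 57, "zip": "20005", "income": 72000},
    {"age": 61, "zip": "20001", "income": 41000},
    {"age": 38, "zip": "20009", "income": 35000},
    {"age": 65, "zip": "20009", "income": 55000},
    {"age": 45, "zip": "20010", "income": 120000},
    {"age": 48, "zip": "20012", "income": 115000},
]


def exact(record, quasi=QUASI):
    """Quasi-identifier tuple as transmitted, with no generalization."""
    return tuple(record[k] for k in quasi)


def coarsen(record):
    """Generalize: 10-year age band, 3-digit ZIP prefix, income to the nearest $25k."""
    return (record["age"] // 10 * 10, record["zip"][:3], round(record["income"] / 25000) * 25000)


def equivalence_classes(records, key=exact):
    """Count how many records share each quasi-identifier combination."""
    return Counter(key(r) for r in records)


def k_anonymity(records, key=exact):
    """Return (k, unique): k is the smallest class size, unique counts records with a class of one.
    k == 1 means at least one record can be singled out by its quasi-identifiers alone."""
    classes = equivalence_classes(records, key)
    return min(classes.values()), sum(1 for n in classes.values() if n == 1)


if __name__ == "__main__":
    print("as transmitted:", k_anonymity(RECORDS))
    print("generalized:   ", k_anonymity(RECORDS, key=coarsen))
```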

Changes coming for federal infosec managers

Information security managers in federal government agencies should expect to see new obligations and rules on security management practices in 2015, with changes brought about by the Federal Information Security Modernization Act (FISMA) that became law at the end of 2014 and from updates to key guidance from NIST, OMB, and DHS. The most relevant changes include:

  • Implementing and maintaining continuous monitoring, likely enlisting the assistance of DHS and its Continuous Diagnostics and Mitigation (CDM) program, which is available to all agencies under a GSA-managed blanket purchase agreement. Each agency was supposed to have developed and submitted to OMB their information security continuous monitoring strategy (ISCM) last year, so with strategies in place, execution is the focus for 2015.
  • Updating incident notification and reporting practices, to comply with requirements issued by US-CERT and to meet new requirements (particularly for reporting to Congress) included in the 2014 update to FISMA.
  • Modifying security control assessment procedures following guidance in NIST Special Publication 800-53A Revision 4, released in December. Compared to the prior version, the revised assessment procedures break down security objectives (derived from security control descriptions in Special Publication 800-53) into a more fine-grained and explicit set of criteria to be used in security control assessments. The new guidance also includes assessment procedures for the privacy controls first added by NIST in April 2013 with 800-53 rev. 4.
  • Adapting security management reporting procedures to satisfy new OMB and DHS requirements, including still to-be-determined changes to OMB Circular A-130, Management of Federal Information Resources, called for in the new FISMA law “to eliminate inefficient or wasteful reporting.” These revisions to A-130 may not be made until much later in the year, but they are expected to substantially alter the documentation and checklist-driven practices associated with system certification and accreditation under the current A-130 Appendix III, which was last updated in 2000.

Collectively, these anticipated changes (plus whatever prescriptive guidance DHS may issue under its newly codified authority over agency security operations) will make 2015 a year of transition for federal system owners and program managers (and their contractors) as the government tries to mature its information security management practices.