High-profile hacks have been making headlines all year in the media. Corporations have taken most of the punishment with Home Depot, Chase and Target lighting up news feeds but the government has also been in the news, with the Postal Service's recent loss of 800,000 accounts.
Fact is every organization has IT services today, but the value of their data ranges considerably. The Federal Reserve facilitates 2.8 trillion dollars of transactions daily. The Commission on Fine Arts approves architectural plans for DC monumental core. That's not to say one agency is more important than another but rather one's work can have vastly different payoffs after a cyberattack.
How can one government standard accommodate that variation in risk? For that answer, let's look at the history of attempts to improve cybersecurity, the current approach and then a best-practice case study that showcases these principles.
A walk down cybersecurity's memory lane
Cybersecurity standards aren't anything new but publishing them out in the open is a bit of a brave new world for government. Back in 1988, cybersecurity only resided in minds of sci-fi novelists and a doctoral student at Cornell named Robert Tappan Morris (the same guy who helped found Y Combinator many years later).
Photo courtesy MIT MIT professor Robert Tappan Morris.
He created the first internet distributed computer virus -- dubbed the Morris Worm -- which affected large parts of the nascent internet. It also moved DARPA to establish a skunk-works program with Carnegie Mellon University called CERT (Computer Emergency Response Team) to respond to future cyberattacks, the first of its kind in the world.
CERT would continue operating in the darkness until the Bush administration signed FISMA (Federal Information Security Management Act) of 2002 into law, establishing pubic standards for cybersecurity for the first time. It also brought CERT into the orbit of government agencies, now becoming the official 24/7 cyber SWAT team.
These efforts, while effective, didn't fully solve the problem. The battle has become less about detecting threats but rather how to translate best practice security to every agency.
NIST Cybersecurity Framework
Back in 2013, the Obama administration took concrete steps to address just this concern. It tasked NIST, the government standards body, to develop a framework for cybersecurity rather than a rote standard. The thinking here was that standards haven't been working well enough, so putting a buffet of options before each agency would allow them to calibrate security measures to their own liking.
Lawrence Jackson, White House President Barack Obama greets his new White House Cyber Security Chief Howard A. Schmidt, Dec. 17, 2009.
Early signs point to the concept working. NIST held a series of conferences that over 3000 people attended throughout 2013, a great example of the public-private partnership both sides have long advocated.
A closer look at the three-part framework shows why it's succeeding where others haven't: flexibility. The framework's core gives agencies what amounts to a spreadsheet that lays out their operations and then specifies implementation tiers to help manage risk. All agencies have to do is create a profile that matches their core needs to the risk tiers, and then implement the guidance they created for themselves. But nothing brings the framework home like seeing it in practice.
Browserstack's Approach
Browserstack is a great resource for developers that has radically simplified testing websites across the myriad of desktop, tablet and mobile devices. And I should know: I've been a customer of theirs for years now. As good as their product is, they too suffer cyberattacks and recently had a breach in November, around the same time the Postal Service also got hacked.
Browserstack Browserstack Logo
What's constructive here is to see the different responses between the organizations. I reached out to both for interviews, with the USPS' David Partenheimer and Browserstack's Divyesh Jain responding. Partenheimer was unable to give additional information beyond noting that the FBI is investigating, but Jain was forthcoming. Their responses were a great example of why USPS lost 800,000 accounts while Browserstack lost only around 5,000.
Jain explained the Browserstack has a security team the monitors their stack continuously. I'll quote some of his comments here as they represent textbook examples of the NIST framework's five step process "Identify, Protect, Detect, Respond and Recover" being implemented in the private sector:
[Our alerting system] sends messages to key personnel when any unusual activity is detected. This particular breach was caught because the attacker locked a database table during the attack. This action triggered alerts, which allowed [us] to spring into action and limit the breach as fast as possible.
Recovery was similarly good:
We took down the service for a few hours, however the entire team was focused on getting BrowserStack back up and running. We were concerned about our customers who had no knowledge of the breach, and who would only see a service unavailable screen on logging in. The team worked around the clock for several days, taking down each of the components, examining it for security vulnerabilities, and reinstating it on the cloud. If anything, we saw that the crisis brought together the team.
External communications only added to the comprehensive response:
The attacker sent an email to some of our customers, and it was our first and only concern to reassure them that their data was safe. However, since there was a security breach, we opted to wait until there was more information so we could communicate with clarity and honesty. We then sent out an email to all our customers, apprising them of the breach, how we handled it, what was compromised, where we went wrong, and finally how we planned to avoid breaches in the future.
Analysis
The aim of the NIST directive guides organizations to establish their own best practices instead of forcing their hand with regulation, a government tactic that proved disastrous in the past. The deregulation of derivative trading in 2000 asked the financial industry to do much the same, eventually leading to the Great Recession. Will it be any different for cybersecurity?
The Obama administration has made the measure non-binding, instead asking agencies to assess themselves and apply this NIST framework. Certain agencies have long since exceeded these cybersecurity measures, like the Federal Reserve's NIRT (paywall). Other agencies languish with outdated procedures.
No directive can make up for the budgetary pressure many civilian agencies continue to endure at the hands of sequestration and other fiscal orders. And modern cybersecurity legislation collects dusts in Congress but not for a lack of trying; Tom Carper, who heads the Homeland Security Senate subcommittee has three bills ready for a vote. Here's hoping 2015 marks a turning point when Congress makes good on their funding promise and agencies continue to embrace NIST's framework.
[UPDATE: Senator Tom Carper was the chairman of the Senate Committee on Homeland Security and Governmental Affairs in the 113th congress. The cybersecurity bills this article advocated on behalf of were passed by Congress and signed into law by the President on December 18th, 2014. Thanks to Jill Farquharson, Senator Carper's Press Assistant, for the clarifications.]