In the cloud era, government can only be as secure as its supply chain

While regulation is often seen as antithetical to technological progress, the supply chain is an area where clearly-defined, reasonable directives have had a tremendously positive effect on the security and technological leadership of the US government.


In the past year, we’ve seen the U.S. federal government taking a leadership role in adopting new cybersecurity standards in several key areas. These gains are the direct result of several mandates issued in the past two to three years.

Now, a bill currently under consideration in the House would give DHS the power to ban federal contractors that present cybersecurity risks.

There’s no doubt that federal contractors need to be held to the same stringent cybersecurity standards as the federal government itself. However, the House bill’s “ban hammer” is a blunt instrument.

A better approach is illustrated by the White House and the Department of Homeland Security, whose specific, actionable, and carefully written mandates to federal agencies have produced remarkable improvements in the government’s cybersecurity posture.

Anatomy of a well-structured mandate

Starting in 2015, a White House policy directive (OMB memorandum M-15-13, the HTTPS-Only Standard) required agencies to begin moving their public web services to HTTPS. Then, in late 2017, DHS’s binding operational directive (BOD) 18-01 specified technologies for improving email and web security, and BOD 18-02 followed with a framework for agencies to inventory and secure their high-value assets.

The most impactful of these directives, BOD 18-01, had all the ingredients needed for a successful technology mandate. It included clear, specific instructions; provided plenty of technical background material to support agencies in complying; and spelled out an explicit timeline. Most importantly, it centered on open, proven standards whose implementation status is easy to measure from the outside: a DNS lookup shows whether a domain publishes a DMARC record and what policy it carries, and an HTTP request shows whether a site redirects to HTTPS and sends an HSTS header.

The timeline is purposefully aggressive, with many milestones falling within 30 to 60 days of the issuance of BOD 18-01, both to create focus and because of the risk agencies run for as long as the three required standards remain unimplemented. An understandable grievance is that the directive has no associated budget allocation to help agencies with compliance. Given the timeline and the lack of budgeting, mandating that every federal agency implement new security technologies could even be viewed as unrealistic.

And yet BOD 18-01 has succeeded wildly, thanks to the specificity and care with which it was drafted. To take just one example: when the directive was first issued on October 15, 2017, barely 18 percent of U.S. federal domains had begun the process of authenticating themselves by publishing a record for the mandated email standard, DMARC; today that number stands at over 70 percent. What’s more, over 40 percent of federal domains have completed the process by moving to the DMARC “reject” policy the directive ultimately requires, so mail receivers now refuse messages forged in their names and phishing attackers can no longer impersonate them. There’s much more work to be done, but the progress to date is remarkable.

A similar story holds true for encrypted web sessions. In mid-2015, a little more than 25 percent of government domains supported HTTPS; that had risen to about 75 percent by the end of 2015, thanks to the White House-issued policy. Today, thanks to the additional provisions of BOD 18-01, about 65 percent also send an HSTS header, which instructs browsers to refuse plain-HTTP connections to the site from then on, so those domains are encrypted by default rather than only when a visitor happens to type https://.
</gre_replace>
<gr_insert after="26" cat="add_content" lang="python" orig="A similar story">
The percentages above are produced by exactly the kind of outside-in measurement the directive makes possible. The following Python is an added example, not code from the article, DHS, GAO or any agency: it classifies a domain's DMARC TXT record and HSTS header into the buckets the counts above distinguish (a DMARC record merely published versus one enforcing "reject", and HSTS present with a long lifetime versus absent or short-lived). The DMARC tag syntax follows RFC 7489 and the HSTS directive syntax follows RFC 6797; the records in `SAMPLE` are constructed, not live DNS or HTTP data, and the one-year `max-age` floor is an assumption drawn from common HSTS guidance, not a quotation of BOD 18-01. The same survey applies unchanged to contractor domains.

```python
"""Classify DMARC and HSTS posture per domain.

Added illustration for this article; not code from the article, DHS, GAO or
any agency. DMARC tag syntax follows RFC 7489 and HSTS directive syntax
follows RFC 6797. Everything in SAMPLE is constructed, not live DNS or HTTP
data, and the one-year max-age floor is an assumption, not a BOD 18-01 quote.
"""
from collections import Counter

ONE_YEAR = 31536000  # assumed HSTS max-age floor, in seconds


def parse_dmarc(txt):
    """Split a DMARC TXT record ("v=DMARC1; p=reject; rua=...") into a tag dict.

    Returns {} unless the record carries v=DMARC1, so an SPF or junk TXT record
    sitting at _dmarc.<domain> does not get counted as a DMARC deployment.
    """
    tags = {}
    for field in txt.split(";"):
        if "=" in field:
            key, val = field.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}


def dmarc_status(txt):
    """Bucket a record the way the article counts domains.

    none        no valid record; receivers have no policy to apply to forged mail
    monitoring  p=none; aggregate reports flow, but receivers still deliver forgeries
    partial     quarantine only, or reject that skips subdomains or covers pct<100
    enforcing   reject on all mail and all subdomains; impersonation is refused
    """
    tags = parse_dmarc(txt)
    if not tags:
        return "none"
    policy = tags.get("p", "").lower()
    subpolicy = tags.get("sp", policy).lower()  # sp defaults to p (RFC 7489)
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
    if policy == "none":
        return "monitoring"
    if policy == "reject" and subpolicy == "reject" and pct >= 100:
        return "enforcing"
    if policy in ("quarantine", "reject"):
        return "partial"
    return "none"  # missing or unknown p= tag: receivers treat it as no policy


def parse_hsts(header):
    """Split a Strict-Transport-Security header into lower-cased directives."""
    directives = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.lower()] = value.strip().strip('"')
    return directives


def hsts_status(header):
    """absent   no header; browsers keep trying http:// on every fresh visit
    weak     max-age under the one-year floor; the pin expires before it helps
    strong   max-age of a year or more, the "encrypted by default" state
    preload  strong plus includeSubDomains and preload, so the domain can be
             shipped in browser preload lists and even the first visit is HTTPS
    """
    directives = parse_hsts(header)
    if not directives.get("max-age", "").isdigit():
        return "absent"
    if int(directives["max-age"]) < ONE_YEAR:
        return "weak"
    if "includesubdomains" in directives and "preload" in directives:
        return "preload"
    return "strong"


SAMPLE = {  # constructed: domain -> (DMARC TXT record, HSTS header); not real agencies
    "agency-a.example": ("v=DMARC1; p=reject; rua=mailto:dmarc@agency-a.example",
                         "max-age=31536000; includeSubDomains; preload"),
    "agency-b.example": ("v=DMARC1; p=none; rua=mailto:reports@agency-b.example",
                         "max-age=86400"),
    "agency-c.example": ("v=DMARC1; p=reject; sp=none; pct=100",  # subdomains still spoofable
                         "max-age=31536000"),
    "vendor-d.example": ("", ""),  # neither control deployed
}


def survey(records):
    """Tally both controls so progress can be reported as the article does."""
    dmarc = Counter(dmarc_status(d) for d, _ in records.values())
    hsts = Counter(hsts_status(h) for _, h in records.values())
    return {"dmarc": dict(dmarc), "hsts": dict(hsts)}


if __name__ == "__main__":
    for control, counts in survey(SAMPLE).items():
        total = sum(counts.values())
        print(control, {k: f"{100 * v // total}%" for k, v in counts.items()})
```

The `partial` bucket is the one that matters when reading a headline percentage: `agency-c.example` publishes `p=reject`, so a naive count of "domains with DMARC" includes it, yet its `sp=none` leaves every subdomain open to forgery. Counting only `enforcing` is what separates "begun" from "completed" in the figures above.
<test>
assert dmarc_status("v=DMARC1; p=reject; rua=mailto:dmarc@agency-a.example") == "enforcing"
assert dmarc_status("v=DMARC1; p=none; rua=mailto:reports@agency-b.example") == "monitoring"
assert dmarc_status("v=DMARC1; p=reject; sp=none; pct=100") == "partial"
assert dmarc_status("v=DMARC1; p=quarantine") == "partial"
assert dmarc_status("v=DMARC1; p=reject; pct=50") == "partial"
assert dmarc_status("") == "none"
assert dmarc_status("v=spf1 -all") == "none"
assert hsts_status("max-age=31536000; includeSubDomains; preload") == "preload"
assert hsts_status("max-age=31536000") == "strong"
assert hsts_status("max-age=86400") == "weak"
assert hsts_status("") == "absent"
assert survey(SAMPLE)["dmarc"] == {"enforcing": 1, "monitoring": 1, "partial": 1, "none": 1}
assert survey(SAMPLE)["hsts"] == {"preload": 1, "weak": 1, "strong": 1, "absent": 1}
</test>
</gr_insert>
<gr_replace lines="28" cat="clarify" orig="All this goes">
All this goes to show that the federal government can be nimble and tech-savvy when planning and directives are crafted with deep knowledge of the technologies in question and the will to see them through. Clearly defined goals with aggressive yet reasonable deadlines, backed up with plenty of tech-savvy supporting information, have been key to the government’s success in increasing the security of both web-based and email communications. And these directives have put the government in an undisputed leadership position.

All this goes to show that the federal government can be nimble and tech-savvy when planning and directives are crafted with deep knowledge of the technologies in question and the will to see it through. Clearly-defined goals with aggressive yet reasonable deadlines — backed up with plenty of tech-savvy supporting information — have been key to the government’s success in increasing the security of both web-based and email communications. And these directives have put the government in an undisputed leadership position.

Let’s use this playbook

However, there’s one area where the government remains vulnerable: The contractors who provide an enormous proportion of government services to, and on behalf of, federal agencies.

For instance, a recent survey of the U.S. government supply chain by the Government Accountability Office found that many vulnerabilities exist in the government’s IT supply chain. These include the existence of malicious or counterfeit software and hardware as well as defective or misconfigured services. In response, GAO recommends that three of the agencies it studied (Justice, Energy, and DHS) take specific actions to “develop and document policies, procedures, and monitoring capabilities that address IT supply chain risk.”

Hackers know that a target is only as secure as its weakest link. For instance, when you look at the email authentication rates among the top 100 federal contractors (by dollar value of their 2017 contracts), their progress lags significantly behind that of the agencies they serve. To a hacker, that represents opportunity. If an agency they’re targeting is impervious to impersonation via email and has locked down its websites with mandatory encryption, hackers may find another way in via more-vulnerable contractors.

Indeed, while regulation is often seen as antithetical to technological progress, this is an area where clearly-defined, reasonable directives have had a tremendously positive effect on the security and technological leadership of the U.S. government.

Instead of a “hammer” approach, it would be more productive to extend the same requirements to the contractors that do business with the federal government, helping ensure that they, too, lock down their websites and email domains, and eliminate one more set of weak links. The key is making sure that those requirements are specific, detailed, actionable and have an aggressive yet realistic timeline.

This article is published as part of the IDG Contributor Network.