The Right Approach to Deliver on the President’s Cybersecurity Executive Order
Posted June 12, 2017
According to reports in USA Today, an astonishing 96 percent of all federal agencies rate themselves between “somewhat vulnerable” and “very vulnerable” to cyberattack. In fact, 65 percent have suffered a data breach in recent years — a full 34 percent just within the past 12 months.
As homeland security advisor Tom Bossert said: “I think the trend is going in the wrong direction in cyberspace, and it’s time to stop that trend—and reverse it on behalf of the American people.”
Already Under Attack
Just like almost every country around the world, the U.S. has seen more than its fair share of cyberattacks in recent years.
The Internal Revenue Service has been fighting bogus tax returns filed by fraudsters leveraging stolen identity data for decades — to the tune of $42 million in losses from fraudulent refunds just this tax year.
In 2015, the Office of Personnel Management was struck by one of the most significant cyberattacks in the nation’s history, exposing financial and investment records, the names of children, relatives, friends, neighbors, and home address histories for 22 million people.
In late May, the New York Times reported that it only took one attempt by Russian hackers using common social engineering tactics to make their way into the computer of a Pentagon official. By the time it was discovered, the attack had exposed up to 7,000 Defense Department computers to spyware.
So, will the executive order on cybersecurity recently signed by President Trump fix all this?
A Plan for a Plan
In truth, the executive order is not exactly new—nor is it really a plan at all. It’s more of a plan to come up with a plan.
That’s partly because executive orders can only instruct agencies to prioritize or perform activities they already have the authority to carry out. To that end, the executive order calls for key agencies to produce official reports on their current security postures, feeding an official assessment of whether the country is truly prepared to defend itself against cyberattacks.
The executive order does emphasize three priorities the President deems critical:
- Protecting federal networks
- Updating outdated systems
- Migrating all agencies to a unified cybersecurity framework
Specifically, the third element calls for an update to a framework first proposed by the National Institute of Standards and Technology (NIST) as part of the Cybersecurity Enhancement Act of 2014 signed into law by President Obama.
However, any eventual plan to deliver on the executive order across all 190 federal agencies is going to take considerably more than the $61 million allocated for all counterterrorism efforts, including cybersecurity, in the President’s proposed budget.
According to reports, some federal agencies use IT infrastructures that are 30 to 50 years old. In fact, the Commerce, Defense, and Treasury departments still rely on Microsoft operating systems from the 1980s and 1990s. Those operating systems haven’t been supported or updated by Microsoft in years.
One need only look at last month’s WannaCry ransomware attack, which crippled 200,000 businesses, government agencies, hospitals and power and transportation systems spanning 150 countries to get a clear sense of what kind of trouble could be coming our way.
Despite these challenges, there is definitely cause for hope. If an eventual plan follows the evolving NIST framework, it could tackle the most important success factor for improving cybersecurity — verifying that users who access critical systems and networks are indeed who they claim to be.
Burden of Proof
An updated section of the NIST framework that addresses evolving authentication and identity-proofing requirements calls for a mechanism to do just that. However, identity verification only works if authentication is more than just a matter of ensuring users sign in with legitimate login credentials. In fact, government systems shouldn’t rely solely on such credentials at all.
In its 100-page publication titled “Securing and Growing the Digital Economy,” NIST wrote: “Identity, especially the use of passwords, has been the primary vector for cyber breaches—and the trend is not improving, despite our increased knowledge and awareness of this risk.”
“Our reliance on passwords presents a tempting target for malicious actors,” the report states. “Consequently, we are making it too easy for those who seek to do harm, whether they be nation-states, well-organized criminal groups, or online thieves.”
Passwords on their own have become essentially useless after nearly 4 billion personal credential files were stolen in 2016, on top of billions more before that. As a result, it takes just minutes for cybercriminals to harvest names, addresses, Social Security numbers, usernames, passwords and other “static” forms of identity information from the dark web. Credentials based on that information no longer serve as meaningful proof of identity by themselves.
The Age of Digital Identity
Thankfully, government agencies are not the first to face these challenges. Competitive pressures in private industry, particularly in the banking, retail and payments sectors, forced companies long ago to innovate. Of course, banks and the like have profit motives that government does not, but their goals (not simply their challenges) share many common elements with those of government.
First, all organizations need a cost-effective approach to protect critical business systems and to preserve the trust of their constituents. The system should make security better, not harder, for trusted users. The solution also needs to accommodate the various legacy systems that simply can’t be replaced all at once, which makes a layered approach to identity verification the ideal fit. Budgets are limited, so the approach must also generate operational efficiencies. Finally, cyber criminals have proven adept at evolving their tactics, so organizations need a proven approach to evolving their security measures even faster.
At ThreatMetrix, our digital identity solutions have evolved based on these requirements to produce a solution to identity verification that is now highly refined, durable and cost-effective. Our solution uses global shared intelligence that can’t be faked. Every hour, we analyze transactions from more than 200 countries across the globe and provide that intelligence back to our customers in real time and within a framework to accomplish end-to-end identity verification, authentication and secure payments.
Our digital identity solutions are built on dynamic data, not static information. Our digital identity network actually gets smarter with each transaction it analyzes, and that happens around a thousand times every second of every day. It’s a unique approach. There’s simply nothing else available that approaches the size and scope of our Digital Identity Network. It is, by far, the best way to accurately verify an identity before allowing an individual access to your systems.
We hope the new directive shines a light on these solutions for government agencies to use in their efforts to protect our nation from a potentially devastating cyberattack.