US government Chief Information Officer (CIO) Tony Scott has been working with federal agencies to complete 30-day “cyber sprints” to patch gaping holes in US Government security after a second breach at the Office of Personnel Management (OPM) exposed personal details of millions of federal workers, leaving them open to blackmail and spear phishing attacks by cybercriminals.
During the 30-day period agencies were asked to patch all known vulnerabilities and shore up systems using information from Homeland Security, the Government department designated to protect the nation. This included scanning for ‘indicators of compromise’, tightening policy on privileged users, accelerating multifactor authentication, identifying high value data systems and making a risk-based assessment of current cybersecurity and physical security.
Agencies reported on their progress during this period. Scott will publicly share the results, highlighting which agencies have met these goals. In September, Scott’s office will distribute broader recommendations from the review on policy, procurement and technology. Some will be passed quickly, others will need Congressional approval.
The U.S. Office of Management and Budget (OMB) has also announced that all federal agencies will use HTTPS to improve website security. On the back of this, the House Energy and Commerce Committee contacted the CEOs of Apple, Google, Microsoft and Mozilla voicing concern that Certificate Authorities (CAs) owned by national governments can issue certificates which could be used for fraudulent purposes. Although formally unrelated, these initiatives are linked.
The Committee is looking for industry direction to establish if limiting CAs can improve the way the certificate system is run.
Federal agencies will be required to inspect all inbound TLS/SSL traffic for potential risks as they move to 100 percent encryption. Agencies will need to search out malicious use of forged, compromised or fraudulent certificates across the Internet. With a compromised, stolen or forged key and certificate, attackers can impersonate, surveil and monitor their targets’ websites, infrastructure, clouds and mobile devices, and decrypt their communications.
If, however, HTTPS is not implemented together with an Immune System for the Internet, one that can identify certificates, safely deliver them for use with SSL/TLS inspection, and detect and stop the misuse of certificates for governments and enterprises, then the move to HTTPS could increase security risks: more encrypted traffic will push cybercriminals to use HTTPS themselves, and to forge or compromise certificates in order to launch attacks.
Although positive, the OMB directive has holes. It does not specify a key or certificate management system to safeguard data. There is no reference to the U.S. government’s National Institute of Standards and Technology (NIST) guidance, issued two years ago, on preparing for a CA breach. NIST guidelines are aligned with internationally accepted best practices and standards on computer security. This is what makes the Committee’s letters to the industry seeking advice on limiting CAs intriguing.
Governments should be concerned about website trust. This is why we welcomed Google’s decision to block CNNIC, the Chinese CA, earlier this year, following the discovery that the state-run organisation had issued unauthorised certificates for Google domains, leaving Google exposed to attacks capable of intercepting private communications.
Shockingly, any CA, through fraud or compromise, could issue malicious certificates for .gov domains, .com sites and others. It is paramount that CAs cannot abuse certificates or issue malicious ones that could be used against the US or its allies. Google’s Certificate Transparency (CT) helps, but it only covers high-level extended validation (EV) certificates and does not address misuse after issuance.
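The practical defender-side check behind the last two paragraphs is a domain owner (or agency) comparing every certificate that appears for its domains, for instance in a Certificate Transparency log, against the short list of CAs it has actually authorised, and alerting on anything else. The Python below is an added example written for this post, not code from the original article or from any CA, CT log or vendor product; the certificate records, the `AUTHORISED_ISSUERS` policy and the CA names in it are constructed sample data. It also shows the wildcard edge case: a `*.example.gov` certificate covers every host under the apex, so it is judged against the apex policy, not against the more permissive policy of one subdomain. As the post notes, this only makes issuance visible; it says nothing about misuse after issuance.

```python
"""Flag certificates for our domains that were issued by a CA we never authorised.

Added example (not part of the original post). Records mimic the fields a CT log
or certificate inventory exposes: issuer organisation, the DNS names the
certificate is valid for, and a serial. All values below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class CertRecord:
    serial: str         # hex serial (constructed)
    issuer: str         # organisation name from the certificate's issuer field
    names: List[str]    # subject CN plus SubjectAltName DNS entries


@dataclass
class Finding:
    serial: str
    name: str           # the DNS name that triggered the alert
    issuer: str         # the CA that issued it
    domain: str         # the policy domain governing that name


# Constructed policy: which CAs may issue for each domain we own. A policy entry
# governs the domain itself and every name beneath it; the most specific entry
# wins. A real deployment would build this from its CA inventory, not hard-code it.
AUTHORISED_ISSUERS: Dict[str, Set[str]] = {
    "example.gov": {"Example Federal CA"},
    "mail.example.gov": {"Example Federal CA", "Partner Mail CA"},
}


def governing_policy(cert_name: str,
                     policy: Dict[str, Set[str]] = AUTHORISED_ISSUERS) -> Optional[str]:
    """Return the most specific policy domain that governs `cert_name`, or None
    if the name is not ours. Names are case-insensitive and a trailing dot is
    ignored. A wildcard name is governed by the policy of its base domain,
    because '*.example.gov' is valid for every single-label host under the apex
    and must therefore satisfy the apex's (strictest) issuer list."""
    base = cert_name.lower().rstrip(".")
    if base.startswith("*."):
        base = base[2:]
    best: Optional[str] = None
    for dom in policy:
        # exact match or a proper subdomain; 'notexample.gov' must not match
        if base == dom or base.endswith("." + dom):
            if best is None or len(dom) > len(best):
                best = dom
    return best


def find_unauthorised(records: List[CertRecord],
                      policy: Dict[str, Set[str]] = AUTHORISED_ISSUERS) -> List[Finding]:
    """Return one Finding per (certificate, name) pair whose issuer is not in the
    authorised set for the governing domain. Names outside our policy are
    ignored: this monitor is about our domains, not the whole Internet."""
    findings: List[Finding] = []
    for rec in records:
        for name in rec.names:
            dom = governing_policy(name, policy)
            if dom is None:
                continue
            if rec.issuer not in policy[dom]:
                findings.append(Finding(rec.serial, name, rec.issuer, dom))
    return findings


# Constructed sample log entries. 03 and 04 should be flagged; 05 is not our domain.
SAMPLE_RECORDS: List[CertRecord] = [
    CertRecord("01", "Example Federal CA", ["www.example.gov", "example.gov"]),
    CertRecord("02", "Partner Mail CA", ["mail.example.gov"]),
    CertRecord("03", "Partner Mail CA", ["*.example.gov"]),          # wildcard over-reach
    CertRecord("04", "Some Other CA", ["login.example.gov"]),        # CA never authorised
    CertRecord("05", "Some Other CA", ["example.com"]),              # out of scope
    CertRecord("06", "Example Federal CA", ["mail.example.gov", "other.example.gov"]),
]


if __name__ == "__main__":
    for f in find_unauthorised(SAMPLE_RECORDS):
        print(f"ALERT serial={f.serial} name={f.name} issuer={f.issuer!r} "
              f"(policy domain {f.domain})")
```

Run as-is it reports serials 03 and 04. The wildcard rule is deliberate: judging `*.example.gov` against the `mail.example.gov` policy would have let the Partner Mail CA certificate through even though it is valid for every host under the apex.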
The US Government is moving in the right direction, but it is a double-edged sword. More encrypted traffic is more appealing to cybercriminals. It is imperative that we have an Immune System for the Internet to protect cryptographic keys and digital certificates, and until this time we are fighting a losing battle against cybercrime. It appears that Scott and his team are running more of a marathon than a sprint.