Vulnerability assessment


There has been significant, but certainly incomplete,
news coverage of the hacking, which some attribute to China,
of the computer systems of the U.S. Office of Personnel Management.
While we wait for details of how much data was lost and how significant that loss is,
there is a key issue that I haven't yet seen addressed in the media, but should be:

Who in the United States government is responsible for doing
vulnerability assessments
on government computer systems,
by which I mean assessing
how significant the divulging of the data in the systems would be, and
how well guarded the systems are against such a data breach.

I believe the CIA in general has the responsibility for assessing U.S. vulnerabilities,
but on the other hand NSA has always had responsibility for U.S. communications security,
and to some extent that has broadened into computer security with the establishment of Cyber Command.
And, of course, the Department of Homeland Security has some responsibilities inherent in its title.

So between the CIA, NSA/CyberCom, and DHS,
just who is responsible for assessing the vulnerabilities of U.S. government systems?

Wyden questions efforts to prevent OPM hack
By Katie Bo Williams
The Hill, 2015-08-12

Sen. Ron Wyden (D-Ore.) is demanding to know what measures a key counterintelligence agency took to protect Office of Personnel Management records before a massive hack earlier this year.

The National Counterintelligence and Security Center has yet to disclose what actions it took leading up to the hack that exposed more than 20 million federal personnel records, an oversight that Wyden says is cause for concern.

Wyden asked for answers in a letter to agency head William Evanina, and referred to “significant warning signals regarding the security of OPM’s networks.”

“The fact that such sensitive information was not adequately protected raises real questions about how well the government can protect personnel information in the future, especially as the security clearance process moves toward conducting ongoing evaluations and incorporating publicly available electronic information,” Wyden wrote.

NCSC supports counterintelligence efforts across a number of different agencies.

The senator posed three specific questions, asking
if the agency had identified OPM’s security clearance database as a risk prior to the attacks,
if it had made any recommendations for protecting OPM’s information and
if it had considered cutting down on how long OPM kept background check records to reduce risk.

“I would like to know what actions the NCSC took prior to these OPM security incidents and what the NCSC will be doing to prepare for future attacks that will similarly target personnel and background investigation information,” Wyden wrote.


[It is not clear to me how much NCSC is responsible for these issues,
vice the individual agencies, e.g., OPM.
Further as to "if it had made any recommendations for protecting OPM’s information",
it seems clear to me that the expertise of NCSC is and should be in areas of intelligence,
not in the very, very technical area of how best to provide computer security.]


NSA Director: Expect More Hacks As Big As the OPM Heist
By Aliya Sternstein
Nextgov.com, 2016-01-22


“OPM, in some ways shows, although you could have said the same thing from the Anthem health insurance hack” of December 2014, that “data is increasingly a commodity of value all on its own,” [Admiral Mike] Rogers, leader of NSA and U.S. Cyber Command, said Thursday.

Five to 10 years ago, "we thought there's just so much data here, no one could put it all together,” he said. “Its very size makes it very difficult for an adversary to generate knowledge or understanding out of it.”

Now, so-called big data analytics has the power to digest information in ways that let industry observe consumer habits to tailor advertising and let spies uncover abnormal behaviors to spot persons of interest.

“What you saw at OPM, my comment would be, you are going to see a whole lot more of,” Rogers said during remarks at the Atlantic Council. The computer intrusion captured biographies on 21.5 million national security employees and their families.

To protect itself, the Defense Department is itemizing the military's stored away files and re-examining how they are secured, he said. It is a task that will not be completed in a short time period, Rogers added.

“We're asking ourselves:
What are our large data concentrations?
Where are they?
Are they appropriately protected?”

he said.
“In the world we are living in now, as opposed to the world we lived in when we created some of them, do we need to look at things a little differently?”

[Good idea.
But why wasn't this addressed earlier?
Admiral Rogers’ argument
“we thought there's just so much data here, no one could put it all together”
seems really ignorant,
considering that his fellow admiral John Poindexter's Total Information Awareness project
offered just that sort of capability back in 2003
and was very well known.
But not to NSA? Impossible.

Red teaming means thinking
"If we can do something, then so can our adversaries.
How do we defend ourselves against that sort of capability?"
That should have been done with Poindexter's TIA.
Why wasn't it?
(Calling Mike Hayden.)]

Civilian agencies, similarly, are hustling to meet various deadlines for identifying their most prized data, under an October 2015 White House Cybersecurity Strategy and Implementation Plan.

Andy Ozment, assistant secretary of the Department of Homeland Security Office of Cybersecurity and Communications, told Nextgov last week the real challenge will be afterward, when agencies work to insulate the files from less secure nodes on their networks.