The frequency of disruptive, adversarial cyber attacks has the Homeland Security Department focused on innovative research and development models. For Customs and Border Protection (CBP), network security is at the core of its overall mission.
“Being a CISO, we spend a whole lot of time preparing for something that we really, really hope never comes,” said CBP Chief Information Security Officer Alma Cole at the DHS Science and Technology Cyber Security Showcase and Technical Workshop on July 12 in Washington, D.C.
DHS’s Science and Technology (S&T) Directorate established the Cyber Security Division (CSD) to improve the security of the nation’s information infrastructure and networks. One way CSD is doing this is by coordinating R&D within DHS and among the wider R&D community, department customers, other government agencies, international partners and the private sector.
For CBP, security is critical for assuring that the systems its front-line officers rely on to defend the country stay available and running despite adversarial attacks. Yet, Cole said, CBP is challenged with strengthening security as it transitions to cloud technology and away from its perimeter defense model.
“We’re trying to do less with less,” Cole explained. “We have, oftentimes, less resources, however we really do need to start making better decisions about how we do security and how we manage our risk.”
The cloud transition means refocusing on authentication, encryption, integrity validation and building security into the cloud development pipeline. All of this, Cole said, requires more research and expertise.
“As we develop applications and publish them into the cloud and put them into containers, once we get that down, we know that the baselines are solid and we can monitor the integrity of those baselines to ensure that nothing actually happens to them,” he said.
The baselines need to be ready for the next build so that new applications work well with everything else already in the network. This way, CBP can push out new applications, or replace previous ones wholesale, rather than patching and modifying systems in place in its current environment.
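The integrity monitoring Cole describes comes down to recording a known-good baseline of a build and detecting any later drift from it. The following is an added example, not code from CBP, DHS or the original article: a Python script that hashes every file in an application tree, seals the resulting manifest with an HMAC so the baseline itself cannot be silently edited, and then reports files that were modified, added or removed in a deployed copy. The directory contents, file names and the key `constructed-demo-key` are constructed for the demonstration; a real deployment would hold the key in a KMS or HSM and generate the manifest in the build pipeline, not on the host being checked.

```python
"""Baseline integrity check for an immutable application build (added example)."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256 digest."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def _canonical(manifest: dict) -> bytes:
    # Canonical JSON so the same manifest always produces the same bytes to MAC.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def seal_manifest(manifest: dict, key: bytes) -> dict:
    """Attach an HMAC so an attacker who edits the stored baseline is detected too."""
    tag = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    return {"manifest": manifest, "hmac": tag}


def open_sealed(sealed: dict, key: bytes) -> dict:
    """Verify the HMAC before trusting the baseline; constant-time comparison."""
    expected = hmac.new(key, _canonical(sealed["manifest"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["hmac"]):
        raise ValueError("baseline manifest failed HMAC check; do not trust it")
    return sealed["manifest"]


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Report drift between the sealed baseline and a freshly hashed tree."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


KEY = b"constructed-demo-key"  # hypothetical; a real key lives in a KMS/HSM, not in code


def demo() -> dict:
    """Constructed scenario: seal a baseline, tamper with the deployed tree, report drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app").write_bytes(b"\x7fELF demo binary")
        (root / "config.yaml").write_text("listen: 8443\n")
        (root / "README.md").write_text("demo build\n")
        sealed = seal_manifest(build_manifest(root), KEY)

        # Simulated drift on the running host: trojaned binary, new dropped file, deleted doc.
        (root / "bin" / "app").write_bytes(b"\x7fELF demo binary with implant")
        (root / "bin" / "backdoor").write_bytes(b"#!/bin/sh\n")
        (root / "README.md").unlink()

        baseline = open_sealed(sealed, KEY)
        return diff_manifests(baseline, build_manifest(root))


def tampered_baseline_rejected() -> bool:
    """Editing the stored manifest (e.g. to whitelist an implant) must fail verification."""
    sealed = seal_manifest({"bin/app": "0" * 64}, KEY)
    sealed["manifest"]["bin/app"] = "f" * 64  # attacker rewrites the 'known-good' hash
    try:
        open_sealed(sealed, KEY)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    print("tampered baseline rejected:", tampered_baseline_rejected())
```

Run on a schedule against each container or host, any non-empty `modified`, `added` or `removed` list is a drift event to alert on; because the baseline is generated at build time and MAC-verified before use, an attacker who gains write access to the host cannot quietly update the baseline to match their changes.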
“That creates lots and lots of risk and lots of unknowns,” Cole said.
CBP is also challenged by its air-gapped networks, which are computers and networks not directly connected to the internet or to any other connected devices. In CBP, these are things like cameras and sensors, which did not require as stringent security controls because they were not connected.
“That assumption’s not holding true anymore,” Cole said. “More and more, we’re looking to connect those air-gapped systems.”
CBP needs to bring those legacy technologies onto a more advanced, connected network, and find the most effective way to shield everything else from those assets. This can be done with a zero-trust model for cybersecurity (a concept developed by Forrester), which treats all traffic as untrusted regardless of where it originates, so that a compromised sensor or camera cannot reach the rest of the network by default. This way, security is built into the DNA of the IT architecture through situational awareness and vulnerability and incident management capabilities.
DHS also relies on the Continuous Diagnostics and Mitigation (CDM) program for enhanced visibility and governance during a cloud transition. It helps shed light on dark spots in security so organizations can better understand everything in their network and how it all interacts. Ultimately, CBP wants to ensure it is engineering solutions that, by design, recover or re-engineer themselves if something goes wrong.
“That sort of assumption is designed into the solution so we can continue to run despite having security issues or intrusions or problems,” Cole said.
Cole is also tackling technology portfolio rationalization. Many security tools are brought in to do one thing, and may not even be used properly for that task because they have not been configured correctly or require additional tools to be effective.
“What we really are trying to do is reduce the number of technologies that we have to manage, and then try to get those into a very, very mature state,” Cole said, in order to get all the value out of them. Then, CBP can focus on properly defending what is inside its network rather than trying to be “an inch wide and a mile deep with everything in touch with security and security monitoring.”
This requires cooperation from the R&D community. While the solution does not need to be a single product, Cole believes there needs to be better integration. If a single tool has a valuable function for CBP but does not work well with anything else in the environment, or requires separate management, that creates further challenges. However, if the R&D community can bring in something that works with the other technologies, is integrated, does not require a separate team or console to manage, and works seamlessly with the tools CBP is currently maturing, it will benefit the department greatly.