1/ Unless the USG dramatically changes its approach to reviewing software, just doing more "vetting" of vendors will be 100% useless in catching issues like SolarWinds.

Currently, it's all designed to raise the "floor" and avoid table-stakes stuff.
2/ Agencies and FedRAMP review vendor-supplied documentation, scan results from generic tools, and attestations to various "best practices".

It's done using a maximalist, mindless checklist that NIST (and OMB, through FISMA metrics) inflicts upon federal agencies.
3/ This approach meets everyone's local incentives:

Agencies get the CYA of saying they followed federal policies, so it's the policies that need updating.

OMB and Congress get quantitative, auditable artifacts optimized for their non-technical oversight and visibility.
4/ But it's not optimizing for actual security outcomes. This gigantic basic-error-avoidance compliance apparatus is all-consuming to the people on the ground.

None of this leaves time, money, energy, or imagination for *technical*, *qualitative* security analysis or investment.
5/ At CISA, and in security teams at large agencies, we need the skills -- and oversight incentives! -- to do things like hand-review source code, do deep analysis of binaries, and write their *own* code to (e.g.) do bespoke monitoring tailored to agencies' unique infrastructure.
6/ Some might think: "Agencies shouldn't have unique infrastructure! Why can't [CISA/NSA/'the cloud'] just host everything for agencies so we can defend it once?"

But agencies have unique missions that *must* be done and done well. Their needs and risk tolerances diverge widely.
7/ If Congress or Biden's OMB respond to SolarWinds by just making agencies "vet harder", they will be perpetuating the cycle that led to this catastrophe.

Breaking it requires relaxing constraints on strict auditability, and investing in raising the USG's security *ceiling*.
8/ Among other things, this means:

a) Reskilling/hiring *engineering* capacity into CISA and agency teams.

b) Reorienting IGs & GAO to look for evidence of long-term security investment.

c) Abandoning SP 800-53 in favor of intense 1st/3rd party red teaming and vuln assessment.
9/ This is a wildly non-exhaustive list of things that would improve federal security.

But fundamentally, it means acknowledging that the current approach *is not working*, has *never* worked, and that something new is desperately required as we hurtle headlong into the 2020s.
10/ I left out:

d) Don't require software be bug-free (which is impossible). Architect systems so that their bugs matter a lot less.

This is how election security works: voting machines are mediocre, but paper ballots and audits make that tolerable. https://twitter.com/konklone/status/1340391969281822720
11/ Agencies will say they "assume breach", but follow-through on zero trust / least privilege remains rare.

For example: monitoring "sensors" should be constrained to have read-only access, through permissions enforced by independent components. But that rarely happens.
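One way to make "read-only, enforced by an independent component" checkable, as an added example that is not part of the original thread: a small Python linter for an IAM-style policy attached to a monitoring sensor's role, where the cloud's IAM service (not the sensor itself) enforces the grant. The policy documents and the helper names are constructed for illustration.

```python
# Added example, not from the original thread: lint an IAM-style policy for a
# monitoring "sensor" role and report any grant that is not provably read-only.
# Policies, role context and helper names are constructed for illustration.
from typing import Dict, List

# Verb prefixes that, in the AWS IAM naming convention, denote read-only calls.
READ_ONLY_VERBS = ("Get", "List", "Describe", "Read", "Lookup", "Search", "Head")


def is_read_only_action(action: str) -> bool:
    """True only if the action name is unambiguously a read verb.

    Wildcards ('*', 'logs:*', 's3:Put*') are treated as NOT read-only, because
    they expand to whatever mutating permissions the service defines.
    """
    if "*" in action or "?" in action:
        return False
    _, _, verb = action.partition(":")
    return verb.startswith(READ_ONLY_VERBS)


def find_write_grants(policy: Dict) -> List[str]:
    """Return every Allow grant in the policy that could let the sensor write.

    A statement using NotAction is flagged whole: 'everything except X' is
    never a read-only grant, however innocent X looks.
    """
    offenders: List[str] = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            offenders.append("NotAction:%s" % stmt["NotAction"])
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        offenders.extend(a for a in actions if not is_read_only_action(a))
    return offenders


# Constructed sample: the overbroad grant a sensor often ends up with ...
OVERBROAD_SENSOR_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["logs:*", "ec2:DescribeInstances", "s3:PutObject"]}]}

# ... and the corrected, read-only grant the thread argues for.
READ_ONLY_SENSOR_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["logs:GetLogEvents", "logs:DescribeLogStreams",
                "ec2:DescribeInstances"]}]}

if __name__ == "__main__":
    print("overbroad:", find_write_grants(OVERBROAD_SENSOR_POLICY))
    print("read-only:", find_write_grants(READ_ONLY_SENSOR_POLICY))
```

The check is deliberately conservative: anything it cannot prove read-only is reported, so a clean result means the independent enforcer (IAM) holds the sensor to read access regardless of what the sensor's own code does.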