WSJ: The Government Model: Network Security at the State Department

http://online.wsj.com/article/SB10001424053111904353504576566802789426680.html

SEPTEMBER 26, 2011

The Government Model

The State Department's approach to cybersecurity is so innovative and effective that companies are clamoring to copy it

By SIOBHAN GORMAN

The State Department has pioneered an approach to network security that makes it easier for managers in large organizations to identify trouble spots, prioritize them and get them fixed fast.

The program's effectiveness, in fact, has made it an unexpected model for big firms looking to bolster computer security.

Responsible for protecting computer networks for 400 U.S. embassies and offices across 24 time zones, State faces a cybersecurity challenge that in many ways mirrors that of a multinational company. Its program scans computers throughout the department every three to four days to detect security vulnerabilities, compiles the data in one place and provides grades to each office.

"We know anywhere in the world what our risk is," says John Streufert, State's chief information-security officer and one of the program's four creators.

The program differs from commercially available network-monitoring programs in that it uses a market-based approach to create incentives to fix security gaps. It quantifies a range of security risks and "monetizes" them into a "common currency" that assigns the most points to the highest-priority security gaps to be fixed, Mr. Streufert says. Those points are factored into a site's grade daily, so the security officials can repair the biggest gaps first, he says.

Since launching the system three years ago, State has received a growing number of inquiries from an array of companies, including Microsoft Corp., General Electric Co., J.P. Morgan Chase & Co., the computer security firm RSA and Heartland Payment Systems Inc., a credit-card payment processor and victim of a major cyber attack a few years ago.

At least 40 organizations have requested the software code for State's program, which Mr. Streufert gives away free.

Not Perfect

Efforts to safeguard State data aren't airtight, as the 2010 release of thousands of sensitive diplomatic cables by WikiLeaks showed. The theft of that data, however, involved a classified Defense Department network that the State Department doesn't manage and allegedly was the result of the Pentagon's failure to prevent a soldier from downloading the information.

But Mr. Streufert's program has limitations, too. It focuses on fixing known security vulnerabilities, which means that previously unknown modes of computer attack won't be detected. Security specialists say 80% of cyber infiltrations occur through known security gaps.

It only scans computers that run Windows, and not routers or other network equipment that cyber attacks target, according to a Government Accountability Office assessment released last month. That report also found that the program didn't scan all machines every three days, as it is designed to do.

State officials say the agency is expanding its system to include routers and other devices. It also says that all available automated scanning programs have technical shortcomings and that it is working with providers of those programs to improve its program. It is also working with the National Security Agency to more regularly incorporate information about new threats.

Wake-Up Call

The impetus for State's program came in 2006, when it received a series of failing grades on government security assessments.

"It was embarrassing for us to have five failing grades," Mr. Streufert says.

He was hired that year, in part, to dig State out of its security hole, and two years later his department launched a program that would continuously monitor for security gaps.

A four-person team, including Mr. Streufert, developed the system, which scans all of State's computers and reports back on the security gaps it finds, which range from outdated antivirus software to failures to patch up known software vulnerabilities. Scans of different systems may occur at different times.

The system also calculates grades on an A through F scale for each embassy or office based on the number of security holes it turns up. A dozen factors go into each grade, such as missing software-security patches, age of passwords, improper computer settings and status of sensors monitoring network security. Grades are updated three times a day.

In the program's first year, the number of security gaps detected fell about 90%. The embassies and offices were receiving mostly A and B grades. So, in March 2010, State made it three times as difficult to get an A.

The new grading scheme again prompted significant changes at State offices. When Detroit's passport office was receiving D's, State demanded that the contractor operating the office replace the local computer-network administrator. Detroit is now one of State's highest-performing offices.

Along with a grade, each embassy gets a report that shows which vulnerabilities exist on specific computers in their office, so they know exactly which computers are most in need of attention. The system rates security gaps based on their importance and penalizes an embassy more for failing to fix a high-priority security gap.

"If I want to fix something, I know exactly what I need to fix to change the grade," says John Gilligan, a former Air Force chief information officer who has closely followed State's efforts.

Setting Priorities

The prioritizing of security gaps proved to be one of the most important elements of the program, Mr. Streufert says. Security managers sought to quickly fix security gaps that had the greatest impact on their office or embassy's overall grade.

For example, after the high-profile 2009 cyber attacks on Google Inc., State assigned a high priority to the software fix that would prevent that mode of attack. Within six days, 85% of its computers had the fix.

"Almost no private-sector organization can do this," Mr. Streufert says. "The bulk of American corporations and government are treating all weaknesses as if they are the same."

The prioritizing of security gaps to be fixed is one of the most innovative elements of the State Department model, says Susie Adams, chief technology officer for Microsoft Corp.'s federal practice. "The biggest problem is: You have a finite number of resources, so how do I know what to do first?" she says.

Microsoft has followed the State program closely because Microsoft software was among those that State built upon when creating its program.

Microsoft has taken recommendations based on State's experience and folded them into the latest version of its System Center 12 program to be released later this year, Ms. Adams says. That program is designed to help organizations track and manage security gaps not only on desktop computers but also on Apple iPads and other mobile devices. It will also extend to information stored in remotely accessible cloud services.

EMC Corp.'s RSA security division, which sustained a cyber attack earlier this year, has also tracked State's work and used lessons from State's experience to tailor its own products to the specific needs of government agencies, says RSA's chief security officer, Eddie Schwartz.

At Heartland, engineers are using portions of State's software code as they build their own system to monitor security gaps, says Chief Security Officer John South. The most useful element of the State system for Heartland, he says, was the ability to view the security status of all devices in the network in one place--and prioritize the greatest security gaps.

"Anytime I can see the risks and the threats faster," he says, "that's of great benefit to us."

Ms. Gorman is a staff reporter in The Wall Street Journal's Washington bureau. She can be reached at siobhan.gorman@wsj.com.