President-elect Donald Trump’s new administration should toughen identity management across all U.S. federal systems by forcing the use of strong authentication systems for logins, says the report of a national commission on cyber security issued last week.
It was just one of a number of recommendations including improving the security of connected devices (Internet of Things) made and sold in the U.S., creating a label that rates the security of all technology products and services to help buyers, and launching a new national cybersecurity awareness and engagement campaign.
The 12-person commission, which included a former IBM CEO, the current CEO of MasterCard, the vice-president of Microsoft Research, the chief security officer of Uber and other security experts, said the new administration should launch a national public–private initiative to increase the use of strong authentication to buttress the use of insecure usernames and passwords.
“An ambitious but important goal for the next administration should be to see no major breaches by 2021 in which identity—especially the use of passwords—is the primary vector of attack,” the report urges.
“A review of the major breaches over the past six years reveals that compromised identity characteristics have consistently been the main point of entry,” the report notes. “We are making it far too easy for malicious actors to steal identities or impersonate someone online.” However, it says a variety of factors inhibit the commercial adoption of large-scale identity management frameworks that offer stronger and more usable authentication, including convenience and the lack of uniform standards. So commissioners called on the new administration to launch a national public–private initiative to set standards that allow an increase in the use of strong authentication to improve identity management.
By the beginning of 2018 all Internet-based federal government services provided directly to citizens would require the use of strong authentication. In addition, employees and contractors of all federal agencies should be required to use strong authentication.
As part of that effort Washington should create an interagency task force directed to finding “secure, user-friendly, privacy-centric ways” in which agencies — such as states where drivers’ licences and birth certificates are issued — can serve as one authoritative source to validate identity attributes.
Unfortunately the report doesn’t define strong authentication, perhaps because there isn’t one accepted across the security industry. But it could include securing identity using biometrics, authenticated mobile phones, USB keys, near-field communications (NFC) and Bluetooth low energy (BLE) devices and wearables. According to Wikipedia, strong authentication isn’t necessarily multi-factor authentication.
One definition of strong authentication is two or more of (i) something only the user knows (static password, code, personal identification number); (ii) something only the user possesses (a token, smart card, mobile phone); (iii) something the user is (a biometric).
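The two-of-three definition above is easy to state and easy to get wrong in practice: a password plus a PIN is two factors but one category, so it does not qualify. The following is an added example (not part of the article or the commission’s report) that verifies each presented factor, tags it with its category, and only reports a login as strong when at least two distinct categories verified. The user record, salt and TOTP seed are constructed sample data; the password-hash and TOTP routines are standard PBKDF2 and RFC 4226/6238 constructions, and only the knowledge and possession categories are implemented (a biometric check would slot in as a third category the same way).

```python
"""Added example: applying the two-of-three factor rule to a login.

All user names, salts and seeds below are constructed sample data.
"""
import hashlib
import hmac
import struct
from enum import Enum


class Factor(Enum):
    """The three factor categories from the definition of strong authentication."""
    KNOWLEDGE = "something the user knows"
    POSSESSION = "something the user has"
    INHERENCE = "something the user is"


# Constructed sample salt; a real system uses a random per-user salt.
SALT = b"constructed-demo-salt"


def hash_secret(secret: str) -> bytes:
    """Slow, salted hash for stored knowledge factors (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), SALT, 100_000)


# Constructed sample user record: a password, a PIN, and a TOTP seed.
# The seed lives in the user's authenticator app, so it is a possession factor.
USERS = {
    "alice": {
        "pw_hash": hash_secret("correct horse battery staple"),
        "pin_hash": hash_secret("4829"),
        "totp_seed": b"constructed-totp-seed-01",
    }
}


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(seed: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(seed, now // step)


def verify_knowledge(stored_hash: bytes, presented: str) -> bool:
    """Constant-time comparison of the presented secret against the stored hash."""
    return hmac.compare_digest(hash_secret(presented), stored_hash)


def verify_totp(seed: bytes, presented: str, now: int, step: int = 30, skew: int = 1) -> bool:
    """Accept the current code or one step either side to tolerate clock drift."""
    counter = now // step
    return any(
        hmac.compare_digest(hotp(seed, counter + d), presented)
        for d in range(-skew, skew + 1)
    )


def authenticate(username: str, presented: dict, now: int) -> dict:
    """Verify each presented factor, then apply the two-category rule.

    `presented` maps a factor name ('password', 'pin', 'totp') to the value the
    user supplied. Returns which factors verified, which categories they cover,
    and whether the login counts as strong authentication.
    """
    user = USERS.get(username)
    if user is None:
        return {"verified": [], "categories": set(), "strong": False}

    checks = {
        "password": (Factor.KNOWLEDGE, lambda v: verify_knowledge(user["pw_hash"], v)),
        "pin": (Factor.KNOWLEDGE, lambda v: verify_knowledge(user["pin_hash"], v)),
        "totp": (Factor.POSSESSION, lambda v: verify_totp(user["totp_seed"], v, now)),
    }
    verified = [name for name, value in presented.items()
                if name in checks and checks[name][1](value)]
    categories = {checks[name][0] for name in verified}
    # Count distinct categories, not factors: a password and a PIN phished
    # together are still a single compromised category.
    return {"verified": verified, "categories": categories,
            "strong": len(categories) >= 2}


if __name__ == "__main__":
    now = 1_480_000_000
    code = totp(USERS["alice"]["totp_seed"], now)
    print(authenticate("alice", {"password": "correct horse battery staple", "totp": code}, now))
    print(authenticate("alice", {"password": "correct horse battery staple", "pin": "4829"}, now))
```

The design point is the last return: the policy is evaluated over categories, so adding more knowledge factors never upgrades a login, while any single verified possession or inherence factor alongside a password does.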
According to a government spokesperson, in Canada the federal government requires that IT systems processing sensitive information and systems used for remote access use a strong authentication mechanism. This includes an enterprise-level Public Key Infrastructure (PKI) solution from SecureKey for authentication and access. As for public access, since 2012 the government has made mandatory a cyber-authentication service. The government says the service enables secure single sign-on for approximately 10 million credentials used by individuals and businesses to access over 80 secure online programs.
The U.S. report comes as Public Safety Canada conducts a public consultation on national security laws and policies that raises some of the issues in the U.S. report. Canadians have until Dec. 15 to make submissions. A public town hall will be held Dec. 6 in Winnipeg. Meanwhile the government is also reviewing the federal cyber security strategy following a public consultation that ended in October.
Trump didn’t immediately respond to the commission’s report. He has said in the past one of his priorities upon becoming president will be to order an immediate review of all U.S. cyber defenses and vulnerabilities, including critical infrastructure. He hasn’t said if the work of the commission — ordered by President Barack Obama in April — fulfils that.
Obama set up the commission after the discovery in 2015 of a huge data breach at the Office of Personnel Management which has the files of millions of current and former federal employees, some of whom had sensitive security positions, and the 2013 leaking of confidential government documents by NSA contractor Edward Snowden.
Obama asked the commission for recommendations on securing the digital economy while protecting privacy; ensuring public safety and economic and national security; fostering discovery and development of new technical solutions; and bolstering partnerships between federal, state, and local governments and the private sector.
Over seven months the commission looked into federal governance, critical infrastructure, cyber security research and development, the cyber security workforce, identity management and authentication, the Internet of Things, and public awareness and education.
One recommendation Trump might ask Prime Minister Justin Trudeau’s advice on is to consolidate the federal government’s basic network operations. This consolidated network would be run by a newly established cybersecurity and infrastructure protection agency. This might sound like Ottawa’s shared services initiative to slash the number of federal data centres here. However, Shared Services Canada, which oversees the consolidation, has been criticized for the speed of its work.
Other recommendations of the U.S. commission include:
–the new president should issue a National Cybersecurity Strategy within the first 180 days of his administration;
–moving U.S. federal agencies from a cybersecurity requirements management approach to one based on enterprise risk management. “Such an approach would help eliminate the misperception that cybersecurity is auxiliary to, rather than a core part of, every agency’s mission,” says the report. “It would properly put discussions of cybersecurity risk on the same level as other enterprise-wide risks. It would also reinforce the move away from a culture concerned only with meeting minimum standards.”
–working with the private sector to create a roadmap for improving the security of national digital networks, in particular by achieving robustness against denial-of-service, spoofing, and other attacks on users and the nation’s network infrastructure. “An immediate goal should be enhancing the nation’s ability to detect and resolve purposeful wireless disruptions and to improve the resilience and reliability of wireless communications and data,” says the report;
–on connected devices, the commission urged Washington and the private sector to join forces “rapidly and purposefully to improve the security of the Internet of Things (IoT). The goal should be to achieve security by default in all connected devices and to ensure that the consumer and integrator alike know what security capabilities are, or are not, contained in these devices.”
“To facilitate the development of secure IoT devices and systems, within 60 days the president should issue an executive order directing the U.S. National Institute of Standards and Technology (NIST) to work with industry and voluntary standards organizations to identify existing standards, best practices, and gaps for deployments ranging from critical systems to consumer/commercial uses—and to jointly and rapidly agree on a comprehensive set of risk-based security standards, developing new standards where necessary.” In addition, the U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) should develop guidelines for IoT cybersecurity and privacy best practices for rapid deployment and use.
Finally, Washington should look at the current state of U.S. law with regard to liability for harm caused by faulty IoT devices and provide recommendations within 180 days on whether there are legal incentives for companies to design security into their products;
–federal R&D funding for cybersecurity should increase by approximately U.S. $4 billion over the next 10 years for federal civilian agencies;
–to improve consumers’ purchasing decisions, an independent organization should develop the equivalent of a cybersecurity “nutritional label” for technology products and services — ideally linked to a rating system of understandable, impartial, third-party assessment that consumers will intuitively trust and understand.
–within the first 100 days of the new administration, the White House should convene a summit of business, education, consumer, and government leaders at all levels to plan for the launch of a new national cybersecurity awareness campaign;
–the president should initiate a national cybersecurity workforce program to train 100,000 new cybersecurity practitioners by 2020. Washington should also develop a mandatory training program to introduce managers and executives to cybersecurity risk management topics—even if their role is not focused on a cybersecurity mission area—so that they can create a culture of cybersecurity in their organizations;
–the appointment of an Assistant to the President for Cybersecurity, reporting through the National Security Advisor, to lead national cybersecurity policy and coordinate implementation of cyber protection programs. This would elevate the current position of federal Cybersecurity Co-ordinator and make it on par with the Assistant to the President for Homeland Security and Counterterrorism. This cyber security czar should have responsibility for bringing together the federal government’s efforts to protect its own systems and data and to secure the larger digital economy.
Avivah Litan, a security analyst at Gartner, said she is encouraged by the report. However, she believes requiring strong authentication for access to federal systems is not enough. “The fraudsters and other bad actors have been beating multi-factor strong authentication implemented at banks and other companies (e.g. SWIFT, government defense contractors, etc.) for many years. Strong security requires a layered authentication and fraud detection approach. Simply relying on strong authentication will give these federal systems a false sense of security.”
Putting a security rating level on products is “a great idea,” she added.
Ruchir Kumar, KPMG Canada’s manager of cyber security, said the report “provides good recommendations for organizations that are operating in the cyber world.” The recommendation that IoT devices carry a security rating is great, he said. “Right now there’s a need for something that labels a device before it’s brought onto the network. The challenge I feel is there is no framework that can be adopted by vendors that measures how the device needs to be secure to a level.” In the meantime KPMG urges manufacturers to include security in the design of all networked devices. Devices that don’t meet an organization’s threat model can’t be plugged in.