As technology and associated threats evolve, cyber-attacks on federal networks are increasing in frequency and sophistication. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the federal government’s first civilian cybersecurity agency, is responsible for leading federal efforts to protect the nation’s critical infrastructure from cyber and physical threats. This requires strong coordination and collaboration among a broad spectrum of government and private sector organizations.
CISA has a unique authority under the Federal Information Security Modernization Act of 2014 to direct federal agencies to take specific action to safeguard federal information and information systems from a known or reasonably suspected cybersecurity threat, vulnerability, or risk.
Since 2014, DHS has issued eight Binding Operational Directives (BOD) covering a range of topics, from securing high value assets, to implementing enhanced email and web security capabilities, to removing potentially harmful products from federal networks.
While BOD implementation is mandatory only for federal agencies, CISA’s directives include common sense guidance and mitigation steps that any organization can utilize to enhance the security and resilience of their networks and systems.
CISA’s overarching goal is to promote effective cybersecurity and motivate all of our partners and stakeholders to improve the collective health of the cyber ecosystem. Our nation’s cyber adversaries are aggressively targeting both public and private networks, so government efforts need to address the risks to both.
This public-private partnership was exemplified in January, when industry alerted the government to a sophisticated global Domain Name System (DNS) hijacking campaign. Through rapid coordination, we discovered that malicious actors had obtained access to accounts controlling DNS records and used those accounts to redirect traffic to the actors’ infrastructure before relaying data to the real address.
By controlling an entity’s digital address, malicious actors could obtain legitimate digital certificates and decrypt intercepted data, with everything appearing normal to users.
This is roughly equivalent to someone lying to the post office about your address, so that all of your mail is first sent somewhere else—where it can be opened and tampered with—before being hand-delivered to your mailbox by the intruder.
Because of our responsibility to protect federal systems, we felt an urgent response was required to address the risk. So we crafted a set of actions, or near-term mitigations, for federal agencies to take to protect their systems.
The directive also provided our non-federal partners clear actions they could take to better position themselves should they one day be the target of a similar campaign. And even though these partners are not subject to the BODs, the feedback they have provided is clear: “Great work. We’re paying attention. Do more.”
Industry was also instrumental in the development of BOD 18-01, which directed federal agencies to implement specific security standards widely adopted in industry to ensure the integrity and confidentiality of internet-delivered data, minimize spam, and better protect users from phishing emails appearing to come from government-owned systems.
In April 2019, the Internet Society’s Online Trust Alliance released its annual report on the security and privacy of more than 1,200 consumer-facing websites. For the first time, U.S. government websites outscored sites from all other sectors. This marked a dramatic turnaround from the previous year, when government sites finished dead last.
BOD 18-01 was the driving factor in this turnaround. And although it applies only to federal agencies, CISA’s ‘special sauce’ is not a secret. We’ve published the steps taken by the federal government (cyber.dhs.gov) and will continue to promote the approach to all of our stakeholders.
Through public-private partnership, we will continue to address the most serious and enduring cyber risks to the United States and our international partners. Working as a team in a ‘collective defense’ model, we can shift the advantage back to the defender and make the internet a safer place for everyone.