What does TIC 3.0 Mean for Government Agencies and Cloud Security w/Guest Aaron Boyd of Nextgov - Ep 20
In December 2018, the White House released an updated draft of its Trusted Internet Connection policy (TIC 3.0), which is a program created by the federal government to consolidate the number of external internet connections within agencies so that IT teams can more efficiently manage security efforts. On this episode of To The Point Cybersecurity, we are joined by Nextgov’s Senior Editor to discuss the updated policy, how it will impact cloud security, and what it means for government networks.
Introducing Aaron Boyd of Nextgov
Arika: Hi and welcome back to To The Point Cybersecurity. This is episode number 20. I'm your host, Arika Pierce, along with my cohost, Eric Trexler. How you doing, Eric?
Eric: Hey, Arika. Doing well.
Arika: Can you believe we're at episode number 20?
Eric: I feel old. Well, wait a minute, I am.
Arika: Oh, no, just experienced, as we like to call it. Well, good. This week we have a guest. We have Aaron Boyd joining us from Nextgov. He's a senior editor there, covering technology issues in the federal government. Hi, Aaron.
Aaron: Hello. Hello everyone out there. Happy to be here.
Arika: Yeah, thank you so much for joining us. We have a couple of topics that we want to touch on today, Aaron, because you definitely are always writing about the world of technology and the world of cybersecurity in the federal space. So I want to jump into a few things you've recently written about, if that's okay?
Eric: If I could, before we get started. Aaron, how did you pick technology? How did you pick cybersecurity?
Aaron: Technology definitely picked me. I'm a lifelong nerd. I built my first Frankenstein computer from spare parts in grade school. It's always been a fascination of mine. It's certainly the future. So, as a reporter, I feel like a lot of us end up picking specialty areas versus general reporting. So, IT was a nice fit for me. And, as I was doing a lot of the IT reporting here in Washington, in DC, definitely cybersecurity is jumping out as a major issue for federal agencies, and everywhere, of course.
So, you really can't have the IT discussion without talking about cyber.
Trusted Internet Connection Policy, AKA TIC 3.0
Eric: Okay. Let's have that discussion, then. That's awesome.
Arika: Okay. So let's first start with a recent draft policy that came out from the administration. It's the Trusted Internet Connection Policy, also known as TIC 3.0. The reason why there's this program in place, the TIC program, was for the federal government to consolidate the number of external internet connections that government agencies have. So, I was doing a little bit of research into this issue.
Arika: I was surprised to learn that, for example, DHS has identified 228 different Cloud services that are being used by agencies. So when you have all of these points coming into the networks, that causes issues. So that's the point of this TIC policy. But the other issue is that it does make it harder for agencies to migrate to the Cloud, which we also know is a priority.
TIC 3.0 impact on government agencies
Arika: So, Aaron, you recently wrote about this in terms of what this framework looks like, the impact it's having on government agencies. Talk a little bit more about what your thoughts are and what direction we're seeing the program go. And if it's addressing some of the challenges that the agencies have raised in terms of the migration to Cloud.
Aaron: Sure. TIC is one of those interesting areas. The last time TIC was updated, to 2.0, was in 2008. So it's been a long time coming to get to 3.0. But as you said, the purpose of it is to ensure that when agencies, agency employees, are connecting to the internet, they're using a trusted connection, hence the name, and not getting spoofed man in the middle attacks, things like that, that could get in the way.
Cloud based networks
Aaron: As you mentioned, though, when it comes to Cloud and modern networks, that old framework doesn't really apply as much anymore. So what they're doing with the latest iteration, the new draft that's out from the Office of Management and Budget, is looking at several case studies, examples of how feds are using the internet, where they're connecting, and what is the best way to secure those connections.
Aaron: Right now, it's a draft policy update that is, once finalized, going to actually kick the ball over to DHS, who is then going to develop these use case scenarios as standard examples for how agencies can connect securely. And the comment period, actually, is still open on that draft policy until February 8th.
Eric: Did they extend it, Aaron?
Aaron: They did. It was one of the ones that got extended due to the shutdown.
Eric: The shutdown.
Aaron: They gave it a few extra weeks.
Eric: The shutdown. Prolonging or delaying cyber activities everywhere.
The impact of new policies
Arika: I think that's interesting. Eric and I have talked about this a few times in terms of how do you protect the network perimeter when the boundaries are essentially disappearing? And so, I think that's the balance, the challenge, that these types of policies really have to deal with.
Aaron: Back in September, I spoke with Mark Bond, who leads this effort for DHS. And, he was talking about that exact problem. Because most of the tools that agencies are going to use to ensure they have a secure connection aren't really going to change. A great quote: yes, we have a hammer. Yes, we're still hammering nails. But now suddenly we're like, what are we making out of these hammers and nails?
Aaron: So, the general security architecture for agencies isn't necessarily going to change in the latest update to the policy. What it is, how you use those things, like firewalls, antivirus and DMARC and other aspects of cybersecurity in this era now, where you have ... it's not just ... the perimeter is disappearing in a way that now we have unlimited perimeter. You have every end device is now computing and everything's connected to the Cloud.
Working without set perimeters
Aaron: So when you don't have a set perimeter to protect, how do you use all these tools that you have to still make sure that you're safe?
Eric: Right. I show that some of the use cases suggested are Cloud, support for SD-WAN or software-defined wide area networks. So, remote offices way outside Washington DC or traditional areas with a couple of users maybe even have trusted connectivity back. Remote users connecting from home. Certainly since 2008, Cloud, remote office, wide area networks, and the remote users connecting from home, those scenarios, those use cases, have increased in prevalence. Time for an update.
Aaron: Most definitely.
Arika: Well, it'll be interesting to see what these new use cases that DHS does, what they put out. Because, obviously, a lot has happened, a lot of changes have occurred since 2008 when the last policy came out.
4 different areas for policy changes
Aaron: I think that's one of the big things that they're hoping for during the comment period. So if you look at the draft policy, they list ... let's see here. I have it pulled up here. And they list four different large areas, Cloud, as you mentioned, Eric. Specifically they want to look at infrastructure as a service, software as a service, and email as a service. They want to look at agency branch offices, as you mentioned as well. So, if you're not at the headquarters office, what are you doing? Remote users for tele-work and the like, and then, how the traditional TIC from years past has been applied to ... and can still be applied going forward.
Eric: The initial concept, as I understood it, was really to funnel all internet access through a number of gateways to really inspect that traffic. I think with encryption that we've seen in the last five years really becoming prevalent for that traffic, that becomes much more challenging. And we, at Forcepoint, I would say, definitely look at getting closer to the end user, which sounds like that's what they're doing, too.
Eric: You have to. I mean, really difficult to inspect encrypted traffic. Even more difficult to inspect traffic that doesn't go through your dedicated connection.
Security beyond the desktop
Aaron: But in today's day and age, you can't just say, you have to be at your desk to connect to the internet. You have to open it up. You have to allow people to work where they need to work, otherwise what's the point of all this technology?
Eric: No, you're right. I mean, 2008, that was a year after iPhone came out. Really, the proliferation of the smart phone, remote connectivity, remote access is probably the default these days, in many cases.
Arika: Well, a sidebar, I kind of miss days when you could only just work at your desk.
Aaron: Yeah, no more snow days.
Arika: Right, right, right. I mean, I just got off of a six hour flight. And the wifi was bumpy in certain parts. And I was getting irritated about the fact that I could not work while I was on the plane. So, 2008, you just had to really sit back and enjoy those types of situations.
Eric: Keep hoping. I'm not sure they're coming back, Arika.
Cybersecurity workforce issues
Arika: No, I don't think it is. I don't think it is. Okay, Aaron, let's put it to another area that you've recently written about. You wrote an article that came out on February 5th that ... I'm just going to read the title because I think I like the title quite a bit. It says, Former Official Says Throwing More Bodies Into Cybersecurity Won't Help. So, really, here you're talking about some of the cybersecurity workforce issues that we hear a lot of discussion about, especially right now. We're post shutdown where there's been also talks about the impact the shutdown will have on the recruitment in various areas of government, including cybersecurity, which has definitely been a challenge.
Arika: So talk about this former FBI official, what he said in the article. Because his examples and case studies and what have you, that he gave, I thought, were quite compelling when you think about it. It's not about just bringing tons of more people into the industry; right?
Aaron: Right. And then, I think it's important to preface these comments in this story with that last statement you made. This is about the number of cybersecurity professionals in the industry at large. It's interesting, I actually published a story today that is all about a survey of federal IT professionals who say that they don't have enough staff and that's their biggest problem. That's actually a separate issue. This is can the federal government recruit and retain people? That is a singular issue that the government has.
The silver bullet of adding more people
Aaron: Then you look wider, though, one of the big silver bullets that people always talk about is the need to get more ... to increase the number of cybersecurity professionals in the sector. There's been a lot of numbers thrown around. The one I cited in the story is that there's three million needed cyber professionals worldwide. That's the gap.
Aaron: Steven Chabinsky, who is a former Director of the FBI Cyber Division, and he was also a Senior Advisor to the Director of National Intelligence while he was in government, he was speaking at an event the other day where he says that's the wrong way to look at it when you're talking about the larger sector. If you just talk about throwing bodies at the problem, as our headline said, that's not addressing the root cause of why we have so many issues in cybersecurity.
Aaron: One of the ... he had some colorful quotes that he threw out. One of the ones that I thought was great was, he said, it's like having an arsonist in the neighborhood and saying we don't need to get the arsonist, let's get more firefighters.
Eric: I love that one, also.
Arika: Yeah, that was a good one.
Does everyone belong on the front lines of the cyber war?
Aaron: Yeah, it's just ... the whole idea being, as he was putting it, was that industry, businesses, every day citizens are on the front lines of this cyber war, as many like to call it. And that's not the way it should be.
Aaron: Another version he used was referencing the water crisis in Flint, Michigan. You wouldn't expect the people to take control over cleaning the water. That's why they pay taxes. They want it done at the reservoir level. This is a collective thing that the community should be taking care of, not an individual thing.
Aaron: So, his point, when it comes to cybersecurity, is it's the same issue. If you focus on just throwing more people at it, then you're focused on the right of boom side of things, where the events have happened and we need to clean it up, or we know that there's a crisis and we need to strengthen our defenses. Those aren't bad things to think about. But his point was, it's distracting from what he believes we need to be thinking about, which is we need to start at the root cause. Why are these attacks happening? And how can we harden our systems overall to mitigate this crisis?
Eric: Okay. So, what do we do?
Alternatives to just adding more people
Aaron: Well, he didn't have too many great ideas that he shared at the conference I was at. But, he was talking about a recent tabletop exercise and subsequent report from the Foundation For Defending Democracies. And they go through quite a lot of options for not just how to improve information sharing, which is another one of those ones that gets talked about as a silver bullet, but probably isn't really one. But how to improve getting the industry to share more with government and the like. And what can be done to re-engineer the frameworks for how government supports private industry to really get to the heart of the problem and stop these attacks.
Eric: I love the premise of the article here. I love what he's saying. The challenge is, what do you do?
Eric: The industry's had whitelisting for years, which was a good way to harden the systems, to only do what they were able to do. The problem is, the adversary's always going to find a way in because we have something they want. There are a multitude of challenges. When you look at the nation state problem, it's always more cost effective to steal its intellectual property than to create it. So as long as they feel ... as someone feels they can do that, they'll do that.
The relative cost benefit of cybercrimes
Eric: If you look at hacktivists, if you look at, I don't know, organized crime, anybody, as long as it's cheaper for them ... and not just cheaper financially, but cost, penalties, jail time, whatever it may be. As long as it's cheaper for them to steal it or to do something malicious where there's an interest for them and they can do it, they can get away with it, they're going to do that. So what do you do?
Aaron: Yeah. And extrapolate that problem to national security secrets, classified research intel, critical infrastructure if you're doing traditional warfare or even just economic warfare. These are things where, for an adversary, that's priceless. You can't make it expensive enough to dissuade China from trying to steal the next big tanker designs or something like that.
Aaron: I think you're right. For a lot of the lower level stuff, the basic economics, even up to Fortune 500 companies and the like, we can make the value proposition too high, so it's not worth it for them. But when we get to critical infrastructure and national security, they're going to keep trying no matter how much it costs.
Eric: I think, even, when you get to the consumer. If you can steal a hundred thousand logins, it makes it profitable for them.
Centralization and Automation?
Eric: If somebody wants to take the DNC offline, and there's value in that, they'll find a way to do that. I agree with you. It doesn't make sense to hire more firefighters. By the way, we don't have enough firefighters. We will never have enough firefighters. It's absolutely the wrong way to look at the problem. I just don't know what the answer is. We need to automate. I believe that is a critical capability we need to enable. We probably need to do some more centralization and get more control and understanding of our environment. But that's certainly not foolproof, either.
Eric: But you're absolutely right. We're not going to get enough firefighters. They don't exist and they never will.
Aaron: And the other side of the coin, anything designed to give someone access, the legitimate people access, someone else can get access, too. There is no perfect security, physical, cyber, or otherwise. Unfortunately, I don't have any answers for you here. It's an intractable problem where I think we can continue to get better. But until there are norms for this kind of thing where we say this is the way we do things, and this is what we're not going to allow, it's going to keep happening.
Eric: Aaron, I'd like to thank you because you just guaranteed podcast 21 and on.
Eric: Job security. Thank you very much.
No easy answers
Eric: We don't have any great answers, either. It's a great way of looking at the problem. But as a society, we need to figure out how to do more with fewer firefighters.
Arika: I agree. And I think ... sometimes I feel like organizations, including the government, we gravitate towards the answers that just seem easier, and that's why, perhaps, we tend to be gravitating towards let's just get more cybersecurity professionals, that's going to stop it. But, obviously, it's not. So it's really getting at the heart, the root, of the problem. That's why I like the firefighter analogy, because that really makes it clear.
Eric: This is a global problem; right? I mean, we're speaking in the context here of government. But, everybody has this problem. Even the banks, the financial institutions that have the best and most capability today. They still have personnel challenges. There aren't enough people out there.
Aaron: Yeah. And I don't think Steven's point was to say we don't need more people. To your point, we need firefighters, we need cybersecurity professionals, we need the people doing this work. But it's just how you frame the problem. Should we keep trying to douse the fire, or find a way to stop the arsonist?
Doing more with less
Eric: That's exactly the way I read it. How can we do more with fewer firefighters? User training is probably the best thing we can do to drive that problem to the edge and prevent credential theft, prevent impersonation of legitimate workers. A lot of user prevention, user education. It's ... I don't know. It's not quite perfect on the analogy. We're not turning people into firefighters, but maybe we're preventing some of the fires, so we do need less firefighters.
Aaron: For me, that's my version of Chabinsky's issue. Mine is getting user training, user hygiene. I think you're entirely right. It's necessary and good. Users are always the weak link. But, there's, especially in large organizations where an attacker gets so many bites at the apple with a phishing email, for instance. Even people well trained, they're going to get caught. I could tell you, every cybersecurity CEO I've spoken to has a story of when they've been phished. So, for me, it's funny. Because that's actually ... I take the same point. Yes, we need cyber hygiene, we need training. But if that's your focus, you're going to lose the game. We need to get to a place of zero trust.
Taking users out of the equation
Aaron: I talk about flipping Claude Shannon's maxim on its head, that the enemy knows the system as soon as you stand it up. The user ... you should be able to create systems where the users don't have to know anything security wise. If we can find a way to truly take the user's ignorance and inability to see the attack coming out of the equation, I think that will get us further than talking more and more about user training.
Aaron: But again, until we find that silver bullet, it's the best we've got.
Eric: Well, the other thing we're looking at, and we're studying hard here, not to do a commercial, but I really do believe in the idea, is looking at user profiling and creating risk scores. So you, the user, you do the best you can. Let's say you make a mistake. Let's say something happens. You have no idea. You closed a window and all of a sudden, you launched a piece of malware. Understanding the user behavior and looking for the abnormal event.
Flagging the right events to switch from automation to manual interventions
Eric: When you see that, flagging so that you can deploy a firefighter or some level of automation. So the users do the best they can, but when they do make a mistake or something happens that they're not even aware of, it's out of context. It's not in the norm, if you will, for them. And then we're allowed to deploy firefighters.
Eric: We'll see. We'll see.
Arika: Yeah, we'll see.
Eric: It's a start. I do love Steven's ... I do love Steven's thought track. Because we're not going to have enough firefighters. And we hear it all the time from customers, whether they're commercial or government, I don't have enough people to solve this problem. And I think you're never going to, so let's solve it a different way. Let's look at different techniques.
Eric: Great article.
Aaron: I've got to give props to Steven for framing it in a way that everybody can digest and understand.
How to connect with Aaron
Arika: Yeah, it was well done. Well done. Well, thank you, Aaron. We're actually just out of time. Where can our listeners find you if they want to, on social media or to read some of the other great issues that you've covered in the crazy world of cybersecurity and technology?
Aaron: Sure. Most of my days, I spend way too much time on Twitter at federal_IT, so federal IT, you'll find me there.
Arika: How'd you get that handle? You must have had it for a long time.
Aaron: I jumped right on it when I first started reporting on this stuff and I got lucky. And then, you can find my work daily on nextgov.com where we talk about federal IT issues at large. Everything from acquisition to cyber to modernization.
Eric: Great articles.
Aaron: Thank you.
Arika: Excellent. We'd love to have you back on again, Aaron. And I kind of dashed through some of the articles, the other topics that you cover. So we appreciate your time today.
Aaron: Sure. Happy to be here.
Eric: Aaron, keep writing. Thank you.
Arika: And thanks to our listeners who tuned in this week. Please do subscribe to the podcast, rate us, let us know what you want to hear us talk about. And, until next week, this is To The Point Cybersecurity.