One challenge facing federal IT managers in an ever more connected world is finding “shadow IT”: the systems an agency CIO or CISO did not purchase or authorize and may not even know about, yet which connect in myriad ways to the networks the official is responsible for.
Until fairly recently, the term referred to devices – desktop computers, laptops, Internet-connected printers and so on. Now, though, the definition has to expand to include things like unauthorized cloud services and any kind of hardware that might have a sensor to connect to the Internet of Things (IoT).
“IT is now enabling not just data and services, but functions from refrigerators to autos to factory floors,” said Eric Goldstein, Senior Counselor to the Under Secretary at the Homeland Security Department. “It’s a new generation of devices that gives adversaries a broader attack fabric and risk of lives.”
Goldstein was a panelist at the MeriTalk Cybersecurity Brainstorm session “Running in the Shadows: Discovering, Managing, and Securing Hidden IT Threats.”
Commerce Department CIO Steve Cooper suggested the concept of shadow IT as it applies to the federal government should be “anything inside our information security boundaries … that doesn’t fall under the direct purview of the CIO.” That could be other programs, corporations, even private citizens that access government data, he said.
“There’s lots and lots of IT out there, purchased by many different components not associated with the CIO’s office,” Peter Fonash, CTO for the DHS Cybersecurity and Communications Office, said. “I think CIOs are trying to rein that in, but they won’t ever be completely successful.” That’s all right, he said; CIOs shouldn’t completely stifle that because they, too, want the innovation coming from new applications.
Cooper credited FITARA (the Federal Information Technology Acquisition Reform Act) with giving him the ability to get a handle on his department’s shadow IT challenge.
“I have [leveraged] my FITARA authority,” he said. “It’s a CIO review, that basically most could think of as similar to the old Fedstat, where [the Office of Management and Budget] would sit down and do a programmatic review. [It’s] intended to be informal, collaborative, collegial. It’s not intended to trip people up … We’re getting started maturing our own internal process, but without FITARA I’m not sure I could have gotten started.”
James Yeager, Tanium’s Federal Director, noted that there’s a “curious paradox with shadow IT – you don’t know what you’re not measuring. But continuous monitoring is the best countermeasure for CIOs to leverage.” He continued: “Continuous monitoring helps CIOs and CISOs to better monitor the health and performance of their IT assets, tools which also help them find access points, even IT enclaves, they were not aware of.”
Network access control is another way to identify shadow IT, Cooper added. “That type of approach, leveraging that class of software, is incredibly valuable as we lose the ability as human beings to detect stuff connected to the network. Increasingly, leveraging technology becomes, I’d argue, mission critical.”
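The discovery approach the two panelists describe (continuous monitoring and network access control both reduce to comparing what is actually on the wire against what the CIO has on the books) can be illustrated with a small reconciliation script. The following is an added example, not code from the panel, from Tanium or from any agency: it reads constructed DHCP-lease-style log lines, flags MAC addresses that are absent from a (constructed) authorized-asset inventory, and separately flags inventory entries that have gone quiet, which is the “you don’t know what you’re not measuring” case. The log format, inventory structure and timestamps are all assumptions made for the example.

```python
"""Reconcile observed network devices against an authorized-asset inventory.

Added example for illustration only. The inventory, the lease log format
(timestamp MAC IP client-hostname) and all addresses below are constructed.
"""
from datetime import datetime, timedelta

# Constructed authorized-asset inventory: MAC -> asset name.
INVENTORY = {
    "00:11:22:33:44:55": "ws-finance-01",
    "00:11:22:33:44:66": "printer-floor2",
    "AA:BB:CC:DD:EE:01": "srv-hr-db",
}

# Constructed lease log lines; "-" means the client sent no hostname.
LEASE_LOG = """\
2016-05-10T09:00:01 00:11:22:33:44:55 10.0.1.20 ws-finance-01
2016-05-10T09:02:17 00:11:22:33:44:66 10.0.1.21 printer-floor2
2016-05-10T09:05:44 de:ad:be:ef:00:01 10.0.1.77 smart-fridge
2016-05-10T09:07:03 aa:bb:cc:dd:ee:01 10.0.1.5 srv-hr-db
2016-05-10T09:09:30 de:ad:be:ef:00:02 10.0.1.78 -
2016-05-10T09:11:12 de:ad:be:ef:00:01 10.0.1.77 smart-fridge
"""


def parse_leases(text):
    """Parse lease lines into dicts; blank or malformed lines are skipped."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, mac, ip, host = parts
        leases.append({
            "time": datetime.fromisoformat(ts),
            "mac": mac.lower(),  # normalize so case differences never hide a device
            "ip": ip,
            "hostname": None if host == "-" else host,
        })
    return leases


def find_unknown_devices(leases, inventory):
    """Return MACs seen on the wire but absent from the inventory, with evidence."""
    known = {mac.lower() for mac in inventory}
    unknown = {}
    for lease in leases:
        mac = lease["mac"]
        if mac in known:
            continue
        entry = unknown.setdefault(mac, {
            "first_seen": lease["time"], "last_seen": lease["time"],
            "ips": set(), "hostnames": set(), "sightings": 0,
        })
        entry["first_seen"] = min(entry["first_seen"], lease["time"])
        entry["last_seen"] = max(entry["last_seen"], lease["time"])
        entry["ips"].add(lease["ip"])
        if lease["hostname"]:
            entry["hostnames"].add(lease["hostname"])
        entry["sightings"] += 1
    return unknown


def find_stale_assets(leases, inventory, now, max_age):
    """Return inventory entries never observed, or last observed more than max_age ago."""
    last_seen = {}
    for lease in leases:
        mac = lease["mac"]
        last_seen[mac] = max(last_seen.get(mac, lease["time"]), lease["time"])
    stale = {}
    for mac, name in inventory.items():
        seen = last_seen.get(mac.lower())
        if seen is None or now - seen > max_age:
            stale[mac.lower()] = {"name": name, "last_seen": seen}
    return stale


if __name__ == "__main__":
    leases = parse_leases(LEASE_LOG)
    for mac, info in find_unknown_devices(leases, INVENTORY).items():
        print(f"UNKNOWN {mac} ips={sorted(info['ips'])} "
              f"hosts={sorted(info['hostnames'])} sightings={info['sightings']} "
              f"first={info['first_seen']} last={info['last_seen']}")
    now = datetime(2016, 5, 10, 9, 12, 0)  # assumed "current" time for the example
    for mac, info in find_stale_assets(leases, INVENTORY, now, timedelta(minutes=5)).items():
        print(f"STALE {mac} {info['name']} last_seen={info['last_seen']}")
```

The two lists answer different questions. Unknown devices are candidates for shadow IT and are the input a NAC policy would quarantine or an analyst would chase; stale inventory entries are the inverse problem, assets the CIO believes exist but that monitoring no longer sees, which usually means either the asset was decommissioned without the records being updated or the monitoring itself has a blind spot. In practice the lease log would be replaced by whatever the agency's NAC or endpoint platform exports, and the inventory by its CMDB.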
Fonash observed that software-defined networks hold potential for great cyber defense, provided you can keep track of the assets, but there are things beyond any CIO’s control, such as one’s supply chain. “Target was compromised by an HVAC service provider,” he pointed out. And the Internet of Things will only add to the complexity.
“IoT isn’t governed by anyone, but there’s no one in charge, no one responsible for security … and that’s going to be connected to your IT environment,” Fonash said.
“I want to get out of the infrastructure business; I don’t want to do that any more. I want to go out into the government community cloud,” Cooper said. “But there’s a question. Am I still going to be held accountable for what happens to ‘my’ infrastructure when it’s out there in the commercial environment? … If something happens, am I going to be the one called up on the Hill to explain? Is it GSA? OMB? Is it the contractors?”
Cooper suggested the NIST framework is going to have to be extended in some kind of collaborative partnership. “I think we are going to need the assistance and guidance of attorneys, both in the government sector and industry, [regarding] who has liability.”
After listening to the commentary from agency CIOs, Yeager added: “CIOs need to focus on the timeliness and speed of their monitoring methodology and capabilities. If their organization is not leveraging a true real-time approach, where cycle times are measured in seconds/minutes, then they have already lost. Shadow IT presents bad actors with a window into the organization’s soul and they only need a moment to wreak their havoc.”