One of the best moments in the career of U.S. Citizenship and Immigration Services’ Adrian Monza was the day the agency received a 40-pound box filled with the shredded remains of its mainframe’s hard drive.
The chopped-up pieces meant USCIS had one less piece of old technology with high security risks.
Now, USCIS is undergoing a “very significant” modernization, said Monza, USCIS’ cyber defense branch chief, so system vulnerabilities are again fresh in everyone’s mind.
“One of the challenge points, just looking at what’s going on in the … larger ecosystem is the susceptibility of the software supply chain,” Monza said.
He noted that right now supply-chain attacks are often focused on financial databases, but he warned that agencies need to be prepared to defend themselves against a potential attack.
“It’s only a matter of time until someone gets the bright idea and says, ‘Hey this is a great way into government systems as well,’” Monza said. “And, so, focusing on identifying that supply chain and securing it is really a focus for us.”
The modernization effort at USCIS is making its officials more aware of its risks in the system development process.
“One of the things that we’ve seen as we’re trying to modernize systems is that we’re pushing a lot of development and then that’s training our ability to assess what’s going on,” Monza said.
On the Department of Defense side, the Air Force has done several rounds of penetration testing to identify vulnerabilities in its system over the last four years, Air Force Chief Information Security Officer Wanda Jones-Heath said.
“We found a lot of success,” Jones-Heath said. “We know that we have some issues and we’ve fixed those.”
Another aspect of agency cybersecurity is continuous monitoring of the agency’s environment, which Jones-Heath said the Air Force has deployed across the service. Through the monitoring tool, she can view the Air Force’s cybersecurity posture. All these tools allow Jones-Heath “to be able to stay ahead of the episode,” she said.
Still, agencies must manage decades-old legacy systems that run key operations, which agencies don’t always completely shut down. Jones-Heath said that, in terms of security on legacy systems, “you have to meet them where they are.”
Jones-Heath said the service layers security measures on Air Force legacy systems. In some cases, she said, nothing can be done to improve the legacy system.
“Then you go and look at the threats. If the intel threat doesn’t give you a picture of ‘is it being attacked?’ or anything like that, then you just monitor it and make sure that as patches come out, you patch,” Jones-Heath said.
Monza said that USCIS has a different approach to the security of legacy systems.
“The job’s not done until the old system is unplugged,” Monza said. He added, “you can’t just keep having browned-out systems left on your network. There’s still vulnerabilities … you have to turn the old systems off.”
Jeanette Manfra, assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency, said the federal government needs to expand modernization beyond the legacy systems and into the entire procurement process.
“We’re trying to talk about it broader — [it’s] also modernizing our policies, our acquisition system … supply chain,” Manfra said. “Lowest price technically acceptable [is] probably not the most secure solutions that you’re going to get.”
She added later, “We’re trying to get everybody to think about, what do we really care about? ... How do we prioritize resources to make ourselves overall more secure and how do we become more flexible and resilient as a government?”
As for the tiny remnants of the USCIS mainframe, Monza said they still sit in his boss’ office to serve as a reminder that systems must ultimately be turned off for agencies to stop worrying about them.