GOVERNMENT CIO OUTLOOK, October 2020, page 9

malicious actors had obtained access to accounts controlling DNS records and made those accounts respond to the actors' infrastructure before relaying data to the real address. By controlling an entity's digital address, malicious actors could obtain legitimate digital certificates and decrypt intercepted data, with everything appearing normal to users. This is roughly equivalent to someone lying to the post office about your address, so that all of your mail is first sent somewhere else--where it can be opened and tampered with--before being hand-delivered to your mailbox by the intruder.

Because of our responsibility to protect Federal systems, we felt an urgent response was required to address the risk. So we crafted a set of actions or near-term mitigations for Federal agencies to take to protect their systems.

The directive also provided our non-federal partners clear actions they could take to better position themselves should they one day be the target of a similar campaign. And even though these partners are not subject to the BODs, the feedback they have provided is clear: "Great work. We're paying attention. Do more."

Industry was also instrumental in the development of BOD 18-01, which directed federal agencies to implement specific security standards widely adopted in industry to ensure the integrity and confidentiality of internet-delivered data, minimize spam, and better protect users from phishing emails appearing to come from government-owned systems. In April 2019, the Internet Society's Online Trust Alliance released its annual report on the security and privacy of more than 1,200 consumer-facing websites. For the first time, U.S. government websites outscored sites from all other sectors. This marked a dramatic turnaround from the previous year, when government sites finished dead last. BOD 18-01 was the driving factor in this turnaround.

And despite its limited applicability to federal agencies, CISA's 'special sauce' is not a secret. We've published the steps taken by the federal government (cyber.dhs.gov) and will continue to promote the approach to all of our stakeholders. Through public-private partnership, we will continue to address the most serious and enduring cyber risks to the United States and our international partners. Working as a team in a 'collective defense' model, we can shift the advantage back to the defender and make the internet a safer place for everyone.

Matt Hartman