Politics
Barney changed USCIS’s cyber culture by putting the user first
Shane Barney knew he had successfully changed the culture at the U.S. Citizenship and Immigration Service when it was time to debate the next year’s budget.
Barney, who left USCIS in May after serving the last almost seven years as the agency’s chief information security officer, said when the agency program offices fully funded his request for zero trust capabilities, he knew a transformation had occurred.
Shane Barney was the chief information security officer at the U.S. Citizenship and Immigration Services in the Homeland Security Department until May.
“When the zero trust executive order first hit under the previous administration, it was a huge cost to federal agencies. The day that they were discussing the funding needs that we had for zero trust, and they were significant. I mean, they were tens of millions of dollars, I couldn’t be there. I couldn’t advocate for it. I was out of the office, and I was really worried about it,” said Barney, who now is the CISO for Keeper Security, for an exit interview on Ask the CIO. “Well, the directorate heads decided ahead of time that zero trust was the most important thing for the agency to be doing. They had all allocated all the money I had asked for without me even being present or even defending it. That’s when I knew we had done something right.”
Barney called his boss, then USCIS chief information officer Bill McElhaney, and asked what happened at the meeting.
“He said, ‘You got all the money.’ And I was like, ‘What do you mean? I got all the money?’ We weren’t even there. He goes, ‘No, it was actually decided before the meeting even started. In fact, it was never even discussed. It was assumed,’” he said. “That told me everything I needed to know about where the culture of the agency was. They valued security so much that they understand the connection between what the business is trying to accomplish, and the importance of securing that at the same time, and it sold itself. I think part of me actually knew at that point that maybe my time at USCIS was probably coming to an end.”
Barney said he believes the program offices understood the value of security because USCIS was both an early adopter of zero trust concepts and because the agency survived a potentially catastrophic cyber incident.
A cyber incident wake-up
In 2015, a USCIS developer turned on one of its Amazon Web Services storage buckets in the cloud and made the data inside the bucket public instead of private. Barney said this mistake can be a common issue among security incidents, but in USCIS’s case, it meant potentially exposing 500 million to 600 million records.
“We just had to prove that yes, it was made public, but no one accessed it during the time that it was public. That was difficult because we actually hadn’t really turned on the logging necessary for us to do that. So lesson one was to get better about logging then. Then we started looking at it in detail, and I’ll never forget it, it’s 2:30 in the morning and I get a phone call from one of my security analysts and he goes, ‘Shane, listen, we didn’t really look at this as careful as we should have and yes, they made the bucket public, but they never changed the record settings themselves.’ So yes, you could go to the public record, and look at it, but the records themselves were still marked private, so you couldn’t see them. You couldn’t even know they were there,” he said. “We were actually secure without realizing we were secure. So it was a really important lesson for us in as we were pushing into the cloud.”
In the after-action report, Barney said USCIS realized how this potential incident happened and started applying automation to make sure it wouldn’t happen again.
“We just started developing in Python, and basically it was a simple script that scanned our enterprise at lightning speeds. If it found we had 20 public records, we had 20 buckets that were supposed to be public. If it wasn’t listed as one of those, it would automatically shut it off,” he said. “It was the first sort of a-ha moment for security automation for us. It dawned on us that the power of the cloud was automation. If your infrastructure is code, then your security is code too, and I literally changed the contract for my security operations center (SOC) made them all go out and become programmers, and we started building automation. We would automate it to the point where, yeah, we got an alert that something happened, but it’s already been taken care of and we moved on because if we know that something is a risk, and in this case making data public, I can automate against that risk, then I have an obligation to do that. If I do that, that means that my analysts and my SOC no longer have to watch for that, and they can move on to something else, and that became our driving force.”
Around the same time, USCIS was moving systems and applications into the cloud and Barney said the use of zero trust principles just made sense, including single sign-on as the foundation of identity management for the cloud services.
“You have to carefully align what you do as a cybersecurity program to what the end user goals are because if you create an environment that’s so restrictive and so difficult for them to do their jobs, they’re going to find workarounds, and those workarounds are going to introduce risk that you’re not even aware of, and it creates problems,” he said. “You’re better aligning those two, and even if you have to meet in the middle somewhere and give a little bit of a compromise on the security side, so you can meet the end users’ goals, that’s okay. That actually is going to get you further and give you more benefit back into the organization than you would have if you just forced your heavy handed security approach.”
Next challenge: Network segmentation
As for USCIS’s zero trust progress, Barney said the biggest remaining challenges remain around securing the network and the data.
The goal, he said, is to get the network under control through proper segmentation and proper transactional monitoring and controls.
“It is very, very, very, very difficult to do, and even more difficult, and if not bordering on impossible, but coming darn close is getting your data under control,” he said. “Now at USCIS we’re not unique with the data the hallmark of what they did, the organization that handles all the administrative side of immigration, on any given day, they’re interacting with 16 million or 17 million people around the world, and all their information was electronic at that point. All that information had to be correlated and brought under sort of an umbrella of zero trust, and in the zero trust world, and that means you’ve got to create meta tags around everything that you’re doing, and then those meta tags have to be correlated with sort of a central dictionary. That dictionary has to be maintained and updated, and if you make changes, those changes have to be able to ripple across your entire data verse and that’s very, very, very difficult stuff to do. So when we put forth our budget, the vast majority of the money that we were asking for at the time was to fix the networking piece and to fix the data piece.”
Barney said while USCIS still has a ways to go to meet all the requirements of zero trust, he’s leaving the agency in a good place.
One of the things he did before he left was changing the USCIS’s focus from managing risk to being intelligent about risk.
“Not all risks are created equal, and you need to understand when something is far more important for you to focus on, even if it’s not a higher or critical but it’s a bigger threat to your organization. That’s being intelligent about risk, and that’s the one thing we were just starting to try to drive forward,” Barney said. “It’s very, very difficult to do because it’s a data intensive activity. You need good cyber threat intelligence to make sure that you’re making good decisions corporately. Something we started doing, and we’re doing better at, was more of a threat hunt based culture. Part of our drive for automation was to get rid of the screen people watch for something to go red and alert then, and driving more of an automated approach to not just the alerting and monitoring piece, but also the entire incident response process.”
The post Barney changed USCIS’s cyber culture by putting the user first first appeared on Federal News Network.
