Sophisticated and invasive cyber surveillance tools, known as spyware, have proliferated in recent years with few controls and high risk of abuse.
As a result, President Biden signed an executive order in March that prohibits U.S. government agencies from using commercial spyware that presents a national security risk and targets U.S. personnel. As the EO notes, “commercial spyware can access electronic devices remotely, extract their content and manipulate their components, all without the knowledge or consent of the devices’ users.”
The growing exploitation of citizens’ and government sensitive data and improper use of surveillance technology, including commercial spyware, threatens the development of an international technology ecosystem that promotes data integrity and the free flow of data and ideas, according to the EO.
To be sure, many of these spyware applications could be malicious, used to launch ransomware attacks, compromise data, or gain intelligence for espionage. Some could be used for legitimate purposes like gathering diagnostic information from a device, and some could be merely annoying. Whatever the case, it is important for information technology and security teams to determine where these tools reside on government and corporate systems and networks.
The biggest challenge for government SecOps teams is understanding what is on their systems and networks. They need a platform that can aggregate information from many sources, using artificial intelligence and machine learning to better understand data and provide a more comprehensive picture of what is really going on in their infrastructures.
Observability is critical to this conversation. A crucial component of stopping cyber-attacks and preventing system disruption is the ability to see across your entire environment. As government agencies move to cloud computing, their IT infrastructures have become more complex. They require unified visibility across different service providers, clouds, apps, devices and platforms.
Although the memorandum provides high-level guidance and definitions for spyware, agency leaders want to know how they can act now to identify and block spyware. SecOps teams should think in terms of short-, medium- and long-term tasks. Here are three steps to consider:
- Understand what is on your network. Network environments are complex and awash in telemetry data that must be analyzed to monitor the health, performance, availability and security of the network and its components. It is imperative that agencies have a platform that understands what is in their ecosystem – from firewalls to laptops – because you cannot act on threats that you do not see. Agencies can monitor their ecosystem with endpoint detection and response (EDR) and extended detection and response (XDR) technology that identifies malicious activity on endpoints. As part of the President’s Executive Order on Improving the Nation’s Cybersecurity, agencies are advised to implement EDR to improve their ability to detect malicious cyber activity on their networks.
SecOps teams can set up an inventory of what is on their networks and monitor devices and applications through a dashboard. Many government workers are connecting to agency networks via mobile devices. If a particular application on that device is sending out telemetry data that suggests it is spyware, SecOps can monitor that data flow. Spyware or other malicious applications can then be blocked and removed from the device.
- Establish a remediation policy. This is most likely done in concert with the first step. If a security team now knows that a piece of spyware is sending out telemetry information, it needs a well-defined understanding of what to do in response. This is especially important because there might be beneficial applications with observability or spyware-like capabilities within them. Agency leaders might not want to be as draconian as turning off that entire application. What they must determine is how critical the application is to their mission and what task it is performing. Perhaps the fix is to shut off certain streams of that data.
- Validate software before it is deployed. The long-term goal is for agencies to be more proactive in making sure that malicious software or vulnerabilities are not introduced to their infrastructure in the first place. To that end, agencies need built-in controls that validate software throughout the software development cycle. For commercial software, a software bill of materials (SBOM) has emerged as a key building block in software security and software supply chain risk management. An SBOM is a nested inventory, a list of ingredients that make up software components. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency is working to advance SBOM by focusing on expanding the scope and operational effectiveness of SBOM, while also promoting the adoption of new tools, technologies and use cases.
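The nested inventory that the third step describes, as an added example that is not part of the article or of any vendor or agency tooling: a constructed, simplified CycloneDX-style SBOM is flattened, checked against a placeholder denylist of components a SecOps team has decided must not ship, and any component lacking supplier or hash provenance is flagged. Component names, versions and the denylist entries are all assumptions.

```python
"""Flatten a nested SBOM and review it against a component denylist.

Added example, not code from the article or from Elastic or CISA. The SBOM
below is a constructed, simplified CycloneDX-style document; names, versions
and denylist entries are placeholders, not real packages or advisories.
"""
import json

# Constructed sample: a nested inventory, as the article describes an SBOM.
SAMPLE_SBOM = json.dumps({
    "components": [
        {"name": "agency-mobile-app", "version": "2.1.0", "supplier": "Example Vendor",
         "hashes": [{"alg": "SHA-256", "content": "placeholder-digest-1"}],
         "components": [
             {"name": "telemetry-sdk", "version": "4.7.2", "supplier": "Example Analytics",
              "hashes": [{"alg": "SHA-256", "content": "placeholder-digest-2"}],
              "components": [
                  # Transitive dependency with no supplier and no hash.
                  {"name": "hidden-uploader", "version": "0.9.1"},
              ]},
             {"name": "crypto-lib", "version": "1.4.0", "supplier": "Example Crypto",
              "hashes": [{"alg": "SHA-256", "content": "placeholder-digest-3"}]},
         ]},
    ]
})

# Placeholder denylist: (name, version) pairs that must not be deployed.
DENYLIST = {("hidden-uploader", "0.9.1")}


def flatten(components, path=()):
    """Yield (path, component) for every component at any nesting depth."""
    for comp in components:
        here = path + (f"{comp['name']}@{comp.get('version', '?')}",)
        yield here, comp
        yield from flatten(comp.get("components", []), here)


def review_sbom(sbom_json, denylist=DENYLIST):
    """Return (finding, dependency path) tuples for denied or unprovenanced parts."""
    findings = []
    for path, comp in flatten(json.loads(sbom_json).get("components", [])):
        where = " > ".join(path)
        if (comp["name"], comp.get("version")) in denylist:
            findings.append(("denied", where))
        if "supplier" not in comp or not comp.get("hashes"):
            findings.append(("no-provenance", where))
    return findings


if __name__ == "__main__":
    for kind, where in review_sbom(SAMPLE_SBOM):
        print(f"{kind:14} {where}")
```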
Continuous monitoring through observability
Our adversaries — in this case, cyber-criminal organizations and nation-state actors — are relentless, constantly developing new techniques to steal sensitive data, attack the software supply chain, and target critical infrastructure. Agencies must keep up with the latest cybersecurity technology and continuously monitor their infrastructure for spyware and malicious activity to be effective in the long term.
This is why observability is so critical. SecOps teams must be able to determine what is blatantly spyware. The software is probably sending out specific information and capturing data. All of this data — application, network and device information — must be correlated and analyzed for a better understanding of what is going on within the entire IT infrastructure. Ultimately, DHS’ Continuous Diagnostics and Mitigation Dashboard, which integrates observability data into a centralized view where it can be correlated, provides a foundation that helps the entire federal government’s ecosystem.
George Teas is vice president of public sector solutions architecture at Elastic.