Comment from email: American Technology Council Request for Comment - Level 3 Communications Response

[konklone]

Good Afternoon,

Level 3 Communications is pleased to provide the attached response to the American Technology Council Request for Comment. We appreciate the opportunity the council has afforded industry to address IT Modernization and look forward to continuing to support your efforts.

Best Regards,

Meg Coker Director, Capture Management Level 3 Communications Level 3 - ATC RFC Response to Questions.docx

[konklone]

[Inlining a best-effort version of the attached comment below. If there were links in the original, they are not maintained in the below version. Download the original attachment in the issue above to see the original comment.]

---

American Technology Council (ATC) Request for Comment (RFC)

Introduction

Level 3 Communications, Inc. (NYSE: LVLT) is a Fortune 500 company that provides local, national and global communications services to enterprise, government and carrier customers. Level 3's comprehensive portfolio of secure, managed solutions includes fiber and infrastructure solutions; IP-based voice and data communications; wide-area Ethernet services; video and content distribution; data center and cloud-based solutions. Level 3 serves customers in more than 500 markets in over 60 countries across a global services platform anchored by owned fiber networks on three continents and connected by extensive undersea facilities.

The report is well thought out and comprehensive in scope and vision of efforts to transition to a modern secure enterprise.  It does a very good job in encompassing needs at scale, trimming and DE duplication of capabilities and focus on cloud and mobile incorporation and allowing for a software defined perimeter based approach to data security.

As a GSA Networx contract holder and follow on EIS contract holder, Level 3 offers the following responses to questions for the American Technology Council (ATC) Request for Comment (RFC).

Key Questions and Answers

1. What are major attributes that are missing from the targeted vision? (Appendix A, Appendix B)

Level 3 Response:

Appendix A comments:

A. Supply Chain Risk Management:

We recommend the inclusion of Supply Chain Risk Management respective to software and hardware assets, in accordance with NIST SP800-161.

B. Compliance:

We recommend the inclusion of compliance with 32 CFR part 2002. This will incorporate recommendations of NIST SP 800-171, which includes specifications for encryption of data at rest and data in motion.

C. User Access, Group Policies and Controls: 

Next generation layer 3 security is further strengthened through real time user access and control policies in use in security next generation security concepts as apply to software defined perimeter.  Furthermore it allows for better enrichment of user activity with respect to data access and can help to determine attempts at unauthorized access, or improper use of credentials.  Standardization of user access and controls that are incorporated into various business processes enable layer 3 software defined perimeter operationally which results in real-time detection of breach attempts. While this is discussed in the foundational capabilities in Appendix A when recommending least privilege and multifactor authentication, it warrants further definition in order to obtain the proper conditions when looking at further applying principles of Nash Equilibrium such as in the proposed pilot in Appendix D.

D. Continuous Digital Foot printing of external facing assets and third party dependencies:  

An added attack surface that has not been considered in the holistic modernization is basic inventorying and continuous monitoring of external facing digital assets such as websites, third party embedded code (SaaS), expired web certificates and external facing cloud, VPN, and other web facing applications.  Most advanced and persistent cyber attacks culminate outside an enterprise control point such as man in the middle and shadow domaining.  Incorporating awareness in the threat posture by subsuming this capability within NCPS or other function will greatly enhance visility and integration into process workflow of anomalous asymmetric cyber behaviors and it is the awareness required to properly answer the next iteration of protection questions that will arise after modernization has been achieved. This is a crucial component in understanding and trimming attack surface, heartbleed being a famous example.  When a third party component was discovered to be vulnerable, there was no current inventory of dependencies which resulted in sever lag time to patch the vulnerability.  Given this pertains mostly to web-based systems, external sites and web-facing SaaS and IaaS plugins this may be addressed elsewhere, but it is timely for it to be included in this conversation.

E. Business Process Mapping:  

This process illuminate common and like functions in agencies to illuminate areas to streamline, further enhance perspective in cyber vulnerabilities, and sets the stage to answer the next order of questions. To ensure outcomes and set the stage for continuous improvement, business process mappings of agency workflows and patterns should be included in the discussions to provide more granularity, and to answer next order security questions such as recovery capability in the event of an outage, or more identify other areas to streamline and gain metrics of effectiveness.  Since IT and program assessments are already occurring, going one step forward and having a living business process map developed concurrently allows for better insight into next level innovations.  This will also illuminate the risk posture of user access and other 2^nd^ and 3^rd^ order questions for which the stage can be set given the scale of the undertaking.  This should include measurement of uptime and scheduled maintenance to enrich secondary and tertiary planning.

F. Continuous Exercises to test remediation, response and recovery capabilities of High to Low Value Assets and of business processes:

Currently this initiative will help to raise the bar in security, but will not eliminate threats altogether.  There should be national level exercises to continuously advance the usage of security technologies and response capabilities in order to ensure a resilient and effective cyber production and information sharing environment.  Furthermore there should be manual processes identified that can enable functioning in the event of an outage of critical assets.  This may be an outside the scope recommendation but essential in maintaining resilience and identifying unnecessary dependencies.

Appendix B comments:

G. Government-Wide Visibility and Classified Indicator: We agree it is possible that the detect components of EINSTEIN^1^ and EINSTEIN^2^ may be accomplished using existing Commercial-Off-The-Shelf (COTS) technologies. Copies of NetFlow, Syslog and other related cyber event information could be forwarded to DHS for post-event analysis. In addition to classified indicators, EINSTEIN^3^ components perform levels of protection (e.g. DNS sink holing, email filtering). It is our opinion that EINSTEIN^3^ (E^3^) services must continue to function as they are currently (inspect, detect, protect). It is expected that DHS has metrics detailing the efficacy of classified indicators. We believe the ATC should receive related information from DHS prior to making a decision to discontinue the use of classified indicators.

H. Proportionate Security: While generally not considered to be a HVA, email will continue to be a considerable target of cyber hacking. Phishing schemes, DNS based malware and infected attachments are perpetuated via email. It is expected that there will be cases where DHS will continue to have classified indicators of an email attack pattern and that email flows should continue to be processed by E^3^ or E^3^ equivalent systems – including the capability of utilizing information provided by classified indicators to identify cyber threats imposed through email.

1. What are major attributes that should not be included in the targeted vision? (Appendix A, Appendix B)

Level 3 Response:

No comment.

1. Are there any missing or extraneous tasks in the plan for implementing network modernization & consolidation?

Level 3 Response:

A. Cross Reference Initiatives, Compliance and Objectives: A matrix of existing guidance and documentation from OMB, NIST, DHS stated within the report should be included to cross reference initiatives, compliance and objectives.

B. Allowance for Next Generation TIC technologies under NCPS and MTIPS: There should be allowances for next generation Trusted Internet Connection technologies in which more than one TIC exists (up to 5) in various regions in order to accommodate increase in traffic from use of cloud and virtualized applications.  In the next generation TIC model, the 5 TICs act as one, and are updated simultaneously increasing performance, load balancing, efficiency and security.

4. Are there any missing or extraneous tasks in the plan for implementing shared services to enable future network architectures?

Level 3 Response:

As the government looks to reduce costs and streamline efficiencies, shared services can appear to be the best way to realize those goals. However, while the shared services model supports common applications that can span across agencies such as email, it is important to not lose sight of the following when assessing the shared services approach.

A. Mission and Requirements: Agencies have differing missions with different requirements that can make it a challenge to provide a one size fits all service.

B. Shared Services: Operationally, shared services can leave the agencies removed from the support structure of the shared service.

C. Standard Operating Procedures: Standard operating procedures are a necessity for the management of the shared service.

D. User Access: User Access and group policy and Business process mappings to define parameters and levels of access, measurement of access and user behavior juxtaposed to access to applications and data sources.  

E. Digital Footprint: Digital footprint that maps external dependencies of web facing or connecting assets to enrich the actual attack surface area for the basis of completing the threat picture and trimming digital facing attack surface (i.e. abandoned sites, like domains, website certificate expirations, and third party code such as WordPress, or other plug-ins).  This is ever more necessary as a foundational capability as agencies migrate to the cloud.

4. What is the feasibility of the proposed acquisition pilot?

Level 3 Response:

A. Email as a Service Pilot: The Email as a Service pilot seems to be an example of ‘low hanging fruit’ that has been successfully instituted within branches of DoD. Using the bulk acquisition of email licenses creates a management requirement, perhaps with GSA as the administrator/controller of licenses and negotiator of license pricing. The duration of the pilot may not provide insight to long term price erosion of email licensing trends.

B. Cloud Infrastructure Fundamentals: The pilot does not address the wider cloud infrastructure fundamentals presented in Item 1 of the Implementation Plan, nor does it address security concerns we have identified in Question 1.

C. Nash Equilibrium: To summarize, applying Nash Equilibrium will naturally rally the market to apply standardized cloud based email solutions while preserving whole of government volume discounts. If the proposed pilot’s goal is to lower the cost of deployment to cloud based email while maintaining security standards without paying additional cost, then it will work well. The question becomes how does this balance out intermediary functions such as DMARC implementation and user access control issues, or other technologies that enrich identity to prevent fraud in email usage. 

6. Additional Information:

A. In Summary: In order for the government to successfully apply forward modernization to leap ahead innovations and security within the civilian computing paradigm is to begin simultaneously a continuous study of its entire attack structure. This report does an excellent job of addressing the current visible issues of next generation devices, mobile, cloud adoption, encryption, and data level protections and prioritization. We believe in order take advantage of leap ahead technologies (as opposed to like for like transition under EIS) that there must also be focus on Software Defined Perimeter capabilities that add layer 3 protection and additional level of multilevel authentication tying permissions to a device. In order to do this, or other levels of increased security and visibility need to be applied. There must at the same time be attention paid to the three new concepts we introduced overall in our comments being:

• User access, group controls, and permissions.

• Continuous mapping of internal devices, external facing websites, third party dependencies, and other internet facing and related assets (such as like domains).

• A system for continuous business processing and workflow mappings in order to have a foundation to garner the next generation of efficiencies and security, while illuminating the data flows of today to ensure as complete visibility and protection as possible on the enterprise while looking for opportunities to automate.

B. New Contracting Tools to Jumpstart Federal IT Transformation

By David Young

Discussions about the nation’s critical infrastructure usually focus on aging networks, some more than 50 years old. A most stunning fact was highlighted in a recent a Government Accountability Office report, which revealed some Defense Department control systems still use 8-inch floppy disks to store data related to nuclear operations.

Government efforts to modernize the information technology infrastructure have been going on for years, yet many agencies continue to spend the majority of their IT budgets on legacy technology. The Department of Homeland Security (DHS) has designated November as Critical Infrastructure Security and Resilience (CISR) month to raise awareness around these essential systems.

Procurement evolution\ As of April, federal agencies had bought \$1.03 billion in network and telecommunications services under the General Service Administration’s (GSA) Networx, a contract vehicle introduced to help agencies access a broad range of domestic and international network services. It helps agencies buy the latest in networking technology while keeping costs down. While Networx provides agencies a foundation to modernize IT infrastructures, it was drafted a decade ago and now cannot satisfy all agency IT needs.

Enter Enterprise Infrastructure Solutions (EIS), the GSA’s follow-on contract to Networx when it sunsets in 2020. EIS will debut in 2017, giving agencies a three-year window to make the transition. It promises to open doors for agencies, including access to cloud and expanded security services—two areas critical to the future viability of government agencies.

Transformation versus transition\ EIS also will provide an important opportunity for government agencies and critical infrastructure: a chance to transform IT to handle the many demands of modern society while future-proofing technology. Currently, many agency networks are a patchwork of old and new systems, cobbled together in a way that makes them ripe for a number of issues, from poor security to lack of efficiency and often, terrible end-user experiences. With EIS, agencies could do a like-for-like transition, substituting old technology with new, an approach that can result in a smaller upfront investment and let federal IT managers bring network technology into the 21st century.

The advantages of transforming technologies during the EIS transition period are tremendous:

• GSA provides a number of support resources to help agencies implement new technologies.

• It has established an ample three-year window for the transition from Networx to EIS, giving agencies plenty of time to buy and implement newer network technologies.

• If they transform now, agencies can minimize the impact on end users by reducing future needs for a technology refresh.

Network technologies every agency should have\ What might transformation look like? It will vary by agency, but a few key network technologies every agency should employ include:

• Ethernet: Many agencies still use TDM/SONET for data transmission, which comes with a number of drawbacks, including lack of scalability to meet fluctuating bandwidth requirements. Ethernet has a flexible infrastructure that can scale bandwidth between 1 Mbps to 10 Gbps without the need for new equipment.

• Network-based security: Just as cyber-attacks have become more prevalent and sophisticated, so have security tools. EIS can take advantage of available advanced security services, with particular importance placed on cloud-based network security programs.

• Cloud computing: Agencies produce and store a colossal amount of data and no longer can rely on data centers and more personnel to manage it all. An emerging number of cloud options meet the rigorous security demands of the government. This is perhaps why some are speculating government agencies are adopting cloud at a faster rate than corporate America.

Critical infrastructure is only as good as its IT infrastructure\ A chain is as strong as its weakest link, and the same is true of the 16 critical infrastructure sectors. Think about this dichotomy: Smartphone users update the software almost quarterly, yet systems responsible for keeping the lights on, the water running and protecting society still run on what many consider ancient technology.

Given their importance to our overall well-being as a nation, officials must be vigilant in examining every single nut and bolt of critical infrastructure operations. Agencies with patchwork quilts of various hardware, software and connectivity solutions are at a much greater risk for security and reliability issues. It’s essential agencies take advantage of the EIS contract vehicle when available next year.

David Young is regional vice president over the Government Markets Group at Level 3 Communications.