Network Firewalls, Network Access Control
What's Happening with the Trusted Internet Connection?
As of three years ago, an estimated 8,000 access points existed between federal networks and the Internet. TIC, instituted by the Bush administration in 2007, originally aimed to reduce the number of connections to about 50. The basic concept behind TIC is that by drastically reducing the number of Internet access points, the government could more easily monitor and identify potentially malicious traffic.
But Matt Coose, director of federal network security at DHS's National Cybersecurity Division, said in an interview with GovInfoSecurity.com (transcript below) that a more realistic goal is about 80 Internet connections. Coose said about 50 access points had been certified by DHS by late February. Still, as of late February, more than 2,000 non-compliant Internet connections still feed into federal networks, he said.
Why will the federal government end up with more TIC access points than originally foreseen? Coose said the growth in government systems and applications as well as increased Internet use by federal employees is behind the higher number. But the point of TIC isn't about a specific number of access points, he said, but the fact that the government is significantly consolidating its Internet connections.
"The strategy with TIC was to define a manageable number of access points, get those in place across the various agencies, and then just begin reducing and consolidating the external connections to run through those access points," Coose said.
In the interview, Coose:
Coose, a West Point graduate and former Army captain, was interviewed by GovInfoSecurity.com's Eric Chabrow.
ERIC CHABROW: The Trusted Internet Connection, or TIC as it is commonly called, is an initiative to reduce vulnerabilities in government IT systems, in part, by drastically reducing their network connections between federal networks and the Internet on the theory that fewer connections make it easier to monitor potentially damaging traffic. For those of who aren't familiar with the Trusted Internet Connection initiative, please take a few moments to tell us about it.
MATT COOSE: Your introduction was pretty much on the money. We are looking at reducing and consolidating external Internet connections, establishing baseline security capabilities, exits, access points, and then we have got a compliance function to go out and actually validate those activities that are occurring across the federal executive branch departments and agencies.
CHABROW: TIC was started in November 2007 by a directive by President Bush, is that correct?
COOSE: That is correct, yes.
CHABROW: At the time, how many Internet connections were there and how successful been in reducing those connections?
COOSE: Well, it's interesting that you started with that because one of the things that we are trying to get folks to focus on is a little bit less on the actual number of connections. I am sure, you know, bandwidth utilization is growing over time as more applications and systems come online with Internet Protocol version 6 [next generation Internet] and some of those things, so we are really focusing on more of a consolidation aspect. The strategy with TIC was to define a manageable number of access points, get those in place across the various agencies, and then just begin reducing and consolidating the external connections to run through those access points.
CHABROW: Still, I have seen figures as high as 8,000 points of entry to the Internet, these are for civilian agencies, correct?
COOSE: Right, executive branch agencies.
CHABROW: And were there about 8,000 back in 2007?
COOSE: That precedes my time here but I do think that is probably in the ballpark.
CHABROW: The initial goal was to get down to 50; I know you don't want to concentrate on numbers. Now I hear that perhaps the government would be satisfied with 100 and I do want to get to the other aspects of TIC, but I would still like to know how many TIC connections are there now?
COOSE: Currently, there are 50 approved access points across the 110 federal executive branch departments and agencies. We are in the process of refining that number. We are accepting requests from agencies that need more and we are vetting those and reviewing those for feasibility. You are right, I think at the end of the day we will end up between 50 and 100, and I think we are right about the 80 number right now and we need to continue to draw that consolidation over time.
CHABROW: Though there are 80 now there are still other non-TIC connections that still exist, is that correct?
COOSE: Correct, yes.
CHABROW: So you have any idea of how many there are or not?
COOSE: We have looked at several sources. We are collecting from directly agency input to our contracts and some of that stuff, the ballpark, and again this is why this isn't an exact science because circuits get ordered kind of every day, but I would say in the ballpark of the mid-2,000s.
The other problem with that is because, as you know, we are in the process of migrating from the older FTS contracts for telecommunication services to the Networx contract that General Services Administration has put in place. What we are seeing is as agencies migrate, orders are getting cancelled and reorders for a different vendor are on a daily basis. At the end of the day, the goal is to get everybody on the Networx and get them routed through those approved access points.
CHABROW: Is there a timetable when you expect to see all agencies using TIC?
COOSE: My estimate is that by the end of the calendar year 2010. There are a lot of complexities as you can imagine with 110 different departments and agencies and the networks that the have, there are always going to be some anomalies, but in general I would say by the end of calendar year 2010 I would expect that we would be close to 80 percent in place seeing traffic from the 110 different departments and agencies; 20 percent is going to be over time we have got to figure out the anomalous networks and how we are going to address those.
CHABROW: Let's talk a little bit about how does TIC work. How do agencies connect to a TIC? Where are these TICs located? Who manages the TIC?
COOSE: There are two models really for agencies to participate in the initiative, really there are three but the third is a combination of the first two.
One is to be a TIC Access Provider (TICAP). In that case, primarily the larger agencies will establish their own access points, their own TICs. They will stand them up; they will run them; they will monitor them, and they will have their own internal SOC (security operating center) and NOC (network operating center) functions.
The other model is what we call seeking service agencies, primarily the smaller agencies. And the way that they participate is they will go through a TICAP who is a multiservice provider so there is one TICAP that is offered to provide service to other agencies, or they will go through one of our MTIPS vendors, that is Managed Trusted Internet Protocol Service, those are the network vendors that offer MTIPS services.
CHABROW: Let's talk a little bit about the evolution of the Trusted Internet Connection in critical security capabilities terms of what needs to be done. For example, I believe there are 51 that need to be implemented?
COOSE: TIC 1.0 architecture, which is the current architecture, there are 51 critical capabilities that lay out really NOC-SOC functions that need to be implemented at the TICs. We found that architecture was done with an interagency group a year or two ago, and then we have got a compliance person that goes out onsite and assesses whether or not those capabilities have been stood up. Agencies have made significant progress to date on doing that; again, these are the TICAP agencies. The ballpark average I think has been about 80 percent across the board of the 12 TICAPs that we have done onsite compliance assessments for to date, but about 80 percent of the 51 capabilities are in place so that is kind of across the average of the agencies that we looked at.
Back in September 2009, about three agencies that we have looked at had told us they have 100 percent of the 51 in place, another nine had said they have 90 percent or more of those capabilities in place and another three have said they have got 80 percent or more. So, very good progress in terms of he agencies that are implementing TICs out there and standing up those capabilities.
CHABROW: Can you describe what some of these capabilities are? Are the simple? Are the complex?
COOSE: They range. Some of them are managerial in terms of you have got to have a SOC capability that is staffed 24x7 with qualified resources, others get into more technical filtering of inbound/outbound SMTP messages, so it kind of runs the gamut. Some of them are highly technical and some of them are more kind of functional and managerial censure that NOC-SOC capabilities are in place.
CHABROW: Some of these involve Einstein, which monitors traffic coming into the government, as well as the with the U.S-CERT, is that correct?
COOSE: Correct. Yes, one of the 51 actually is deployment of Einstein II.
CHABROW: Just for those who may not be familiar, what defines Einstein II from the original Einstein and then a third version coming out, too?
COOSE: Einstein II is the advanced intrusion detection capability. Einstein III is more of the proactive intrusion prevention.
CHABROW: Is that something that could eventually be added down the road?
COOSE: Absolutely. That is one of the points that I wanted to make with you is that as you know, threats evolve on a daily basis so we realize that we have got to keep this dynamic and so we have got working groups in place. I keep mentioning TIC 1.0 architecture; we are about half way through the development of the TIC 2.0 architecture. Data Cross, the interagency working group that has met several times this year and has got planned meetings for the next couple of weeks, to develop a 2.0 architecture that is just going to incorporate a few more critical capabilities because we want a mature the baseline of things we have put in place to that end.
CHABROW: Can you give an indication of what some of these more critical capabilities will be?
COOSE: I don't want to talk to that yet because it is still in a working group at this point, but if you look at the different threats that you are seeing that is definitely a large source of input for us and how we kind of develop the defensive capabilities we want to put in place.
CHABROW: You say there is a working group at the agencies, is the White House involved either through the Office of Management and Budget or the new Cybersecurity Coordinator Howard Schmidt?
COOSE: We have been working very closely. Howard has actually been very active as well as Federal CIO Vivek Kundra. So we do work very closely on all of the DHS initiatives with those two leaders. We are basically partners in these efforts across the board.
CHABROW: How do you know if TIC is working to help secure government IT?
COOSE: One of those things that we are really enabling here is situational awareness across the federal enterprise. The Einstein 2 deployment, all that information feeds our U.S.-CERT organization, which is the operational arm of NCSD. It has been apparent to date, we've increased the traffic that they are seeing quite significantly through the TIC initiative, but we are seeing a lot of activity and we are able to reach out to NOCs and SOCs now that those capabilities are in place to help mitigate what we are seeing out there. By being able to see from an enterprise perspective what is going on, we are able to more proactively warn the other agencies that may not be having the activity yet that it is coming so they can take appropriate steps. I think that is a really good indicator that security posture is increasing and we are actually improving the security of the federal government.