Cybersecurity in government is under fire.
Last week, the U.S. government suffered a massive network breach that potentially affected millions of federal workers. That’s after it experienced several other digital security compromises in the last year.
Washington, D.C.-based think tank Brookings Institution has said the government’s focus on cybersecurity in its IT plans is “abysmal.” And even govies themselves concede innovation has been stagnant. Indeed, in a recently released poll from (ISC)2, nearly half of the 1,800 federal workers surveyed reported that security hasn’t improved over the last two years. At the same time, more than two-thirds said they didn’t know whether the Federal Risk and Authorization Management Program (FedRAMP) was having any impact.
With that in mind, about 30 leading government and private sector IT leaders — including chief information, technology and information security officers from a dozen federal agencies, and chief technology officers and executives from a dozen leading IT companies — met at FedScoop’s headquarters last month for a not-for-attribution discussion about the top things to consider as the government mulls cybersecurity, particularly in the cloud.
In all, officials felt optimistic that they could bolster their systems’ defenses. But the challenges remain as agencies face an ever-changing cyber landscape and internal cultural issues that technology may not fix.
“We have lots of money if we stop doing the wrong things,” one government official said when asked about funding constraints.
1. Refine the approach: Assume you’ve been breached.
Several panelists agreed that govies needed to take a closer look at how their agencies are tackling cyber.
For one, federal IT professionals must transition from performing event analysis to user-behavior analysis when faced with cyber threats. One panelist called it moving to a protect-detect-respond strategy. Developing strategies for recovering from a breach is also critical. In fact, agencies have to assume they’ve had a breach, one participant said.
“It’s about how you get the mission back up after the attack. It almost doesn’t matter what you have up front,” he said.
At the same time, cyber criminals need something that would dissuade them from trying to get into the networks. “There’s nothing that makes the bad guy feel that he might want to do something else with his time,” one participant said, speaking about certain government systems.
Panelists also talked about adopting NIST’s cybersecurity framework, a voluntary guide released last year to help organizations improve their cybersecurity, and worried about the lack of adoption of Einstein, the intrusion detection system for the federal government.
They also expressed the need for a way to measure cybersecurity.
2. Improve training and awareness.
Culture can have a major impact on an agency’s cybersecurity stance. That means effective training is a critical component of security.
Several panelists said federal workers need to learn how to practice better “cyber hygiene,” which can be as simple as using stronger passwords and knowing not to click on links in suspicious emails. After all, the weaknesses often lie not in the cybersecurity staff but in the rest of the agency, they said.
Workers also need to understand that compliance with existing security programs, like FedRAMP, does not guarantee security, several participants said.
“It’s a good starting point, but unless you’re doing a risk assessment and mitigations to meet that risk … that’s how you start to achieve a secure environment,” one panelist said.
3. Encourage dialogue.
The panel also discussed how to improve interactions between agencies and contractors. The lack of transparency about the security in place in private cloud systems is holding up some government contracts, one government representative said.
“When you move to a cloud, you get push back from vendors in terms of proprietary systems, proprietary information,” she said. She added, “We know … what the federal requirements are, and we know that we will lose our ability to provide assurance to [the Department of Homeland Security] and [the Office of Management and Budget] that we’re meeting those requirements.”
She added, “There needs to be some dialogue.”
Members of industry said they needed to do a better job explaining to agencies what safety precautions their clouds use.
4. Set realistic objectives.
Agencies need to look at their infrastructure and staff to determine how to most effectively address threats, panelists said.
Several leaders noted that IT offices suffer from limited staff and tools. One participant suggested that agencies should work together to strengthen their cybersecurity stance.
“If agencies could share and not be restricted, a lot of innovation would happen,” one participant said.
Meanwhile, several panelists said that agencies need to have a better understanding of what is feasible.
For one, several people commented that the government was demanding more out of cloud environments than from its legacy systems. “We never really show how bad legacy is compared to how much more secure any professional security industry partner is,” one government official said.
One participant noted that most people think data is safer in legacy systems — a misconception, he said, as the Edward Snowden breach shows.
There’s no doubt, participants said, that existing systems require significant changes.
But that change may not mean moving completely to the cloud. In fact, several panelists said that the government may not be able to move everything over. So, agencies should consider how best to protect a hybrid cloud-legacy environment as they’re developing plans.
As one participant said, we need a “facelift,” not a “lift and shift.”