The key to preventing another catastrophic federal systems breach is greater commitment to cybersecurity from federal workers, IT officials said Tuesday.
Despite the fallout of the recent breaches at the Office of Personnel Management that compromised the personal information of more than 22 million federal employees and background check applicants, cybersecurity in some aspects is beginning to get the organizationwide attention it deserves, from entry- and mid-level employees to the senior leadership, federal IT executives said during a pair of panels at AFFIRM’s Cybersecurity Summit.
“We just haven’t learned basic cyber hygiene,” said Donald Davidson, chief of outreach, science and standards in the Defense Department CIO’s Office. Since the OPM hack, DOD is going back to basics for cybersecurity, he said, which means focusing more on user cyber hygiene and discipline — like using stronger forms of authentication, and learning to recognize and avoid phishing attempts. “We’re not doing the basics of cybersecurity well in lots of ways.”
The federalwide cyber sprint ordered by U.S. CIO Tony Scott after the breaches were made public “brought to my entire department’s attention that something is going to have to change,” Transportation Department CIO Richard McKinney said.
“Everybody is part of that,” McKinney said.
Though cybersecurity is often equated to a technical skill reserved for IT security teams, if federal employees accessing networks every day aren’t educated on possible threats, they become easy targets, the panelists said.
“People are our biggest challenge at the end of the day,” Treasury Department CIO Sonny Bhagowalia said. “We’re only as good as the individual users, not just the cyber defenders. Professionals know what’s going on, but we’re busy.”
“History teaches us that a lot of times it’s the basic techniques someone has to block against,” he said. “We’ve got to make sure there is cyber hygiene and all of the training that goes with it.”
For that reason, McKinney said, during the sprint he blocked department personnel who did not use a personal identification verification card from logging on to the network. By doing so, he boosted his agency’s use of strong authentication for system access to 100 percent.
“All of the sudden, something that was so hard was doable in a short period of time,” he said.
McKinney said it helped that he received backing from high-ranking department officials. Many fellow panelists agreed that was critical for improving cybersecurity.
“This change in upper management focus is really the thing we need, because the techies know what needs to be done. But they can’t get that management backing,” said Randy Marchany, chief information security officer at Virginia Tech.
While many chalk up the breaches to technical shortcomings like missing patches, Thomas DiBiase, deputy CISO at the Department of Homeland Security, said agencies need to be more focused on “reinforcing to our senior executives that they have responsibilities in regards to protecting the systems and information.”
In the wake of the OPM breaches, said Ben Scribner, director of DHS’ National Cybersecurity Professionalization and Workforce Development program, “I’ve seen amongst CFOs and others that cybersecurity is part of their enterprise risk management considerations, and I think that will help us going forward in the future to be more proactive.”
Progress is being made, several panelists said — it’s just a matter of looking at it in a positive way, like the fact that the federal government is blocking “millions and billions of access attempts, successfully,” Bhagowalia said.
“We’ve actually made a lot of progress in a lot of areas,” he said. However, the federal government is held to “the highest standards in the world; others are not.”
“They only have to be right 1 percent of the time” with their attacks, Bhagowalia said. To defend against that, “with all the laws and the two-year cyber budget time and all the things that we’ve got to do, we’ve got to be right 100 percent of the time.”