Responsible concern
The Homeland Security and Governmental Affairs Committee report is certainly concerning, yet not surprising given the recent exponential escalation of cyberthreats, in particular ransomware attacks. The last few years have presented challenges to agencies that were not considered or anticipated in the government’s cybersecurity planning and execution efforts in 2019. A couple of recent events have accelerated these issues.
First, a global pandemic forced hard problems to be solved very quickly. The necessity to move rapidly to unplanned remote workforce models increased the security problem. Second, cloud adoption significantly increased during and post-COVID to further exacerbate cybersecurity challenges. Data is everywhere and hard to track. Designing a comprehensive data security program is a difficult task to begin with, let alone building one under duress. Still, that is not an excuse for where the report suggests we are today.
What should federal agencies do better?
The report identified six major recommendations, ranging from an Office of Management and Budget (OMB) memorandum prescribing a risk-based model to budgeting to leveraging more shared services models. These are all great fundamental observations and recommendations.
Implementing a Zero Trust architecture is a way to make significant inroads against cybersecurity challenges. The National Security Agency (NSA) defines Zero Trust as:
“...a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries. The Zero Trust security model eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture via real-time information fed from multiple sources to determine access and other system responses. The Zero Trust security model assumes that a breach is inevitable or has likely already occurred, so it constantly limits access to only what is needed and looks for anomalous or malicious activity. Zero Trust embeds comprehensive security monitoring; granular risk-based access controls; and system security automation in a coordinated manner throughout all aspects of the infrastructure in order to focus on protecting critical assets (data) in real-time within a dynamic threat environment. This data-centric security model allows the concept of least-privileged access to be applied for every access decision, allowing or denying access to resources based on the combination of several contextual factors.”
If every agency is held accountable at the executive level—along with a timeline and budget implications against the adoption of a comprehensive Zero Trust architecture—then federal government agencies may make measurable progress. The National Institute of Standards and Technology (NIST), Department of Defense (DoD) and the Department of Homeland Security (DHS) are now fully endorsing the Zero Trust model, so it comes down to execution at the department and agency levels.
Budgets are always an issue when speaking with department and agency executives. Let’s be clear, government cybersecurity environments are very complex due to years of technology sprawl and integration and deployment challenges, and skilled labor shortages don't help. As federal cybersecurity supply chain vendors, we need to apply what we’ve learned over time by establishing SLAs and performance-based contract budgets and incentives to help improve the overall system. If the government is as highly motivated as its vendors, the government cybersecurity system will improve.
We’re on a better track
With setbacks, we tend to rise to the challenge. The good news is that the U.S. government, via The White House Executive Order on Improving The Nation’s Cybersecurity, has acknowledged the areas of federal cybersecurity that should be prioritized by agencies. It’s not only descriptive in its guidance but is also prescriptive and aligns well with what the government’s cybersecurity authoritative sources (NIST, NSA, DoD, DHS, etc.) have been promoting for quite some time. The key theme going forward will be implementation of data security-focused Zero Trust architectures, which NIST, NSA and the DoD have been very vocal about for a while.
Once the best practices defined by the authoritative sources are deployed, the federal cybersecurity ecosystem will be in a much better state. However, time isn’t on our side. Cyber adversaries don’t have to deal with congressional approvals, political agendas, bureaucracy, budget issues, etc. As has been said by many in the industry “the adversary only has to be correct once while the defender has to be right every time.” We must change the narrative to make it more difficult for adversaries to attack our infrastructure, and if they do attack, we must have well-defined consequences.
Federal cybersecurity vs. private sector cybersecurity
We hear this question often: Is the federal government more secure than the private sector? It depends on the department or agency and to whom you are comparing them to in the private sector. One can argue that the U.S. federal government sustains more cyberattacks than any other single private sector entity in the world. Then again, if you break it down by department or agency, your mileage may vary. Every department or agency has a different level of maturity in its cybersecurity defense operations, various technologies, and skill sets. The financial sector typically has the best cyber defense technologies and talent and its ability to invest in state-of-the-art defensive capabilities and move quickly is an advantage over the government cybersecurity efforts. Other industries, such as healthcare and (surprisingly) software, have more recently been exposed as softer targets and have some catching up to do.
So, is America’s sensitive data safe?
Assuming you subscribe to the idea that time is a critical variable in the federal government cybersecurity defense equation ... to stay ahead of the adversary, you must be able to adapt in near real time to the threat of the day and expanding attack surfaces. Now think about the government’s acquisition process, its ability to attract and maintain cybersecurity talent, enterprise scale deployment challenges, continuous monitoring requirements, politics, budget constraints, competing priorities, etc. While government cybersecurity measures are not likely moving at the speed of the adversary, the good news is awareness is high and measures like implementing a Zero Trust architecture can help move us closer to where we need to be.