A recent GAO audit report, Actions Needed to Address Challenges Facing Federal Systems, pointed out something that should come as no surprise: federal agencies face several challenges when it comes to cybersecurity.
The audit report stated that, "federal and contractor systems face an evolving array of cyber-based threats" which "can be unintentional—for example, from equipment failure, careless or poorly trained employees; or intentional—targeted or untargeted attacks from criminals, hackers, adversarial nations or terrorists, among others."
"Threat actors use a variety of attack techniques that can adversely affect federal information, computers, software, networks or operations, potentially resulting in the disclosure, alteration or loss of sensitive information; destruction or disruption of critical systems; or damage to economic and national security," GAO stated, noting that, "These concerns are further highlighted by the sharp increase in cyber incidents reported by federal agencies over the last several years, as well as the reported impact of such incidents on government and contractor systems."
Because of the risk posed by these threats, it is crucial that the federal government take appropriate steps to secure its information and information systems. However, GAO has identified a number of challenges facing the government's approach to cybersecurity. The challenges GAO cited include:
- Threats, both intentional and unintentional;
- Implementing risk-based cybersecurity;
- Proper identity management;
- Access control and data breaches; and
- Improving incident response.
While the GAO auditors' findings by and large hit the mark, a very important question remains: where do we go from here?
There is no easy answer. Cybersecurity is an iterative process, and organizations and federal agencies need to address it in an iterative fashion. The government has made a very good start, to be sure. So, while the GAO rightly pointed out the challenges, there are solutions in the works.
Both the Departments of Defense (DoD) and Homeland Security (DHS) have already done a lot of work to secure their networks and systems, and both have strong systems from an architectural point of view.
These agencies understand the idea of "security connected"—that it's imperative to create an integrated strategy so systems can share information with each other. If you can connect your systems and architecture in a way that's risk-based, you're doing the right thing. DoD is connecting systems and architectures in a risk-based fashion, which is what we see best-of-breed organizations doing in both the private sector and government.
The GAO’s audit especially rang true for most civilian agencies. However, programs like Continuous Diagnostics and Mitigation (CDM) and the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework show the federal government is taking the right steps to strengthen its cybersecurity posture. Through CDM, DHS has been driving a process for civilian agencies to take stronger cybersecurity measures.
This is an example of the government thinking about risk-based security, appropriating money and putting individual departments and agencies in control of improving their security posture. CDM creates a construct so agencies can figure out the current state of cybersecurity within their organization. The program provides an integrated way to assess, prioritize and manage cyber risk.
It will, at long last, allow government agencies to know with more certainty what their security risk posture is at any given moment.
Additionally, CDM allows agencies not only to understand where their risks and vulnerabilities are, but also to be able to prioritize them, which is incredibly beneficial as very few organizations are prioritizing risk right now.
This is a proactive, beneficial step: looking at infrastructures, assets and vulnerabilities, then taking appropriate action to protect them. Almost all agencies already do some of what CDM requires; CDM asks them to look at the data continuously and systematically, and to report it upward.
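The paragraphs above describe CDM's loop in general terms: inventory assets, find vulnerabilities, prioritize by risk rather than by raw severity, and roll the result up for reporting. As an added illustration (not code from the CDM program, the GAO report or Intel Security), the Python below shows what "prioritize" means in practice: a finding's severity score is weighted by the criticality and exposure of the asset it sits on and by whether an exploit is known, so a critical-rated weakness on a throwaway lab host can rank below a medium one on the HR database. The asset inventory, the findings, the `VULN-*` identifiers and the weighting factors are all constructed for the example and are assumptions, not real agency data or an official CDM scoring scheme.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int      # 1 (low) .. 5 (mission-critical), assigned by the asset owner
    internet_facing: bool


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str          # placeholder identifiers for the example, not real CVEs
    cvss: float           # base severity, 0.0 .. 10.0
    exploit_known: bool


# Constructed sample inventory and scan results (illustrative only).
ASSETS = {
    a.name: a
    for a in [
        Asset("public-web-01", criticality=4, internet_facing=True),
        Asset("hr-db-01", criticality=5, internet_facing=False),
        Asset("lab-test-03", criticality=1, internet_facing=False),
    ]
}

FINDINGS = [
    Finding("lab-test-03", "VULN-A", cvss=9.8, exploit_known=False),
    Finding("public-web-01", "VULN-B", cvss=7.5, exploit_known=True),
    Finding("hr-db-01", "VULN-C", cvss=6.5, exploit_known=False),
    Finding("lab-test-03", "VULN-D", cvss=4.3, exploit_known=False),
]


def risk_score(finding, assets):
    """Severity weighted by asset criticality, exposure and exploit availability.

    The multipliers (1.5 for internet-facing, 2.0 for a known exploit) are
    assumptions chosen for the example; an agency would set its own.
    """
    asset = assets[finding.asset]
    score = (finding.cvss / 10.0) * asset.criticality
    if asset.internet_facing:
        score *= 1.5
    if finding.exploit_known:
        score *= 2.0
    return round(score, 2)


def prioritize(findings, assets):
    """Findings ordered by risk, highest first; ties broken deterministically."""
    return sorted(findings, key=lambda f: (-risk_score(f, assets), f.asset, f.vuln_id))


def summarize(findings, assets, threshold=5.0):
    """Per-asset roll-up suitable for reporting upward: counts, worst score, top item."""
    ranked = prioritize(findings, assets)
    summary = {"total": len(ranked), "above_threshold": 0, "by_asset": {}, "top": None}
    for f in ranked:
        s = risk_score(f, assets)
        entry = summary["by_asset"].setdefault(f.asset, {"findings": 0, "max_score": 0.0})
        entry["findings"] += 1
        entry["max_score"] = max(entry["max_score"], s)
        if s >= threshold:
            summary["above_threshold"] += 1
    if ranked:
        summary["top"] = (ranked[0].asset, ranked[0].vuln_id)
    return summary


if __name__ == "__main__":
    for f in prioritize(FINDINGS, ASSETS):
        print(f"{risk_score(f, ASSETS):5.2f}  {f.asset:15s} {f.vuln_id}  (CVSS {f.cvss})")
    print(summarize(FINDINGS, ASSETS))
```

Sorted by CVSS alone, VULN-A (9.8) on the lab host would be patched first; weighted by asset context, the exploited VULN-B on the internet-facing web server leads and the lab host drops to the bottom. The `summarize` roll-up is the kind of compact, repeatable figure that can be produced on every scan cycle and compared over time, which is the continuous, systematic reporting the paragraph describes.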
Government agencies shouldn't be expected to leap from A to Z immediately; with CDM, they can move progressively through thoughtfully designed steps to achieve a high-level security posture. This is an important change from the model of report cards under the Federal Information Security Management Act (FISMA), which was more of a check-the-box approach that produced report cards that often didn't change from year to year.
Nevertheless, FISMA was a necessary first step in helping us get to the point where we are now with CDM. Most importantly, CDM will make agencies accountable for the security of their systems. In light of the many security breaches over the past year, CDM is more important than ever. It should be a national priority, as it will create efficiencies, cost-savings and, ultimately, a higher level of cybersecurity for civilian agencies – and any other entities such as state, local and tribal governments that choose to use it.
Another significant development directed by the federal government is the NIST Cybersecurity Framework. It’s an important step forward as it provides organizations a means to assess their cyber risks and provides a process for improving their organizational security posture.
Intel Security participated extensively in the development of the NIST Framework and fully supports its implementation. While NIST refers to the product as a "framework," what it actually produced is a tool for organizations to evaluate where they are today, where they would like to be in the future, and how they are going to reach their desired security posture.
Essentially, the core functions of the framework are to identify, protect, detect, respond and recover. These simple core functions are particularly useful in communicating the state of an organization's cybersecurity activities to senior leaders outside IT, enabling informed and integrated risk management decisions.
Like CDM, the NIST Framework can provide federal CIOs a risk-based model to analytically review their current state of cybersecurity and figure out what needs to be done. The process NIST used in developing the framework brought together companies and organizations from throughout the technology ecosystem, using a bottom-up rather than a top-down process, which was important in winning support for the resulting product. And, significantly, the framework is non-regulatory, so it retains a lot of flexibility. Since the cybersecurity needs of the Department of Agriculture can differ from those of the Department of Justice, for example, that flexibility is an important feature.
CDM and the NIST Framework are two concrete examples of how the government is starting to address many of the core challenges GAO's audit identified. Yet, despite the steps taken by the federal government, cyber attackers still have the advantage, for now.
Large companies like Intel Security are putting a lot of focus on integrating security into a unified whole. It’s imperative to have an open ecosystem of integrated security products working in seamless orchestration. This ecosystem should include large companies as well as smaller companies to get the best of both.
What we have now in many organizations, though, is a hodgepodge of incompatible, orphaned or obsolete solutions. That scenario has to change. The security industry needs to move toward a consistent, strategic platform – a unified ecosystem.
By driving this kind of model forward, we can be better prepared to address cyber attacks.
Ken Kartsen is vice president-federal for Intel Security.