The question of when, not if, you will experience cyberattacks and security lapses in government and industry is relevant. In recent times, there has been a significant increase in the surface area available for cyberattacks due to the integration of OT and IT systems and the growing connection offered by the Internet of Things. Furthermore, the threat actors themselves—hacktivists, nation-state governments, criminal groups, and insider threats—have become increasingly competent and skilled units with deep financial resources.
The harsh truth is that criminal hackers are constantly developing their skills and strategies, making cyber breaches a dynamic threat. These days, cybercriminals use more sophisticated evasion strategies, some of which are even capable of stopping the operation of malware detection software. Code injection and memory space modification as an exploit kit is injected into the target system; frequently, these thieves use stolen certificates that are sold on the dark web or underground market to get past machine learning code and avoid anti-malware detection.
Adding new developments in generative artificial intelligence is making for a precarious digital ecosystem. To confront and contain cyber-threat challenges, both industry and government need to step up their vigilance. The way to do this is by using proven frameworks to help mitigate risks.
The dynamic process of evaluating risk and strengthening defense is known as cyber resilience. Cyber resilience is deemed “important for mission-essential systems that support our national security, homeland security, essential government services, and the critical infrastructure that supports the nation’s economy,” according to a joint DNI/DHS report. Cyber resilience is the quality of a system that guarantees it can carry out its vital tasks even in the face of cyberattacks. Cyber resilience should be incorporated into the architecture of systems that deliver or support services that are critical to the operation of the business or that demand high or constant availability. Cyber Resilience and Response (dni.gov)
Back in 2020, the Defense Department, Defense Innovation Unit and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency signed a memorandum of understanding to collaborate on a range of cybersecurity initiatives. “CISA and DIU have complementary missions and capabilities that both reinforce the Department of Homeland Security and DOD and are additive to one another,” said Jeff Kleck, director of Cyber, DIU. “Together we collectively reach across a broad swath of national interests related to cybersecurity.” Activity between DOD and DHS CISA has since then expanded on many areas. DOD, DHS Collaborating on Innovative Cybersecurity Solutions > U.S. Department of Defense > Defense Department News
Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency, understands the value of industry and intergovernmental collaboration from her experience in the defense and intelligence communities. In testimony before the House Homeland Security Committee on “Evolving the U.S. Approach to Cybersecurity: Raising the Bar Today to Meet the Threats of Tomorrow” she summed up the mission:
“At CISA, our mission is to lead the National effort to understand, manage, and reduce cyber and physical risk to our critical infrastructure. Our vision is a secure and resilient critical infrastructure for the American people. At the heart of this mission is partnership and collaboration. Securing our Nation’s cyber and critical infrastructure is a shared responsibility, and has never been more important than it is today. At CISA, we are challenging traditional ways of doing business and are actively working with our government, industry, academic, and international partners to move from traditional public-private partnerships to public-private operational collaboration.” HHRG-117-HM00-Wstate-EasterlyJ-20211103.pdf (house.gov)
An initiative Director Easterly helped steer, CISA’s Joint Cyber Defense Collaborative (JCDC), enables the government, the private sector, and U.S. international partners to come together to develop joint cyber defense plans and to drive robust operational collaboration. JCDC includes specific government agencies designated by Congress for the joint cyber planning office, including the Department of Homeland Security, U.S. Cyber Command, the National Security Agency, the Federal Bureau of Investigation, the Department of Justice, and the Office of the Director of National Intelligence, and the Department of Defense because of its unique expertise.
Collaboration is key to being operationally resilient and begins with a focus on risk management and the allocation of resources and training to various threat scenarios. Maintaining effective preparation and operation of systems also necessitates a tailored collaborative approach enhanced by automation tools.
To garner more insights on the specifics of what it is to be operational cyber resilient from both industry and governmental perspectives at DOD, I interviewed Tracy West, the Director of Analytics and Cyber Solutions at Serco, where he is responsible for delivering analytic, technology, and cybersecurity solutions and services to government clients. Prior to Serco, he supported the Department of Defense, other U.S. Government agencies, and private sector businesses with specialized cybersecurity and resilience expertise. Tracy also led and contributed to project teams applying the Risk Management Framework and integrating cyber security and resilience for major defense acquisition programs.
Tracy’s experience also includes roles at Air Force Space Command, where he served as the Cyberspace Operations Senior Manager and Senior Manager of Network Operations. Prior to his time at Air Force Space Command, Tracy worked at the United States Air Force, where he held a wide range of cyber operations positions, including a command and an assignment as a Command and Control Operations Officer on the Joint Staff.
Tracy said cyber risk management is at the core of optimal cyberspace operational resilience, particularly in OT/ICS operating settings. To achieve this, a framework for cyber resilience must be developed that evaluates situational awareness, complies with regulations, harmonizes policies and training, maximizes technology integration, encourages information sharing, creates mitigation capabilities, and upholds cyber resilience in the event of an incident. He stresses that “Technology, people, and processes must all be operationally resilient.”
He says that based on those principles, Serco deployed a platform called ASSURE for DOD that removes the need for labor-intensive, manual operations by automating assessment and reporting processes and offering a centralized platform for risk analysis. This ability to focus on risk analysis and mitigation is crucial as the government is still facing significant difficulties due to the lack of a sufficient competent cybersecurity workforce.
For anyone functioning in the digital realm, it makes sense to be proactive rather than reactive. To strengthen defenses and close gaps, there are several well-established cyber risk management pathways to take.
Certainly, one of the key priorities for mitigating both present and future threats in cybersecurity is developing an adaptive framework that includes resilience because of the dynamic nature of the digital ecosystem and the potential ramifications of a breach. Concise and rapid data analytics surely are a significant component of any risk management effort.
These days, as the cyber-threat scenario changes, the government is pushing frameworks to improve risk management. Zero Trust, Defense in Depth, and Security by Design initiatives are examples of those programs.
To protect resources (assets, services, workflows, and network accounts), Zero Trust places a strong emphasis on identity and access control that is maintained by suitable authorization and authentication.
Layers upon layers of redundant preventive security instruments and actions make up the Defense In-Depth security process.
Since the Internet was not established with any security in mind, Security By Design mandates security as an intrinsic element of every network and system that is being constructed, especially when replacing dated legacy OT and OT systems.
These three pillars of government cybersecurity risk management need not stand alone. In fact, they all should be incorporated together in the cybersecurity framework strategy to identify gaps, mitigate threats, and build resilience in the case of an inevitable cyberattack.
When it comes to cybersecurity, all branches of government, business, nongovernmental organizations, industry, and the general public share the same resilience mission. Resilience encompasses all that you are aware of regarding your objective. Monitoring threats and strengthening defenses are integral steps.
Tracy West cites the Continuous Diagnostics and Mitigation (CDM) Program at DHS CISA as an excellent example of maintaining an operational cyber resilience strategy designed to strengthen the cybersecurity of networks and systems cooperatively used by federal civilian agencies. The CDM program helps member agencies strengthen, refine, and monitor their security postures via dashboards, integration services, and cybersecurity tools. He said CDM is a natural fit to help facilitate risk resilience processes with Zero Trust, Defense In-Depth, and Security by Design.
He said, “It’s a bold world out there. How are we going to respond and how do we make sure that the operators can respond? This requires a baseline set of security procedures, the effectiveness of which is subsequently and continually assessed. It will also be vital to continuously invest in people, processes, and innovative technologies; enhance cooperation between the public and private sectors; and implement proactive integrated operational risk management strategies to counteract the growing cyber risks.
Tracy also recommends translating the expertise and capabilities from DoD to DHS because DoD had much more investment and has been deploying sophisticated platforms and technologies for many decades. DHS can learn from their experiences.
He notes the importance of carrying the no-fail approach for military systems to our national critical infrastructure. For operational resiliency, knowing the whole planning process with all of the different players, the vendors, the developers, and the people who own the systems up to the top management of the program is imperative.
Cyber threats will persist in changing as the attack surface and hacker sophistication increase. Thankfully, the federal government, and notably DHS CISA can help address and help mitigate those growing dangers by leveraging DOD technologies and collaborating with industry to bring processes and technology that have been tested in national security to the civilian side of government.