A recent GAO audit report pointed out something that should come as no surprise: federal agencies face several challenges when it comes to cybersecurity. The challenges GAO cited include: threats from both intentional and unintentional sources; implementing risk-based cybersecurity; proper identity management; access control; data breaches; and improving incident response.
GAO’s findings by and large hit the mark, but the important question remains: Where do we go from here?
There is no easy answer; cybersecurity is an iterative process, and as such, organizations and federal agencies need to address cybersecurity in an iterative fashion. The government has made a very good start, and while the GAO rightly pointed out challenges, there are solutions in the works.
Both the Departments of Defense (DoD) and Homeland Security (DHS) have already done a lot of work to secure their networks and systems, and both have strong systems from an architectural point of view. These agencies understand the idea of “security connected”—that it’s imperative to create an integrated strategy so systems can talk with each other. If you can connect your systems and architecture in a way that’s risk-based, then you’re doing the right thing. The DoD is connecting systems and architectures in a risk-based fashion, which is what we see best-of-breed organizations doing in the private sector and government.
The GAO’s audit rings most true for civilian agencies. However, programs like Continuous Diagnostics and Mitigation (CDM) and the National Institute of Standards and Technology (NIST) Cybersecurity Framework, show the federal government is taking the right steps to strengthen its cybersecurity posture.
Through CDM, DHS has been driving a process for civilian agencies to take stronger cybersecurity measures. This is an example of government thinking about risk-based security, appropriating money and putting the individual departments and agencies in control of improving their security posture. CDM creates a construct so agencies can figure out the current state of cybersecurity within their organization. The program provides an integrated way to assess, prioritize and manage cyber risk. It will at long last allow government agencies to know with more certainty what their security risk posture is at any given moment.
Additionally, CDM will allow agencies not only to understand where their risks and vulnerabilities are, but also to be able to prioritize them, which is incredibly beneficial, as very few organizations are prioritizing risk right now. This is a proactive, beneficial step – looking at infrastructures, assets and vulnerabilities, then protecting them. Almost all agencies do some of what’s required by CDM already; CDM asks them to continuously look at the data systematically and report it upward.
Government agencies shouldn’t be expected to leap from A to Z immediately, and with CDM, they can move progressively through thoughtfully designed steps to achieve a high level of security. This is an important change from the model of report cards under the Federal Information Security Management Act (FISMA). That was more of a check-the-box approach, resulting in report cards that often didn’t change from year to year.
Nevertheless, FISMA was a necessary first step in helping us get to the point where we are right now with CDM. Most importantly, CDM will make agencies accountable for the security of their systems. In light of the many security breaches over the past year, CDM is more important than ever. It should be a national priority, as it will create efficiencies, cost savings and ultimately a higher level of cybersecurity for civilian agencies, and for any other entities such as state, local and tribal governments that choose to use it.
Another significant development directed by the federal government is the NIST Cybersecurity Framework. It’s an important step forward as it provides organizations a means to assess their cyber risks and provides a process for improving their organizational security posture. Intel Security participated extensively in the development of the NIST Framework and fully supports its implementation. While NIST refers to the product as a “framework,” what they actually produced is a tool for organizations to evaluate where they are today, where they would like to be in the future and how they are going to get to that desired security posture.
Essentially, the core functions of the framework are to identify, protect, detect, respond and recover. These simple core functions are particularly useful in communicating the state of an organization’s cybersecurity activities to senior leaders in non-IT businesses, enabling informed and integrated risk management decisions.
Like CDM, the NIST Framework can give federal CIOs a risk-based model to analytically review their current state of cybersecurity and figure out what needs to be done. The process NIST used in developing the framework brought together companies and organizations from throughout the technology ecosystem; they used a bottom-up rather than a top-down process, which was important in winning support for the resulting product. And, significantly, the framework is non-regulatory, so it maintains a lot of flexibility. Just as cybersecurity for the Department of Agriculture can be different from that of the Department of Justice, flexibility is an important feature.
CDM and the NIST Framework are two concrete examples of how the government is starting to address many of the core challenges the GAO identified in its audit report. Yet, despite steps taken by the federal government, cyber attackers still have the advantage, for now. Large companies like Intel Security are putting a lot of focus on integrating security into a unified whole. It’s imperative to have an open ecosystem of integrated security products working in seamless orchestration.
This ecosystem should include large companies as well as smaller companies to get the best of both. What we have now in many organizations is a hodgepodge of incompatible, orphaned or obsolete solutions. That scenario has to change. The security industry needs to move toward a consistent, strategic platform – a unified ecosystem. By driving this kind of model forward, we can be better prepared to address cyber attacks.
Ken Kartsen is vice president, federal, at Intel Security.