I have the distinct advantage of having a career thus far that has included not only working in the private sector, but also serving my country in the federal government as the country’s first Chief Commercialization Officer. In addition, I not only worked in the federal government, but spent considerable time working at the state, county and city levels. I would wager that I have had more “sales pitches” thrown at me than the vast majority of folks reading this simple article (with the gray hair to prove it!). I learned a long time ago to explain things – whether it be to a president of the United States or an “average Joe” – in a simple, straightforward way because I learned that if a person couldn’t describe something to most 8-year-olds, they probably didn’t understand it. (Note: As a laser physicist-type who became a businessman, this is a motto I struggled to live by early on!)
Cyber attacks today emanate from a variety of sources: nation states that wish us harm, cyber-criminal organizations, and individuals seeking military, economic or financial gain. Cyberspace has evolved into a highly sophisticated, interdependent, and technologically dynamic environment. The genuine vulnerability of command and control networks around the world presents real challenges to securing even the federal government from cyber attacks. Cybersecurity threats show no signs of slowing down, either. Many experts have commented that “it’s not a matter of if, but when” a cyber threat will create widespread harm.
Cybersecurity is a frequently used term, but a term that has not fully matured as a defined practice or function. The relationship of cybersecurity to existing security terms, such as Information Assurance, Information Security, and IT Security, is shown in Figure A below – demonstrating that cybersecurity cuts across ALL of these disciplines.
Figure A: Cybersecurity cuts across a variety of disciplines when viewed in a systematic way.
One of the most important aspects of cybersecurity is the requirement to monitor and analyze current cyber threat protection activities and establish a continuous improvement capability. Figure B delineates a “Cybersecurity Continuous Improvement” diagram, demonstrating that this deliberate activity enables an organization to remain “ahead of cyber threats” and take action before there is a breach or data loss.
Figure B: Graphic depicting cybersecurity improvement.
Many organizations expend the effort to place sensors and logging tools throughout their enterprise, but fail to collect the most pertinent data. Additionally, organizations often collect useful source data and fail to fully apply the information processing cycle to develop actions that are operationally relevant, which can be integrated into existing operations and cyber threat protection architectures.
Over the last two decades, the digital revolution has transformed our global society. Cyber space has become as much a part of our everyday lives as our physical world. Despite cybersecurity receiving increased international attention, we are still playing a “game of catch-up.” The operations of most public- and private-sector organizations have become so deeply entangled with cyber space that making wholesale changes to data structures and processes to improve cybersecurity presents a major, ongoing challenge.
The conventional approach to securing computer systems against cyber threats relies on design mechanisms such as firewalls, authentication tools, and virtual private networks that create a protective shield. However, these mechanisms almost always contain vulnerabilities of their own. It is critical for an organization to develop a continuous improvement capability to ensure that its cyber threat defenses remain current and effective at preventing attacks from damaging systems or exfiltrating sensitive data. Strategic continuous monitoring (with real-time data feeds) combined with cyber threat analysis can establish a continuous improvement capability that produces cyber threat prevention information that is actionable and operationally relevant. The “Information Processing Cycle” (see Figure C below) shows how the collection of pertinent data can be transformed into cyber threat information as a key component of continuous improvement.
Figure C: Systematic approach to building a cybersecurity capability.
Data mining has become one of the key features of many cybersecurity initiatives. Often used for fraud detection, risk assessment and retail marketing, data mining involves the use of data analysis tools to discover previously unknown, valid patterns and relationships in large data sets. In the context of homeland security applications, data mining can be a potential means of identifying terrorist activities through money transfers and communications, and of identifying and tracking individual terrorists themselves, for example through social network analysis and situational awareness. While data mining represents a significant advance in the analytical tools currently available, there are severe limitations to its utility, not to mention the negative connotation that data mining carries with the public at large. Cybersecurity with situational awareness in the social cloud offers the only real potential for securing classified and highly sensitive information to aid the safety of the public and our country.
Email Is the Centerpiece
Email is the centerpiece of an organization’s information system. Almost every role in a modern government organization relies fully on its email system, with its messaging, calendaring and file sharing. For most organizations, their work revolves around the information flow of their email system, and they place full trust and reliance on the services it provides.
The same email systems that let information flow so freely can also be detrimental and allow undesirable information to flow just as freely. Social engineering is the easiest way to get a virus behind the firewall: just send someone an enticing email with a viral payload. By the same token, a government agency’s sensitive information can flow out with the same ease.
Numerous add-on and afterthought products exist that attempt to solve the issues that email brings to organizations. Some are effective while some are easily thwarted. The result is a hodgepodge of bolted-together parts that leave the IT administrator hoping it might be good enough. It’s a pretty sad state of affairs.
The design of enterprise email systems needs to be revisited. It needs a creative approach to information flow, one that incorporates information security and privacy as core requirements. It needs to be a system that is simple and trustworthy.
The solution needs to be a security-first, full-service email system, designed to meet the risk-tolerance levels of the most demanding and security-conscious government organizations, capable of:
- Encrypting email in transit and at rest by default, always on, so that end users are never asked to make security decisions such as whether or not to encrypt a message.
- Reducing exposure to threat vectors like spam and phishing by employing a whitelist approach to control which senders may deliver email.
- Enforcing information rights management that records and controls who may transmit, open or forward messages and files.
- Applying role-based access controls that prevent arbitrary administrator access to email system resources, services and data.
- Supporting both public and private (restricted) cryptographic algorithm suites, with keys held in dedicated hardware security modules or in software-defined key stores protected by multiple layers of encryption.
- Enabling information assurance and easing regulatory compliance without disrupting operations, delivering a positive return on investment, and connecting securely over multiple protocols to the email client software users already know, regardless of operating system or device type.
- Providing a single management console for the email system and its built-in security, so that administrators can work more efficiently.
- Providing dependable, automated security that eliminates exposure to email-borne threats, which improves the end-user experience, reduces workplace stress and increases productivity.
- Eliminating the spam and phishing threat vectors through a deployment configuration that removes the need for routine employee security decision-making.
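The whitelist item above is the one most easily gotten wrong in practice, so here is an added example of how a mail gateway could enforce it. This is my own illustration, not code from the article or from any product it describes. It assumes (nothing in the article says so) that the policy is an exact-match set of allowed sender domains, that it is evaluated against both the SMTP envelope sender and the RFC 5322 From header, and that anything failing the check is quarantined rather than delivered. The allowlist, the domain names and the sample messages are all constructed for the example.

```python
"""Sender allowlist enforcement for inbound mail (added example, not from the article).

Assumptions (not stated in the article): the allowlist is a set of exact
sender domains; the policy is evaluated against both the SMTP envelope
sender (MAIL FROM) and the RFC 5322 From header; any sender outside the
allowlist, or any mismatch between envelope and header domains, is
quarantined. All domains and messages below are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

# Hypothetical allowlist of partner domains. Exact-match only (see domain_allowed).
ALLOWED_DOMAINS = frozenset({"agency.gov", "partner.example"})


def sender_domain(address: str) -> Optional[str]:
    """Return the lower-cased domain part of an address, or None if unparsable."""
    _, addr = parseaddr(address)          # strips any display name
    if "@" not in addr:
        return None
    local, _, domain = addr.rpartition("@")
    if not local or not domain:
        return None
    return domain.lower()


def domain_allowed(domain: Optional[str]) -> bool:
    """Exact match against the allowlist.

    Deliberately no suffix or substring matching: 'agency.gov.attacker.test'
    and 'evil-agency.gov' must not pass just because they contain 'agency.gov'.
    """
    return domain is not None and domain in ALLOWED_DOMAINS


def evaluate(envelope_from: str, raw_message: str) -> str:
    """Classify an inbound message as 'deliver' or 'quarantine'.

    Checks, in order:
      1. the envelope sender's domain is on the allowlist;
      2. the header From domain is on the allowlist;
      3. envelope and header domains agree, which blocks a spoofed
         header From riding on an otherwise acceptable envelope sender.
    """
    msg = message_from_string(raw_message)
    env_domain = sender_domain(envelope_from)
    hdr_domain = sender_domain(msg.get("From", ""))
    if not domain_allowed(env_domain):
        return "quarantine"
    if not domain_allowed(hdr_domain):
        return "quarantine"
    if env_domain != hdr_domain:
        return "quarantine"
    return "deliver"


# Constructed sample messages (not real traffic).
LEGIT = "From: Jane Doe <jane@agency.gov>\r\nSubject: Budget\r\n\r\nHi\r\n"
SPOOFED_HEADER = "From: Director <director@agency.gov>\r\nSubject: Urgent\r\n\r\nWire funds\r\n"
LOOKALIKE = "From: IT <it@agency.gov.attacker.test>\r\nSubject: Reset\r\n\r\nClick\r\n"

if __name__ == "__main__":
    print(evaluate("jane@agency.gov", LEGIT))                   # deliver
    print(evaluate("bounce@attacker.test", SPOOFED_HEADER))     # quarantine: envelope not allowed
    print(evaluate("it@agency.gov.attacker.test", LOOKALIKE))   # quarantine: lookalike domain
    print(evaluate("vendor@partner.example", SPOOFED_HEADER))   # quarantine: envelope/header mismatch
```

The two decisions worth noting are exact-match domains (a suffix match would wave through lookalike domains) and comparing the envelope sender with the header From, since a mail filter that looks only at the header is trivially spoofed. A real gateway would also verify SPF/DKIM/DMARC for the allowed domains; that is outside what the article describes and is not shown here.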
Need Breach PROTECTION, not just Detection
Folks need a PREVENTION tool for endpoints, not just breach detection. Halting the detonation of the first-stage attack, stopping zero-day, polymorphic and file-less malware in its tracks, is paramount, and organizations need a solution built to do exactly that. The solution needs to carry a “light footprint” that does not interfere with performance at the endpoint, while scaling to hundreds of thousands of endpoints. This kind of prevention system needs to protect computers, laptops, tablets and VDIs running Windows operating systems from XP through Windows 10. It also needs to run on ATMs, POS devices and similar systems critical to government and business.
It should be noted that the Small-Medium Business/Government (SMB/G) sectors are the most under-supported for anti-malware solutions. Small businesses can neither afford nor manage the complex and costly solutions that the largest enterprises implement. Analysts have reported that adversaries therefore target the SMB sector, knowing these companies have limited malware defenses, and that 40-50 percent of SMBs cannot recover from an attack once a breach occurs.
Cyber Security is a Team Sport
The complexity of maintaining secure networks, systems, and offices makes it virtually impossible for one entity or sector to achieve success without the assistance of others. By working together, the government, with the assistance of the private sector, can leverage the vital skills, expertise, and assets that each provides to reduce cyber risk. While cyber attacks will continue to increase, organizations can achieve better security by working with experienced partners to prevent cyber crime before it happens and to defend against cyber attacks when they occur. It is only through partnership across the public and private sectors that we will achieve our mutually beneficial goals.
I would like to express my sincere appreciation to all those I had the honor to work with at the city, county, state and federal government levels who reinforced in me the need to “keep it simple.” In addition, I would like to thank all those private-sector folks who pitched me on their new technology, products and services while I was in government, as it enabled me to appreciate all the creativity and inventiveness out in the private sector. Special thanks to folks at companies like IBM and many others who offered me whitepapers, concept drawings and other documents to use to educate folks on practical cybersecurity. Thanks to the folks in the White House and U.S. Department of Homeland Security for their encouragement during my time working there.