The findings of a recent high-profile review of cybersecurity in the federal government make one thing clear: A new approach to cybersecurity is needed. While we are seeing important advances in cyber tools and techniques, agencies cannot simply buy their way to better security.
The review, conducted by the Office of Management and Budget and the Department of Homeland Security, determined that 74 percent of federal agencies had cyber programs that were either “at risk” or “high risk” – and that, by and large, agencies are not equipped to determine how malicious actors seek to gain access to their systems and data.
Many people, like U.S. CIO Suzette Kent, are calling for swift action: “This is unacceptable and an aggressive action plan has been developed to address the issues,” Kent wrote in a blog post announcing the release of the “Federal Cybersecurity Risk Determination Report and Action Plan to the President of the United States.”
OMB has identified four key actions it believes necessary to address cybersecurity risks:
- Increase cybersecurity threat awareness among federal agencies by implementing the Cyber Threat Framework to prioritize efforts and manage cybersecurity risks;
- Standardize IT and cybersecurity capabilities to control costs and improve asset management;
- Consolidate agency security operation centers to improve incident detection and response capabilities; and
- Drive accountability across agencies through improved governance processes, recurring risk assessments, and OMB’s engagements with agency leadership.
All four actions are necessary, but they are not sufficient. Instead, more needs to be done to provide true situational awareness: that is, the ability to track all activity across the enterprise in real time. That’s where an integrated defense architecture comes in.
The Need for an Integrated Defense Architecture
Federal agencies have long taken a best-in-class approach to cybersecurity, meaning that whenever a problem emerges they buy the tool that seems best for the job. The problem is that they typically give little or no thought to how that tool works within the larger cyber architecture, leaving them with countless blind spots where malicious actors can work undetected. There is a real need to consider how these solutions integrate more holistically within the overall architecture.
With an integrated cyber defense approach, agencies will use any number of best-in-class products – but always with a focus on how those products work in concert. As a result, agencies can ensure that they have both strong capabilities in key functional areas and better overall situational awareness. This cohesive approach not only provides a higher level of security, it also can be less costly to create and maintain. Essentially, agencies are able to buy down the risk inherent in their systems across the enterprise.
In developing this integrated cyber architecture, agencies need to focus on security at the workload and data level, rather than the network perimeter. That is because the increasing adoption of cloud and mobile solutions has extended that perimeter to wherever end-users access data, be it in the field, at a home office or at an airport gate. With a traditional network-centric perimeter defense, that just means more blind spots.
As the OMB report makes clear, cybersecurity remains a difficult challenge for federal agencies.
While the latest generation of cyber solutions has great potential to drive improvements in key areas, agencies should not look for any given technology or methodology to fix their problems.
Instead, they need to shift their focus from technologies to architecture. They need to develop the right combination of compliance (e.g., with the framework), tools, analytics and intelligence to offer more visibility across the enterprise. That is the end-game here: situational awareness.
Without that architecture, agencies will continue to sink resources into promising new technologies without ever seeing the expected results.
The views expressed here are the writer’s and are not necessarily endorsed by Homeland Security Today, which welcomes a broad range of viewpoints in support of securing our homeland.