A 5-point plan for cyber fitness

What pivotal moment would make you finally buckle down and live a healthier lifestyle?

In cybersecurity terms, the massive data breach at the Office of Personnel Management, which compromised millions of federal employee records, including sensitive security clearances, is such a moment.  The breach has seemingly galvanized the federal government to finally whip its cybersecurity policy into shape.

United States CIO Tony Scott has directed all federal agencies to take a series of swift measures to lock down government systems. The 30-day cybersecurity sprint, addresses four major areas for change: intelligence operationalization, patches, privileged users and multifactor authentication.

“Recent events underscore the need to accelerate the Administration’s cyber strategy and confront aggressive, persistent malicious actors that continue to target our nation’s cyber infrastructure.” Scott wrote in a White House blog.

But a deeper look at the sprint suggests the government is not taking advantage of its existing cyber defense and is slow to embrace new technologies. Rep. John Ratcliffe (R-TX) said, “The White House is essentially calling on federal agencies to do in the next 30 days what they were already required to do.”

An effective cybersecurity plan must not just address the problems outlined in the sprint, but also the underlying issues that have kept agencies from fully complying with existing security programs.  Here are five issues that must be addressed:

1. Operationalize cyber-threat intelligence

Operationalizing CTI is the first and most important part of the White House plan.

But while the Department of Homeland Security has invested millions to aggregate threat intelligence, it has not been able to mature its capabilities to the point where it can employ this intelligence in real time.

Think about a threat indicator as a storm warning. There is no value in knowing a hurricane is coming if it takes five days to get to a shelter. Promising indicators are useless if they are not shared in a timely manner. The federal government needs to adopt CTI technologies that identify, prioritize and automate responses to cyber threats so risks are identified earlier and CTI is put to good use.

2. Deploy critical patches 

Agencies need to block what they know is bad before it can do any harm. However, deploying critical cybersecurity patches is often impossible given the current, laborious state of federal contracting.

Take the Continuous Diagnostics and Mitigation program, the first phase of which rolled out in 2013. While CDM tackles issues of cyber asset allocation, including forecasting, it cannot define the cybersecurity challenges the country may face five years down the road. Technology changes in real time, and the federal government must take advantage of these changes via innovative contracting that allows acquisition of new cyber defense tools the moment they are needed.

3. Employ two-factor authentication

The latest credit cards are protected by two-factor authentication that employs PIN and chip technology. The concept is simple. When it is harder to hack and use stolen data, that data becomes a less attractive target.

Federal agencies started deploying two-factor authentication for physical and logical access capabilities in 2004 under Homeland Security Presidential Directive 12. Ten years into this plan, two-factor authentication still isn’t fully implemented. However, there’s little flexibility when it comes to federal use because the policy is focused on being compliant, not on improving security infrastructure.

Cybersecurity is a billion-dollar industry, yet hacking is a relatively cheap undertaking. By making hacking harder and more expensive for hackers, government targets actually lose some of their value.

4. Monitor privileged users

Monitoring and restricting the actions of privileged users is a relatively new capability available to private industry, and not surprisingly, the government is only slowly adopting it.

When privileged users are restricted to the minimum activities necessary to do their jobs, security managers can monitor and detect anomalies easily. They can also determine actual exposure caused by a security incident. One of the most basic concepts behind this approach is removing Internet access from systems that administrators log onto. Privileged-user monitoring, when combined with two-factor authentication and encryption, reduces the attack surface.

5. Beef up the cyber workforce

Here’s the fifth point missing from the White House cybersecurity sprint. Not only is the cyber workforce woefully understaffed and underqualified, but the federal workforce also faces unique pressures. Attrition can be sky high, as talented individuals are frequently transferred to new jobs or simply leave an increasingly dispirited workplace. Government cyber experts need to be incentivized to stay in the public sector where they can innovate and nurture existing programs. That continuity alone would address many major security challenges.

DHS began to address standards and training with the National Initiative for Cybersecurity Careers and Studies, but the deeper problem is that the federal government isn’t an attractive workplace for highly skilled cyber personnel. Beyond issues of compensation and management, federal workers need the latest tools to do their jobs.

What’s the answer?

Stronger cyber defenses are attainable. Along with existing technologies, phenomenal new products are available to fight this war. But too often the government’s hands are tied by purchasing processes that can take years, while the cybersecurity landscape is changing by the minute. It’s time for agile contracting that delivers timely solutions.

Given the potential consequences of cybersecurity breaches, cyber defense is now homeland defense. We don’t take chances with our physical defense and intelligence, nor should we risk our cybersecurity.