A 5-point plan for cyber fitness

 

Connecting state and local government leaders

An effective cybersecurity plan must not just address the problems outlined in the 30-day cybersecurity sprint, but also the underlying issues that have kept agencies from fully complying with existing security programs.

What pivotal moment would make you finally buckle down and live a healthier lifestyle?

In cybersecurity terms, the massive data breach at the Office of Personnel Management, which compromised millions of federal employee records, including sensitive security clearances, is such a moment.  The breach has seemingly galvanized the federal government to finally whip its cybersecurity policy into shape.

United States CIO Tony Scott has directed all federal agencies to take a series of swift measures to lock down government systems. The 30-day cybersecurity sprint, addresses four major areas for change: intelligence operationalization, patches, privileged users and multifactor authentication.

“Recent events underscore the need to accelerate the Administration’s cyber strategy and confront aggressive, persistent malicious actors that continue to target our nation’s cyber infrastructure.” Scott wrote in a White House blog.

But a deeper look at the sprint suggests the government is not taking advantage of its existing cyber defense and is slow to embrace new technologies. Rep. John Ratcliffe (R-TX) said, “The White House is essentially calling on federal agencies to do in the next 30 days what they were already required to do.”

An effective cybersecurity plan must not just address the problems outlined in the sprint, but also the underlying issues that have kept agencies from fully complying with existing security programs.  Here are five issues that must be addressed:

1. Operationalize cyber-threat intelligence

Operationalizing CTI is the first and most important part of the White House plan.

But while the Department of Homeland Security has invested millions to aggregate threat intelligence, it has not been able to mature its capabilities to the point where it can employ this intelligence in real time.

Think about a threat indicator as a storm warning. There is no value in knowing a hurricane is coming if it takes five days to get to a shelter. Promising indicators are useless if they are not shared in a timely manner. The federal government needs to adopt CTI technologies that identify, prioritize and automate responses to cyber threats so risks are identified earlier and CTI is put to good use.

2. Deploy critical patches 

Agencies need to block what they know is bad before it can do any harm. However, deploying critical cybersecurity patches is often impossible given the current, laborious state of federal contracting.

Take the Continuous Diagnostics and Mitigation program, the first phase of which rolled out in 2013. While CDM tackles issues of cyber asset allocation, including forecasting, it cannot define the cybersecurity challenges the country may face five years down the road. Technology changes in real time, and the federal government must take advantage of these changes via innovative contracting that allows acquisition of new cyber defense tools the moment they are needed.

3. Employ two-factor authentication

The latest credit cards are protected by two-factor authentication that employs PIN and chip technology. The concept is simple. When it is harder to hack and use stolen data, that data becomes a less attractive target.

Federal agencies started deploying two-factor authentication for physical and logical access capabilities in 2004 under Homeland Security Presidential Directive 12. Ten years into this plan, two-factor authentication still isn’t fully implemented. However, there’s little flexibility when it comes to federal use because the policy is focused on being compliant, not on improving security infrastructure.

Cybersecurity is a billion-dollar industry, yet hacking is a relatively cheap undertaking. By making hacking harder and more expensive for hackers, government targets actually lose some of their value.

4. Monitor privileged users

Monitoring and restricting the actions of privileged users is a relatively new capability available to private industry, and not surprisingly, the government is only slowly adopting it.

When privileged users are restricted to the minimum activities necessary to do their jobs, security managers can monitor and detect anomalies easily. They can also determine actual exposure caused by a security incident. One of the most basic concepts behind this approach is removing Internet access from systems that administrators log onto. Privileged-user monitoring, when combined with two-factor authentication and encryption, reduces the attack surface.

5. Beef up the cyber workforce

Here’s the fifth point missing from the White House cybersecurity sprint. Not only is the cyber workforce woefully understaffed and underqualified, but the federal workforce also faces unique pressures. Attrition can be sky high, as talented individuals are frequently transferred to new jobs or simply leave an increasingly dispirited workplace. Government cyber experts need to be incentivized to stay in the public sector where they can innovate and nurture existing programs. That continuity alone would address many major security challenges.

DHS began to address standards and training with the National Initiative for Cybersecurity Careers and Studies, but the deeper problem is that the federal government isn’t an attractive workplace for highly skilled cyber personnel. Beyond issues of compensation and management, federal workers need the latest tools to do their jobs.

What’s the answer?

Stronger cyber defenses are attainable. Along with existing technologies, phenomenal new products are available to fight this war. But too often the government’s hands are tied by purchasing processes that can take years, while the cybersecurity landscape is changing by the minute. It’s time for agile contracting that delivers timely solutions.

Given the potential consequences of cybersecurity breaches, cyber defense is now homeland defense. We don’t take chances with our physical defense and intelligence, nor should we risk our cybersecurity.

NEXT STORY: Windows XP: The undead OS

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.