[BreachExchange] How to Improve Federal Cybersecurity Efforts

[Audrey McNeil]

http://www.nextgov.com/ideas/2018/03/how-improve-federal-
cybersecurity-efforts/146593/

Last year was another banner year for cyber hackers and bad actors. A
recent report found that the number of data breaches reached 1,202 in
2017—a 50 percent increase since 2015.

Breaches on both public- and private-sector networks resulted in millions
of Americans having their personal and financial data compromised. The
private sector was particularly hit hard with the massive Equifax data
breach impacting 145.5 million people.

But federal agencies also continue to face major challenges. The
Transportation Security Administration and the National Security Agency
both experienced serious breaches, even as the federal government has taken
steps in recent years to help prevent such successful attacks. These
ongoing cyber breaches suggest agencies aren’t doing all they can within
the established cybersecurity frameworks and initiatives that abound across
government today.

The public sector can, and should, play a larger role in helping ensure
massive breaches like those at Homeland Security Department, Office of
Personnel Management and even Equifax don’t happen again. It’s time for
federal chief information officers and IT professionals to start looking at
these initiatives as more than just a guideline, but critical to the
success of our nation’s security. Here is how federal agencies can improve
their cybersecurity efforts in the coming year.

Better Adhere to the Cybersecurity Executive Order

A major cyber-focused directive promulgated in 2017 was President Donald
Trump’s cybersecurity executive order. In it are three key elements that
need to be taken seriously in the year ahead.

The first is accountability. The order holds agency heads accountable for
“risk and magnitude of harm.”  So far, security has been a bureaucratic
obstacle for most agencies, an empty exercise in administration, with
little or no consequence for failure. Holding agency heads accountable
makes cybersecurity a top priority, and in theory, creates consequences for
those who fall short.

The second element is upgrading the federal cyber workforce. Government
agencies have far less flexibility than the private sector when negotiating
salaries, but there are some advantages as well. Cybersecurity
professionals in the government, particularly in the military and
intelligence communities, are on the front lines of protecting our nation,
which serves as a motivational factor in the workplace. Also, because
cybersecurity (like all technology) changes rapidly, ongoing training and
education are essential. Cybersecurity professionals are curious by nature;
reward active minds with education.  Additionally, in some environments,
cybersecurity folks can legally work in offensive operations, which is a
fascinating opportunity not regularly available in the corporate world.

Third is the emphasis of modernization, an effort often assumed to diminish
security concerns. However, recent survey results show a surprising, and
sometimes controversial, reaction from chief information security officers.
Many believe that while modernization is an overall boon, it can actually
complicate security concerns. For instance, the move to the cloud is a key
element in modernization and in the long run will improve the security
posture of most government systems. In the short term, however, CISOs will
need to adjust to the reality of new ways of operating that will take time
and patience.

Update Priorities Based on Current and Future Technology Trends

Adoption and execution of federal cybersecurity guidelines can move the
federal government closer toward a stronger cyber posture. To start, agency
CIOs should focus on the basics. They can do this by identifying assets
such as systems, networks, data, devices, applications; knowing where data
resides, lives, and goes; knowing its sensitivity levels and privacy
requirements; standardizing and documenting system configurations; and
implementing a stringent patch management program.

On the other end of the spectrum from the basics is staying current.
History shows that bad actors are early adopters, and tend to use new
technology as soon as possible. If your agency doesn’t move ahead, your
adversaries will zoom past you.  Look at machine learning solutions. Stay
on top of developments in blockchain. Wrestle with IoT solutions. Be a
moving target.

Streamline the IT Acquisition Process

Agency CIOs should look to industry partners to make the most out of their
people, processes, and resources. Is your security budget really
inadequate, or can you reallocate funds to make it more effective?
Typically, too much money goes to bureaucratic assessment efforts. Agencies
should look to automate wherever possible.  More importantly, don’t just
shelve IT products, system assessments, and metrics reports. Use what
you’ve paid for, and act on the results and recommendations from those
efforts.

Agencies are going to continue to face attacks from hackers. In all
likelihood, 2018 will be just as challenging as 2017. That’s why it’s
important to leverage the frameworks in place to face these ongoing and
evolving challenges head on, and we can improve the nation’s cybersecurity
posture together.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180312/44f76b49/attachment.html>