In the wake of the OPM hack, the federal government is rethinking cybersecurity and how to apply it to digital operations.
But IT chiefs, working to secure scores of agencies and departments with near limitless data, are faced with an abundance of challenges and opportunity.
“While it’s unfortunate that [the OPM hack] happened, it’s elevated cybersecurity to the forefront of the conversation right now,” said Carlos Segarra, chief information security officer for the Department of Housing and Urban Development.
Segarra was among a panel of government information officers invited to discuss the increasing challenges of cyber-securing the government at the Association for Federal Information Resources Management’s monthly speaker series on Sept. 17.
“I think people understand that we all have a role to play in cybersecurity and we want to be held accountable,” Segarra said. “I think the accountability piece of it, from the CISO to the CIO to the business managers, has come to the forefront.”
The group talked about the challenges facing the federal government as agencies are becoming continued targets of cyber warfare.
“To me, security in the government is nothing more than what quality was in manufacturing,” said Jim Quinn, Homeland Security lead system engineer for the Continuous Diagnostics and Mitigation program. “It is a necessary thing that you have to do in order to be successful in business.”
Quinn added that the challenges for securing government operations have been present since it went online, but the OPM hack spotlighted the need to prioritize cybersecurity, especially as the government continues to serve as a major cache of data.
“We’ve sort of gotten ourselves in a bad security posture, because we’ve been underinvesting in, for a long period of time, addressing these relatively simple problems,” he said.
And while the necessity of strong cybersecurity is now apparent, Bray said the government’s growing storage of data and the availability of software online ensures that federal operations will continue to be the target of hackers looking for valuable information.
“There are certain assets that we have accumulated that we need to take a hard look and say, ‘Do we need to have all of those records online,’” he said.
“The second trend to [to watch] is tools that used to be available only to very sophisticated actors, increasingly falling in the hands of individuals who are able to use them to cyber-detriment," Bray added. I think those two trends make me a little more pessimistic about the future.”
At least one of the prescriptions that could be applied, the panel said, is a horizontal development of cybersecurity, where the government builds across-the-board protections and adapts them to scale. One of the ways this can achieved, Quinn said, is through the continuous diagnostics and migrations policies.
“To simplify things, the agencies now are getting that subject-matter expertise with the cross-government model and are not having to rely on just their own scope,” Quinn said.
Segarra agreed that due to the scarcity of resources for cybersecurity within departments, the ability of the federal government to offer services across agencies is paramount when it comes to risk assessment. As he put it, "my 10 [cyber analysts] aren’t risk experts.”
Another shift, Bray said, would be away from the legacy systems the government has been using, full of old code susceptible to hacks, and onto an across-the-board cloud computing structure.
“The thing that makes me lose sleep the most is old code,” he said. “I actually wish code and systems came with an expiration date and had a smell. So that way, my mission partners who think, ‘It’s always been working, why do you want to change it now,’ that they would actually feel the impact.”
Above all, the cyber officials emphasized that so-called “soft target” agencies that are not known to store classified data, like OPM, may be some of the most valuable targets to hackers.
"While North Korea and some of these other folks may be looking at the National Nuclear Security Administration, we’ve got every Tom, Dick and Harry with a computer down in their basement as a potential adversary,” Segarra said.
Don't miss CyberCon 2015, Nov. 18, where federal and industry cyber experts will dig into best practices for protecting government data and networks.