Federal cybersecurity off to a flying start in 2016
In my blog from a few months ago, I outlined several predictions for 2016 — one of which was that cybersecurity challenges would spur federal leaders to pursue new approaches to this continuing problem. Such a prediction might not seem like a stretch in light of the continuous barrage of headlines related to data breaches and other cyber threats, but since that blog the Obama administration has indeed taken several notable steps in the first few months of 2016.
One such recent development was the inclusion of a new federal chief information security officer position in the Obama administration’s 2017 budget request. Having a C-level official who can coordinate security policy, planning and implementation across the federal government will raise cybersecurity to the highest level of awareness and action in the federal government. The CISO position is part of a $19 billion cybersecurity budget request by the administration, an amount that indicates just how much of a priority this challenge has become. According to the White House, this represents a more than 35 percent increase from fiscal year 2016 request in overall federal resources for cybersecurity, "a necessary investment to secure our nation in the future."
Of course, a budget request means nothing if the resulting policies and requirements are not executed appropriately and efficiently. And that’s where the real work starts for federal agencies. Agency security professionals will be faced not only with increasing cyber threats but also new compliance requirements and other mandates from the Office of Management and Budget.
This may seem overwhelming to federal security leaders, many of whom are no doubt already stretched to their limits and worried about their in-house security capabilities. But I strongly believe that success in any complex undertaking starts with breaking down the complex to the basic elements. Any successful IT initiative comes down to three key ingredients: people, process and technology. Policy directives such as the Cybersecurity National Action Plan can help address the "people" and "process" aspects of this three-legged stool, but the "technology" aspect remains especially challenging.
Federal CIO Tony Scott speaks about the concept of "secure by design": – building security into systems at the start, as opposed to retrofitting them with tacked-on protection. Many or even most of the federal government’s systems in use today were not developed with security as a top design consideration, so adding protection at this time has proven a major hurdle. Scott often compares this to installing airbags in a 1965 Mustang: installing them would not only look terrible, it probably wouldn’t even make the car safer.
Instead, we need to think about entirely new approaches to protecting our data and systems.
As I noted in my earlier blog, traditional perimeter-based defenses are not going to keep attackers out 100 percent of the time. Bad actors ultimately will get in sometime and somehow. In addition to focusing on how to keep them out, we should also seek to minimize the damage they can do if indeed they do get in.
"Secure by design" will require a different approach: modern architectures designed to run in the cloud, multi-factor authentication, virtualized and software-defined networks and data centers, and high-value assets protected through micro-segmentation.
Challenges related to cybersecurity remain enormous, and we are playing catch up from many years of reliance on outdated technologies. However, the recognition and direction we are seeing from those at the highest levels of government is a welcome and positive move.
Casey Coleman is group vice president for civilian agencies at Unisys Federal. She previously served as an IT executive at the General Services Administration, holding the position of CIO from 2007 to 2014.
A key question for agencies and policymakers when it comes to verifying identities for tax and benefits services is…what technology alternatives exist to not only protect citizens but also combat the benefits and refund fraud that has exploded during the pandemic?
Moscow has repeatedly demonstrated that its hackers — which include military and intelligence cyber units as well as “independent” proxies — have the capability to inflict untold damages on the infrastructure and companies the global economy depends upon.
By constantly flexing the military’s cyber muscles to defend the homeland from inbound criminal cyber activity, the public demand for a broad federal response to illegal cyber activity is satisfied. Still, over time, the potential adversary will understand our military’s offensive cyber operations’ tactics, techniques and procedures.