The sheer magnitude and complexity of federal networks make cybersecurity one of the government's biggest challenges. To tackle it, agencies are increasingly engaging one another and sharing best practices, but it has to be an ongoing conversation that evolves along with the practices themselves, experts say.
"Threat sharing is not the destination, it's the means to an end. We have to see what the data tells us and determine what actions make sense," said Tony Sager, senior vice president and chief evangelist at the Center for Internet Security. "The notion of what's best changes all the time…no one is buying systems and waiting three years [to see how it goes]. How am I constantly refreshing knowledge? Nobody has enough [resources] to do this on our own; we have to do this as a group."
Sager spoke as part of a panel at the C4ISR & Networks/Federal Times CyberCon 2015 event in Arlington, Virginia, Nov. 18.
Another best practice that's caught on across the government in recent years is risk management, with agencies adopting risk management frameworks to help bolster cybersecurity. But that, too, has to evolve with changing threats, policies and lessons learned.
"Risk management framework isn't about an every-three-year certification and accreditation… risk management framework is about continuous monitoring," said COL Bobby Saxon, division chief and program director, enterprise management decision support, Army G-3/5/7.
The framework, and cybersecurity best practices writ large, are less about keeping the bad guys out and more about "letting us know the bad guys are in…as soon as possible so we can take proactive actions," Saxon said. The Edward Snowden breach "lasted many months before we knew there was a problem. In today's world of big data…we have the ability to do continuous monitoring. I think we have to speak truth to power – we have to say this can be done but it's going to cost money and it's going to take resources to make that happen. If they [decide] not to invest in that, then that's something the whole organization is now aware of."
Ann Barron-DiCamillo, director of US-CERT, recommended her top five specific best practices in cybersecurity.
"Application white-listing, patching of systems as well as applications, reduction of administrative privileges and then network segmentation: If those five controls are implemented and monitored – the monitoring aspect is the really important part – it would reduce about 85 percent of the incidents we respond to," she said. "We're really putting our money where our mouth is [at] DHS, implementing some of those controls as part of our continuous diagnostic and mitigation program that can actually be monitored on behalf of federal civilian networks as well."