On May 7, Colonial Pipeline halted its pipeline operations after discovering it was the victim of a ransomware attack, making news worldwide. The shutdown spurred fuel shortages along the East Coast; according to the New York Times, Colonial’s pipeline to the east coast carries about 3 million barrels of fuel each day. Five days later, President Joe Biden signed an executive order to improve federal and private sector cybersecurity, citing the Colonial Pipeline attack as a “sober reminder” of the threats lurking digitally. The pandemic accelerated those threats.
In the wake of the COVID-19 pandemic, we saw an unprecedented level of digital transformation across the public sector, which increased cybersecurity risk. Following an initial push to a remote workplace, agencies are undergoing a more permanent transformation to a hybrid-remote model. Agencies were understandably caught off guard during that initial push, which made IT and cyber training difficult. But now they have the time, and the need, to provide employees with the training necessary for navigating this new environment.
In line with Biden’s executive order, it’s crucial for federal agencies to train employees consistently on cybersecurity, particularly those in IT responsible for handling a breach.
Practice incident response
The recent executive order directs the creation of a standardized playbook for cyber incident response by federal departments and agencies, one that will also serve as a template for private sector response efforts.
“Recent incidents have shown that within the government the maturity level of response plans vary widely,” the order reads.
Agencies need to not just have a playbook, though; they need to pressure test it through rehearsals and practice sessions.
In addition to regular awareness training on phishing scams and ransomware, agencies must run exercises that rehearse the response for when an employee does fall for an attack. In the future, organizations will be judged not by whether a cyber incident occurs, but by how they react to the inevitable one. Phishing is a numbers game because it is an extremely low-cost attack: if one malicious email doesn’t work, the attackers simply send more. When one does work, the attacker has a foothold inside the network, and unless that foothold is detected and contained quickly it can grow into a compromise of the whole organization.
But training is not just about checking a box. Things can and do change quickly in the real world. Agency personnel need to conduct realistic, detailed, in-depth training so that they can react instinctively when a situation arises.
To that end, IT must be trained to manage a breach response from the first signs of compromise. Agencies should use their playbooks to design advanced training and red teaming. In a red-team exercise, a separate group emulates a real adversary’s tactics against the agency while the defenders detect and respond, and then debriefs them on what was missed. While penetration testing helps agencies understand if and how an adversary can get in, they also need to practice what to do once an adversary already is in. The question is not just “what happened?” but “what do we do next?”
Train employees for the cloud
The executive order also states that it will help “move the federal government to secure cloud services and a zero-trust architecture.” The cloud, of course, is a huge part of any hybrid-remote workplace. Agencies need to modernize their cloud and file sharing policies too — then educate employees on them.
Traditional file sharing policies tend to be especially restrictive when it comes to the cloud. Agencies need to enable more dynamic file sharing policies without putting the organization at risk. To do so, they must train employees on the risks of unsanctioned third-party cloud apps and on what types of information may be shared within agency-sanctioned apps. Users must know how to share and protect data, including what is intellectual property, what is sensitive, and what isn’t. As we’ve extended digitally to the edge, so has the risk.
Whether we are talking about cloud sharing or phishing, each employee must be knowledgeable enough to spot and report their own mistakes for the good of the agency. While training should help your agency cut down on the volume of mistakes, someone is likely to make one anyway, and everyone must be prepared for that. Individuals must feel confident enough to admit a mistake for the sake of security, and that confidence comes from training. Raising concerns must be an accepted process in the organization, celebrated for the intent to protect it.
The bottom line
Despite any agency’s best efforts, there is likely to one day be a breach. Agencies must not just have a playbook to respond to cyber incidents; they need to practice it! Training individual users to be responsible and secure is half the battle. The rest comes from doing advanced drills with IT focused not solely on prevention, but what to do when an adversary is already inside.
In the Colonial Pipeline incident, for instance, there may have been a way for the company to contain the intrusion without shutting down the pipeline that was its revenue source and spurring fuel shortages. But an organization can’t respond well in real time if it hasn’t prepared in advance.
Biden’s executive order is a good push for federal agencies to get up-to-speed with IT and cyber training. Many fell behind during the early stages of the pandemic, as the focus was on connectivity. Now, agencies can make up for lost time. Whether awareness campaigns for the workforce or specific drills with IT, agencies must have a plan of what to do when a breach occurs. As we said in the Army: “Train like you fight, fight like you train.”
Eric Trexler is the vice president of Forcepoint’s Global Governments and Critical Infrastructure team and conducts extensive training with his own team on cyber readiness.