This interview is an excerpt from GovLoop’s recent research guide, The Current State of Government’s Cybersecurity.
As resources diminish and cyberthreats escalate, it’s more important than ever that government adopt risk-based tactics to maximize security. In a recent interview with GovLoop, Gregory Touhill, Deputy Assistant Secretary of Cybersecurity and Communications, and Hala Furst, Cybersecurity and Technology Business Liaison, explained how the Department of Homeland Security (DHS) is assisting in that effort, both with best practices and private-sector collaboration.
“Best practices work,” Touhill said. “People often try to foster an environment of compliance but, from my perspective, the best way to do that is to build a culture of best practice. Best practices bring compliance; compliance doesn’t always bring best practices.”
Touhill detailed the seven focus areas that DHS is prioritizing with other agencies. Those include:
- Secure your back door. “You are only as strong as your third-party vendor,” Furst said. Too often, agencies secure their own infrastructure without realizing that third-party solutions can introduce critical vulnerabilities into otherwise secure systems. “For all the third-party vendors out there, we really need to make sure that we’re spelling out our requirements and expectations. Then we need the ability to monitor and audit them,” Touhill agreed.
- Whitelist applications. Agencies should assess each application running within their network and approve only those that meet operational and security standards. Touhill said that a significant number of the incidents that the United States Cyber Emergency Readiness Team (US-CERT) and Industrial Control Systems Computer Emergency Response Team (ICS-CERT) respond to could be avoided if agencies implemented application whitelisting.
- Ensure proper configuration and patch management. Referencing ICS-CERT again, Touhill said that 29 percent of the time the team performs incident response on an issue that would have been prevented if the agency had maintained proper patching and configuration. That requires IT shops to proactively manage and deploy security upgrades.
- Reduce the attack surface. As networks and endpoints expand, so too does the potential to create vulnerabilities to exploit. Touhill explained this mitigation tactic simply: “Don’t put stuff out there that doesn’t need to be out there,” he said. “We can preserve the idea of open government and still make sure that we’re tightly controlling access to information for only those people who require it.”
- Manage authentication. Touhill said one of the biggest lessons from last year’s OPM breach was the need for better user verification. He described that as “making sure that whoever has accessed the network and its information is not only authorized, but authenticated.” In particular, DHS is encouraging organizations to adopt multifactor authentication to ensure appropriate access.
- Implement secure remote access. That multifactor authentication should be pushed to the perimeter of the network as well, to ensure remote access is also secure. “That helps close a vulnerability that we’ve seen in many different breaches, both in the public and the private sector,” Touhill said.
- Monitor and respond. Finally, agencies should continuously monitor their entire networks and have a plan in place to react to incidents in real-time. The department’s Continuous Diagnostics and Mitigation (CDM) program is a cornerstone of this initiative.
These seven practices help agencies and private sector organizations assume a risk-based approach to cybersecurity. Touhill said that is a critical stance. “At the end of the day, cybersecurity is a risk management issue,” he said. “It’s not a technology issue. In the past, many of these risk decisions have been made in the server room, because folks thought it was just a technology issue.”
DHS is trying to change that mindset in federal agencies. “As a result of the OPM breach, we’ve really focused the executive level on managing cybersecurity risk decisions not just in the server room, but into the boardroom. We want it on the agenda at all layers of leadership and management,” Touhill said.
Furst said they’ve seen enthusiasm for this idea, particularly in the private sector. However, many organizations lack the know-how and resources to independently instill this risk management approach. To help small and medium-sized businesses, the department developed a toolkit.
“This toolkit gives them vocabulary and language from a business perspective, to speak to those people,” she explained. “And if a company isn’t big enough – as we see often in small and medium size businesses – to have a dedicated CIO or CISO, it gives them tools and resources to start with; the majority of which are free.”
Even as the department assists the private sector, Furst emphasized that the relationship is mutually beneficial. “Innovation is happening everywhere in the private sector. What we are trying to learn in government, from the private sector, is speed and talent retention,” she said.
Particularly for cybersecurity personnel, hiring is a challenge in government. To increase the talent pool, programs like the Loaned Executive Program provide an opportunity for private sector employees to share their expertise with the Department directly. Programs like Exemplar give government employees the chance to learn best practices by being detailed to a private sector company. DHS is also encouraging the development of fellowship programs and temporary assignments that allow professionals to temporarily enter public service.
However, Furst said that relies on private-sector cooperation. “We’re asking people to help us solve some of the bigger problems. But that takes buy-in from companies to allow their folks to come out and help us, then go back to their jobs.”
To foster that buy-in, DHS devotes resources to building relationships in innovation shops across the country. “There’s a lot of movement outside Silicon Valley with people that are bringing in innovation and looking for better ways to incorporate cyber best practices in education, business and in government at the state, local and tribal territorial level. We’re seeing a lot of positive movement throughout the country,” said Touhill.
DHS has a crucial role to play in fostering that. “We provide great value to the private sector from the federal government, in addition to shaping and developing best practices and information sharing but also by preparing for incident response and planning, conducting exercises and providing a wide range of tools,” he said.