Sprinkler systems. Elevators. CO2 monitoring. What do they all have in common? They are systems that can all be digitally accessed in modern buildings. They can also all be breached. In a world where digital thermostats can be compromised and reworked into spying microphones, how can public agencies possibly stay ahead of cyber security threats?
At GovLoop’s event, Cyber Playbook: Meet the Players, Kenneth Durbin, Continuous Monitoring & Cyber Security Practice Manager at Symantec, moderated an informative “Cyber Huddle” including:
- Bill Billings, Chief Information Security Officer (CISO), HP Federal Enterprise Security,
- Daryl Haegley, Program Manager, Information Security, Installations and Environment Business Enterprise Integration Directorate, Department of Defense; and
- Henry Sienkiewicz, Former Chief Information Officer, Defense Information Systems Agency
The panel discussed the government’s top cyber security challenges and tips to navigate these threats. Being a huddle, after all, we’ll use a football approach to examine these topics.
Some say the best defense is a good offense. So, what is the ultimate play for public agencies to stay ahead of threats and guarantee security? What’s the Hail Mary pass, with no time left on the clock, where the pigskin always lands firmly in your wide receiver’s hands in the end zone?
Put simply, such things don’t exist. Sorry. Just as a team can never guarantee a successful Hail Mary, there’s no way to ever be 100% secure from cyber threats. But there certainly are ways to prepare your agency and employees to be as prepared and secure as possible. For this, you need to play a zone defense. You know it can’t be stopped, but it’s important to know how to contain the threat or force the adversaries away from critical infrastructure in a direction you want them to go, said Sienkiewicz. Prioritization is another important factor, added Haegley. Just as you’d stick double coverage on a star receiver, you want to make sure you know what data/systems are truly critical to protect. The panelists also emphasized the importance of visualizing the threat environment in a holistic fashion, just as a safety would.
A great quarterback can read defenses and adjust plays accordingly. Being agile and adaptive is crucial for cyber security as well. “If you think you’re secure today, you probably won’t be tomorrow,” said Billings. With an interconnected world and increasingly sophisticated attackers, it is important to stay current. It doesn’t really matter what you did in the past, it’s more important to have the capacity to change for the future.
This can’t be done alone, however. If the offensive line doesn’t adjust to a quarterback’s audible, there is confusion and the play will likely fail. To prepare your agency for cyber security, you need to get buy-in from staff, especially top management. This can be difficult when leadership views other issues as more pressing than “potential attacks”, said Haegly, but it’s key to try to convey why smart security policies are necessary with ever-growing, ever-present cyber threats. When approaching your director, it can also be very helpful to change the discussion away from FUD (fear, uncertainty, doubt) and instead focus on the business benefits of cyber, suggested Billings.
Sticking with the Run
Sometimes you just have to have faith in your running back. You may be gaining only a yard or two on each play but that consistency eventually opens up the defense to make big plays. A good coach knows his team inside and out. He knows when to stick to the basics and play the long game.
With cyber security, understanding your current state is essential to knowing where you’re headed, said Haegly. Knowing how your network “lives and breathes” is key to preventing bad actors from slipping through the cracks, Billings advised. Bad actors love to hide in the shadows, but if you know where those shadows are, you can shine light on them. Billings also emphasized “managing to normal.” When you know what “normal” looks like on your network, you can quickly identify and flag any abnormalities – or even better, automate the process to look out for such irregularities. Understanding your current state and threat vectors varies depending on the organization – just as one team’s “go-to” strategy will differ from another’s.
There is no way to be fully protected from cyber threats, just as there is no proven tactic to win every football game. So, whether it’s 250 pound linebackers or phishing attempts being hurled your way, the importance lies in preparation, agility, teamwork, and internal reflection to make the best out of uncertain and precarious situations.
For more recaps of GovLoop’s recent cybersecurity training, head here.
Photo: Flickr, Matt D Gardner