No doubt, the government has evolved to keep pace with the 21st century tech boom. But plenty of challenges still exist today, and few are more pressing than those in cybersecurity.
Per the Government Accountability Office, between 2006 and 2015 reported cyber incidents rose from 5,503 to 77,183 — a staggering increase of more than 1,400 percent. Considering the diverse functions of government, that leads to a definite conclusion: Digital security must be treated by agencies across the board as an increasingly crucial topic.
Christopher Dorobek discussed the issue this afternoon, along with Ron Ross, a fellow at the National Institute of Standards and Technology (NIST), and Francesca El-Attrash, a staff writer at GovLoop. The trio went into detail on cybersecurity challenges and pointed to a handful of solutions for government bodies and private sector consumers alike.
Ross, who leads the Federal Information Security Modernization Act (FISMA) Implementation Project, said he believes that managing access points in the Internet of Things (IoT) remains among the most impactful.
As an example, he and Dorobek pointed to the breach of Target’s network, which resulted in the exposure of credit and debit card information from some 40 million accounts in 2013. The hackers pinpointed an unexpected entry point, by stealing credentials from a Pittsburgh heating and ventilation company, which had access to the network in order to monitor and maintain the store’s systems. From there, they infected the network at large with malware that stole user data.
Ross used the anecdote to reiterate his main point: If you’re looking to bolster your systems in 2017, double-down on cyber basics.
“The fundamentals never change,” Ross said, “it’s just how we apply them, and how we get smarter, that’s going to make a difference.”
A system is only as strong as its weakest link, he said. At the top of the chain sits the application; below that the middleware; then the operating system; then firmware; then integrated circuits; all the way out of the network. When these stages receive imbalanced attention, it opens the whole system to cyberthreats.
Agencies at all levels have worked to minimize these threats. For example, some have gone beyond basic awareness trainings and begun officewide phishing exercises, El-Attrash said. (“Phishing” refers to the illegitimate effort to acquire information by posing as a trusted entity in electronic communication such as email.)
But all the training in the world can't guarantee impenetrability, she explained. Agencies face a number of internal challenges to cybersecurity, including lack of training, lack of motivation among employees to stay engage on cyber topics, and a demand for cyber experts that outweighs the supply.
Last month, GovLoop published a relevant resource guide written by Catherine Andrews, senior director of editorial, titled “7 Cybersecurity Tactics to Watch in Government.” Those tactics were:
- Artificial intelligence and machine learning. This should assist a small cybersecurity workforce by carrying out tasks in “smart” ways from collected data.
- Big data and analytics. Keep an eye on where/how agencies choose to collect all their data for analysis and correlation, as well as automation.
- Innovative internal cybersecurity training. Agencies will continue to engage employees with game-based cybersecurity education.
- Bug bounties. A practice in which agencies pay experts to find flaws in their systems.
- Partnerships across borders. States will continue to work together in efforts to adopt a new cybersecurity standard.
- Procurement options. More chief information officers are pushing for the power to veto procurements that could threaten cybersecurity.
- Recruitment and retention. More agencies are focused on hiring skilled employees and retaining experienced ones, following the federal cybersecurity workforce strategy.
“Cyberthreats aren’t going away any time soon,” El-Attrash said. “So it’s really important that agencies keep pace.”
Recent federal actions — including the August American Technology Council report on IT modernization — have pushed the government’s tech efforts in the right directions, Ross said. Federal entities are working to simplify the infrastructure by, for example, standardizing the network acquisition support arm within the General Services Administration (GSA) and cutting back on parts that aren’t necessary.
Ross likened the situation to how virtually all football teams, whether amateur or professional, spend the first weeks of the season on tackling and blocking fundamentals. That’s what the government needs to focus on, he said.
For individual consumers, he posed a bit of somber but useful advice.
“Limit the amount of web surfing you’re doing — you have no idea if that website has been previously infected,” Ross said. “Be very conservative and expect the worst when working with email and web.”