As agencies inch towards more effective and efficient cybersecurity policies and practices, IT departments are often left with more questions than answers. Is a holistic approach best for my agency? How can I mitigate insider threats? What does the threat landscape really look like? You get it: the current cyber landscape is convoluted at best. Fortunately, there are cybersecurity experts ready and willing to help government organizations protect their networks.
Billington Cybersecurity recently hosted its 7th Annual Billington Cybersecurity Summit to discuss the state of cybersecurity, the challenges government is facing, and solutions that move towards a holistic approach. The summit brought together speakers from across the public and private sectors to share their expertise and offer their perspective on where we are with cybersecurity and where we need to go.
Here is what I gleaned from the discussions between these experts:
The 45th President will have their work cut out for them. As the new administration transitions in, it will have to consider four main cyber themes: international trade and digital commerce, cybercrime and law enforcement, critical infrastructure, and Internet freedoms. Key points from this discussion included establishing a framework that covers both security and privacy, making decisions on data ownership, and integrating cybersecurity into agency missions.
Additionally, the experts made it clear that the executive branch must start considering how it can help state and local governments with their cybersecurity efforts. Effective security at the state and local level is critical because of the sheer amount of personally identifiable information those governments hold. As at the federal level, addressing the disaggregation of IT departments across state and local agencies will be a critical item on the next president's cyber agenda.
Threats are as sophisticated as ever. Hackers are getting smarter. Whether it is a phishing attack, a malware intrusion, or an insider threat, attacks are becoming increasingly sophisticated and are often successful. One of the main points from this discussion is that legacy systems risk making it easier for malicious actors to get into an enterprise. The central issue with legacy systems is competing priorities within agencies: there are not enough resources and funding to satisfy current security requirements while simultaneously modernizing to keep up with growing threats. To counter this, agencies have to work around the lack of resources and find other ways to improve their cybersecurity efforts.
Insider threats are also particularly concerning. As one panelist put it, the insider threat no longer comes only from employees. Your insider could be a partner, someone in the supply chain, or a customer. Instrumentation and analysis are key to monitoring and countering these threats. Establishing what normal behavior looks like for each user or account, and being able to tell when activity deviates from that norm, lets agencies identify and address deviations before they have a negative impact on the organization.
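As an added illustration of the baseline-and-deviation approach the panelists describe (this is example code written for this page, not material from the summit or the original post), here is a small Python check over constructed access-log records. It assumes a log that records, per actor (employee, partner or supplier account) and per day, how many sensitive records were touched; the field names, the ten-day baseline window, the flagging threshold and the sample events are all assumptions made for the example. It learns each account's norm from the baseline window using a median and MAD (so one bad day in the history does not inflate the norm), then scores a new day against it, and separately flags accounts with no history at all, since a new supply-chain account is exactly the kind of "insider" the panel had in mind.

```python
"""Baseline-and-deviation check over per-actor daily access counts.

Added example, not code from the summit or the original post. The log
schema (actor, actor_type, day, records), the thresholds and the sample
events below are constructed for illustration.
"""
from __future__ import annotations

import statistics
from collections import defaultdict
from dataclasses import dataclass

BASELINE_DAYS = 10   # days of history used to learn each actor's norm (assumed)
MAD_SCALE = 1.4826   # scales the MAD to a standard-deviation-like unit
THRESHOLD = 4.0      # robust z-score above which a day is flagged (assumed)


@dataclass(frozen=True)
class AccessEvent:
    actor: str        # account name; may belong to an employee, partner or supplier
    actor_type: str   # "employee", "partner", "supplier", ...
    day: int          # day index within the observation window
    records: int      # sensitive records touched by that actor on that day


def daily_counts(events, first_day, last_day):
    """Sum records per actor per day over [first_day, last_day], zero-filling quiet days."""
    n = last_day - first_day + 1
    counts = defaultdict(lambda: [0] * n)
    for e in events:
        if first_day <= e.day <= last_day:
            counts[e.actor][e.day - first_day] += e.records
    return dict(counts)


def build_baseline(events):
    """Learn each actor's norm as (median, scaled MAD) of its daily counts.

    Median and MAD are used instead of mean and standard deviation so that a
    single bad day inside the baseline window does not inflate the norm.
    """
    baseline = {}
    for actor, counts in daily_counts(events, 1, BASELINE_DAYS).items():
        med = statistics.median(counts)
        mad = statistics.median(abs(c - med) for c in counts)
        spread = max(MAD_SCALE * mad, 1.0)  # floor so a flat baseline still has a scale
        baseline[actor] = (med, spread)
    return baseline


def score_day(events, baseline, day):
    """Compare one day's activity to the baseline.

    Returns {actor: {"type", "records", "z", "verdict"}}; verdict is "normal",
    "deviant", or "no-baseline" for accounts never seen in the baseline window
    (a new partner or supplier account deserves a look on its own).
    """
    actor_type = {e.actor: e.actor_type for e in events}
    result = {}
    for actor, counts in daily_counts(events, day, day).items():
        x = counts[0]
        if actor not in baseline:
            result[actor] = {"type": actor_type[actor], "records": x, "z": None, "verdict": "no-baseline"}
            continue
        med, spread = baseline[actor]
        z = (x - med) / spread
        verdict = "deviant" if z > THRESHOLD else "normal"
        result[actor] = {"type": actor_type[actor], "records": x, "z": round(z, 2), "verdict": verdict}
    return result


def sample_events():
    """Constructed log: ten quiet days, then a day with a supplier account pulling 400 records."""
    ev = []
    for d in range(1, BASELINE_DAYS + 1):
        ev.append(AccessEvent("alice", "employee", d, 20 + d % 3))        # 20..22 per day
        ev.append(AccessEvent("vendor-svc", "supplier", d, 5 + d % 2))    # 5..6 per day
        ev.append(AccessEvent("partner-bob", "partner", d, 48 + d % 5))   # 48..52 per day
    day = BASELINE_DAYS + 1
    ev += [
        AccessEvent("alice", "employee", day, 23),        # within the norm
        AccessEvent("vendor-svc", "supplier", day, 400),  # supply-chain account gone rogue
        AccessEvent("partner-bob", "partner", day, 55),   # a little high, still below threshold
        AccessEvent("ctr-new", "supplier", day, 30),      # never seen before
    ]
    return ev


if __name__ == "__main__":
    events = sample_events()
    scores = score_day(events, build_baseline(events), BASELINE_DAYS + 1)
    for actor, s in sorted(scores.items()):
        print(f"{actor:12} {s['type']:9} records={s['records']:4} z={s['z']} -> {s['verdict']}")
```

On the constructed data the supplier service account's 400-record day scores a robust z of 394.5 and is flagged, the partner's 55-record day (z about 3.4) stays under the threshold, and the never-before-seen account is reported as having no baseline rather than silently passing. In a real deployment the per-actor norm would be keyed on more than one dimension (hour of day, data category, source network), but the shape of the check is the same.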
With the right priorities these threats can be countered. The main priority for the C-suite has to be incorporating cybersecurity into the overall mission of the agency. Across state, local, and federal agencies, IT is relatively disjointed and rarely integrated into the agency mission. Many of the experts echoed that agencies need to clearly describe the security ends they are trying to achieve. From there, organizations can start developing rational security models and identify the tools needed to solve their security issues.
Looking forward, Federal CIO Tony Scott left us with three paradigms that must become priorities in order to improve cybersecurity in government. First, technical designs must shift to security by design. Second, how IT departments in the government are organized must be addressed; Scott emphasized that in order to foster cybersecurity, the federal government needs shared, scalable platforms. Third, how the government funds cybersecurity has to shift from keeping IT departments on life support to supplying enough funding to foster modernization and innovation. Scott concluded, “Whatever role you play in supporting the government, this is one of the most important issues facing our country today. As our government digitizes we need modern platforms that are more secure and more efficient.”
Here is another suggestion. On the GSA Schedule there are no SIC, SID, or NAICS codes specifically designated for cybersecurity products. We here at Access Smart can add an Enterprise Multi-factor Authentication Password Manager to existing PIV, PIV-I, CIV and CAC cards with no rebadging, while meeting all the FIPS 140-2 requirements. That sounds like the NIST list of recommendations in SP 800-63B. But this and many other great products on the market go unnoticed. Many cybersecurity solution suppliers like us get classified in areas like Other, Software Peripherals, or Hardware Peripherals.
There needs to be a high-level Cybersecurity code with sub-classifications that address each aspect: IAM, firewalls, pen testing, AV/AM software, password management, PKI, and the list goes on. Then Federal, State, and Local agencies and departments would start finding the solutions they need and know where the holes are. Today, it is a hit-and-miss approach, or whoever has the most salespeople walking the DC corridors.