Breaches are on the rise. Private entities are being hacked, again and again. And government agencies are not safe. Recently, Robert Anderson, executive assistant director of the Criminal, Cyber, Response, and Services Branch of the FBI, told the Senate Homeland Security Committee that if a federal department thinks it hasn’t been hacked, it is likely that they are simply unaware of the hack.
Unfortunately, the outlook continues to be bleak for cybersecurity and government agencies, according to several panelists at GovLoop's cybersecurity event in Washington, D.C. this Wednesday. Breaches are likely to continue to rise, and information will be compromised. Additionally, much of what the government has been doing to attempt to curb hackers is simply not working.
But there is hope. If government IT departments and cybersecurity employees can change their thinking about hacks and security breaches, a new mindset could help the U.S. government better protect the data of its citizens.
"Clearly our strategy from the first time I learned about information assurance in the 90s has been quite simple," said Ahmed Ali, Senior Account Executive for Networking & Security Business, VMware. "Let’s define who’s good. Who’s kinda good. And who’s everybody else. My primary methods of information security were basically to say 'I am going to build walls around the circles of trust and over time I will make them higher, or put in barbed wire, or a moat. And I’ll do all this stuff but not fundamentally change my architecture.'"
Ahmed said that it's time for that mindset to change -- and fast. "At VMware we think that the path to the future of information security is actually an architectural one, not a tools one. I want to go from an architecture where I create circles of trust to an architecture where everybody is untrusted. I want to go from a program where the primary focus is on preventing evil to a program where I assume the bad guys will be successful – and my primary goal is not just preventing the hack but also preventing it from spreading when it does come in."
Gina Scinta, Senior Solutions Architect at SafeNet, agreed. Her take? "We're at a new security reality – the secure breach. And it's not a matter of if it will happen, but when."
According to Scinta and a SafeNet survey, 66% of security professionals believe they will suffer a breach. And that's probably an accurate belief -- Scinta pointed out that since 2013, over 2.3 billion records have been breached, and that number keeps growing.
"A new mindset is needed," Scinta said. "Data is the new perimeter. Sole perimeter security is no longer enough. Insider threats are greater than ever. Breaches will happen and we must prepare differently."
Eric Brown, Senior Systems Engineer at Vormetric, and Nick Jovanovic, DoD Regional Sales Manager, stressed that data cannot defend itself.
"Traditional defenses are failing and security holes are being exploited," said Jovanovic. He pointed out that 822 million records were exposed in 2012, which was up sharply from 174 million in 2012.
"We need to reduce the impact of misconfiguration and other threats by firewalling data," said Brown. The two also stressed the need to safeguard data with privileged user access controls. "If a superuser is compromised or goes rogue, the impact can be severe, as they can destroy, steal, and manipulate," said Brown.
A Vormetric survey revealed that organizations feel significantly more threatened than they did just two years ago, with 54% of respondents feeling that insider threats are more difficult to protect against than in 2011.
Hopefully the development of a new mindset around cybersecurity efforts will have government agencies feeling more hopeful.