The Trump administration issued two significant reports in the last couple of months that attest to the state of the federal government’s cybersecurity posture. The Federal Cybersecurity Risk Determination Report and Action Plan noted that 74 percent of agencies that participated in the Office of Management and Budget’s and Department of Homeland Security’s risk assessment process have cybersecurity programs that are either “at risk” or “high risk.” Meanwhile, the National Cyber Strategy of the United States of America addressed steps that agencies should take to improve upon that assessment.
Together, the reports illustrate two fundamental factors that will be instrumental in combating those who would perpetrate cybercrimes against the U.S. Those factors — people and the technology they use — comprise our government’s best defense.
People: the first line of defense
People develop the policies and processes that drive cybersecurity initiatives throughout the government. Their knowledge — about the threat landscape, the cybersecurity tools available for government, and the security needs and workings of their own organizations — are essential to running a well-oiled security apparatus.
But finding those skilled individuals, and keeping them, is difficult. Since the government is committed to keeping taxpayers’ costs low, agencies cannot always afford to match the pay scales of private sector companies. This leaves agencies at a disadvantage when attempting to attract and retain skilled cybersecurity talent to help defend and protect national security interests.
There are several education initiatives underway that could help with this cyberskills shortage. The National Cyber Strategy report lays out some solid ideas for workforce knowledge improvement, including leveraging merit-based immigration reforms to attract international talent, reskilling people from other industries, and more. Meanwhile, the Federal Cyber Reskilling Academy provides hands-on training to prepare non-IT professionals to work as cyberdefense analysts.
Hiring processes must also continue to evolve. Although there has been progress within the DoD, many agencies still adhere to an approach that is dictated by stringent criteria, including years of experience, college degrees, and other factors. This effectively puts workers into boxes — this person goes in a GS-7 pay grade box, this other person in a GS-15.
While education and experience are both important, so are ideas, creativity, problem-solving and a willingness to think outside the box. It’s a shame that those attributes can’t be considered just as valuable, especially in a world where security professionals are continually being asked to think on their feet, and combat an enemy that both shows no mercy and evolves quickly to bypass an organization’s defenses. The government needs people who can effectively identify and understand a security event, react quickly in the case of an event, respond to the event, anticipate the next potential attack, and formulate the right policies to prevent future incidents.
Technology: providing the necessary visibility
Cybersecurity personnel cannot be successful without the proper tools, but many of them do not possess the technology necessary to protect their agencies. According to the Federal Cybersecurity Risk Determination Report and Action Plan, 38 percent of federal cyberincidents did not have an identified attack vector. Per the report, IT professionals simply don’t have a good grasp of where attacks are originating, who or what is causing them, or how to track them down.
Part of this is due to the heavily siloed nature of federal agencies. The DoD, for example, has many different arms working with their own unique networks. It can be nearly impossible for an Air Force administrator to see what’s going on with the Army’s network, even though an attack on one could impact the entire DoD infrastructure. Things become even more complicated when dealing with government contractors, some of who have been behind several large security breaches, including the infamous Office of Personnel Management security breach in 2014.
Some of it is due to the increasing complexity of federal IT networks. Some networks are hosted in the public cloud, while others are on-premises. Still, others are of a hybrid nature, with some critical applications being housed on-site, while others are kept in the cloud.
Regardless of the situation, agency administrators must have complete visibility into the entirety of the network for which they are responsible. Technology can provide this visibility, but it cannot be the garden-variety network monitoring solutions that agencies used 10 years ago. The complexity of today’s IT infrastructures requires a form of “network monitoring on steroids.” Administrators need to be able to effectively police any type of network — distributed, on-premises, cloud or hybrid — and provide unfettered visibility, alerts and forensic data to help administrators quickly trace an event back to its root cause.
Administrators must have a means of tracing activity across boundaries, so they can have just as much insight into what’s happening at their cloud provider as they do in their own data center. Further, they must be able to monitor their data as it passes between these boundaries to ensure that information is protected both at rest and in-flight. This is especially critical for those operating hybrid cloud environments.
None of this should be considered a short-term fix. It can take the government a while to get things going — after all, many agencies are still trying to conform to the National Institute of Standards and Technology’s password guidelines. That’s OK, though; the fight for good cybersecurity will be ongoing, and it will be incumbent upon agencies to evolve their strategies and tactics to meet these threats over time. The battle begins with people, continues with technology, and will ultimately end with the government being able to more effectively protect its networks.
Jim Hansen is vice president of products, security and cloud for IT monitoring and management software developer SolarWinds.