In the latest Public Sector Cybersecurity Survey Report conducted by SolarWinds, 400 public sector IT professionals were surveyed and asked to identify today’s top threats facing the federal government. For the first time in five years, the general hacking community was named the largest source of security threats for the federal government, as opposed to insider threats, which came in second. Foreign governments were listed as the third-largest security threat.
As cyber threats continue to evolve, public sector agencies must adjust their defense strategies to stay ahead of the curve, including adopting Zero Trust practices and a commitment to invest in IT cybersecurity solutions as outlined in the recent White House Cybersecurity Executive Order. Here are three ways agencies can prepare to protect against the risk posed by the general hacking community and foreign governments while continuing to make progress against insider threats.
- Cooperation and collaboration between the public and private sectors. The White House Cybersecurity Executive Order stresses the importance of public and private sector collaboration to enhance the safety and security of federal IT infrastructure. It emphasizes that the private sector must adapt to changes in the threat environment and work with the federal government to create a more secure cyberspace, while putting the onus on the government to lead the efforts in data security. It also outlines working groups and adopts existing National Institute of Standards and Technology (NIST) guidelines as formal instruction for agencies to follow.
The Order covers various topics, such as sharing information about threats, working more closely with private companies and other government agencies, and sharing best practices. While information sharing is essential to protect against cyberattacks by foreign governments, it will take the combined effort of the public sector, contractors, and the online community to make this work. The federal government relies on a vast network of IT and software service providers—many of whom have unique access and insights into cyberthreats and incident information on public sector systems.
In recent years, this information has rarely been shared with agencies investigating cybersecurity incidents, and removing these barriers is an essential goal of the Cybersecurity Executive Order. The public and private sectors can work towards this collaboration by sharing risk insights and remediation best practices. The more transparency and communication we have across public and private organizations, the more secure we’ll be.
- Adopting a standard federal government cybersecurity playbook. The Administration has charged the Cybersecurity and Infrastructure Security Agency (CISA) with developing a standard set of operational procedures for planning and conducting vulnerability and response activity. As a result, CISA created two playbooks: one for incident response and one for vulnerability response. The playbooks are based on NIST standards, which agencies can use to shape their defensive cybersecurity operations. The playbooks also serve as a helpful guide for state and local organizations and critical infrastructure partners, further enhancing cooperation with private industry.
However, the playbooks don’t cover every situation. For example, CISA’s incident response playbook only applies to “major incidents” such as credential access, data exfiltration, and network intrusions. It doesn’t cover other incidents that can escalate quickly, like phishing attacks or malware infections, so security and risk leaders must be proactive. Leaders can’t wait for a major incident to happen; they should implement workable models for detecting and responding to all cyberthreats.
Organizations need buy-in from top to bottom for the CISA playbooks to be effective. The playbooks must also be tested and exercised, so everyone knows their roles and responsibilities. Perhaps most importantly, every playbook must evolve to keep up with the changing landscape of cybersecurity threats.
- Early detection. One of the Administration’s top priorities is detecting and fixing cybersecurity vulnerabilities and incidents as quickly as possible. However, this process can be difficult due to the expanding federal IT infrastructure—which includes cloud and remote environments—and the many tools needed to monitor these systems. In fact, 25 percent of survey respondents said complex tools or solutions had hindered their ability to detect and remediate security threats. And 31 percent stated a lack of data collection has been a major obstacle in this area.
Centralized monitoring technology is vital for detecting and responding to cyberthreats across government networks. A first step toward complying with the Order is to employ modern security information and event management (SIEM) solutions. SIEM tools can gather logs from thousands of sources in hybrid environments and watch for suspicious activity 24/7. They can also automatically trigger an incident response plan, which is key to early detection and resolution.
To combat these emerging cyber threats, a whole-of-society approach is crucial. Protecting our government and citizens alike requires a concerted effort, meaning agencies, private companies, and other industry stakeholders must come together to understand the best ways to collaborate. The need for collective action to combat cyber threats has never been greater.
Brandon Shopp is Group Vice President, Product at SolarWinds.