Over the past year, resiliency – or the ability to withstand and recover rapidly from adversity – has become increasingly important to support federal agencies that are delivering on the mission in an increasingly fragile world, between an onslaught of cyberattacks, climate change-fueled natural disasters, and unconventional stresses, shocks, and threats to our economy and democracy. During this year’s RSA Public Sector Day, cybersecurity leaders from RSA, Department of Defense, NIST, and Tenable discussed how agencies and departments have become more resilient in response to the COVID-19 pandemic among other cyberthreats.
Dr. Zulfikar Ramzan, Chief Technology Officer at RSA, discussed how agencies should look at their risk posture, security operations posture, and identity posture in order to succeed in mission delivery in the future. This past year, agencies have grown their resilience by learning how to operate remotely. Ramzan hopes that agencies continue to deliver on the mission remotely and “move forward despite the challenges around us” to “build better systems to engender trustworthiness.”
Government Resiliency: Yesterday, Today, and Tomorrow
“It’s not a question of if your network is going to be breached by an intruder, be it state or non-state, it is a question of when,” shared James Sullivan, Defense Intelligence Officer for Cyber at the Defense Intelligence Agency (DIA). As an agency’s digital capabilities grow, it needs to be prepared for threats and attacks. Instead of just increasing defensive or offensive capabilities, Sullivan recommends that agencies develop a comprehensive understanding of their architecture, which is the foundation for security and resiliency.
Ron Ross, Fellow at NIST, added that when agencies “understand what’s on the network, every component in the system, and the level of trust, agencies can look into the supply chain and enforce discipline and structure in the system.” By understanding the network, agencies will be ready to defend against all manner of threats, especially since “there are no rules of engagement in cyber yet,” said Sullivan. With attacks only getting worse, both in number and impact, agencies must start now on building resilience.
Government Supply Chain: Not Just an Afterthought Anymore
When it comes to supply chain risks, agencies need to be able to rely on each other and on System Integrators, contractors, and vendors to practice good cybersecurity and good cyber hygiene. NIST’s Angela Smith suggested that agencies build supply chain risk management into practices and relationships. Today, agencies must trust without verification in order to deliver on an increasingly complex mission.
On reducing supply chain risks, Kanitra Tyler, Supply Chain Risk Management Service Owner at NASA, noted that while agencies need to understand their networks, industry partners have their own responsibilities. She added, “with information sharing working groups, agencies can have bidirectional communication, which will increase the level of comfort.”
Government Cloud and Digital Modernization: Challenges and Opportunities
Marianne Roth, Chief Risk Officer, Consumer Financial Protection Board, commented that “collaboration and coordination with industry partners, but also within the organization itself, is critically important” for agencies to build security and become more resilient. She said that “taking a value-based approach and understanding the enterprise impacts technology modernization has on achieving objectives is critically important” for agencies. While these partnerships are valuable, agencies need to establish trust and communication.
But what is also essential is the idea of collaboration across agencies to establish norms, or best practices, for what security means and what makes an agency resilient. Michael Watson, CISO, State of Virginia, acknowledged that the adoption of a Zero Trust architecture is growing, but that it could benefit from a common definition. “We rely on each other’s services, but it is unclear how much trust exists,” said Watson. To build trust and find that common definition, agencies need to look towards the interconnections and make sure partners are on the same page with how much reliance and trust there should be in the specified technology. Concluded Watson, “as we modernize and introduce more into our environment, if we don’t do this, we’re setting ourselves up for failure.”
With a clear focus on building resilience through good cybersecurity hygiene and practices, this year’s RSA Public Sector Day helped federal, state, and local government agencies set a course to deliver on the mission more securely in the future. To achieve this goal, agencies first need to understand their network architecture and their supply chain. With this knowledge in hand, agencies will be better positioned to defend their networks and be more resilient in the face of the unrelenting cycle of cyberattacks.