Experts cite risk management, strong authentication, CDM as tools to help protect assets.
The goal of cybersecurity is to protect data, wherever it might be, in order to facilitate agencies pursuing their missions. That is one important takeaway from a webinar hosted by Federal News Radio and FedInsider earlier this month on “Cybersecurity vs. Data Security: Government’s Two-Pronged Challenge.”
Dr. Ron Ross, National Institute of Standards and Technology (NIST), said that he has “never been able to separate the data from the system where it lives … I think what we’ve been missing is tied back to the mission of the organization.”
Ross suggested the value of the information, and agencies’ ability to protect it, has a direct impact on their carrying out their missions.
Bill Lay, CISO for the State Department, noted that addressing data security requires “a full-spectrum approach. It’s not just technology, not just data security – the people portion is huge.”
Ann Barron-DiCamillo, Director, US-CERT, Department of Homeland Security, noted that “the last 24 months of data breaches [show] the attack surface is growing daily. It’s not effective for agencies to just widen their nets to protect everything … We must protect what matters most.”
Which leads, of course, to the hot topic of risk management.
Risk management “is predicated on having the right stakeholders involved,” Ross said. “Sometimes the mission business owners who actually take the risks are not involved in the [security] decisions.”
He likened the balancing act of risk management – deciding priorities in protecting assets – to building an aircraft. “If [the plane] is perfectly stable, it won’t fly; if it is unstable, it has maneuverability.” The question becomes finding the right level of tradeoff.
Making sure stakeholders have a clear idea of their roles and responsibilities in cyber/data security pays dividends, Barron-DiCamillo said.
The 30-day cybersecurity sprint launched in June, in response to the major data breach at the Office of Personnel Management, saw tangible results, she said. “The emphasis was on strong authentication, two-factor authentication … Because of that increased focus, we were able to go from 42% to 72% [using it] in that 30 days.”
Ross agreed the cyber sprint was an excellent tool for sharpening cybersecurity efforts governmentwide. “We’re trying to step back from all these breaches and [see the big picture,]” he said. “The new technology is compelling to use, it makes us more productive, but at the same time one vendor’s new feature is the attacker’s” next opportunity.
The cyber sprint provided the chance to look at information flow, the use of technology, the requirements for cybersecurity, from the different stakeholders’ perspectives, he said. For instance, doing a stakeholder analysis shows that it’s very rare for a user to need access to an entire database at one time.
Agencies need to do a better job of architecting their databases, Ross said, to provide access to the portions users need, but keep them out of the parts they don’t. That can make the difference between a hacker walking off with 20 million records or a couple of thousand, he said.
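One way to build the partitioning Ross describes directly into the database, as an added PostgreSQL example that is not from the webinar or any agency system: column grants keep help-desk accounts away from fields they never need, and row-level security confines each account to its own agency's records, so a compromised desk credential yields a few rows rather than the whole table. Table, role, and column names are hypothetical.

```sql
-- Added illustration; the personnel table, the *_desk roles and the
-- role_agency mapping are hypothetical, not taken from any real system.
CREATE TABLE personnel (
    id         bigserial PRIMARY KEY,
    agency     text NOT NULL,
    full_name  text NOT NULL,
    ssn_last4  char(4) NOT NULL,
    clearance  text NOT NULL
);

-- One login role per agency help desk plus one audited bulk-read role.
-- None of them owns the table, so none can bypass the policies below.
CREATE ROLE agency_a_desk LOGIN;
CREATE ROLE agency_b_desk LOGIN;
CREATE ROLE breach_analyst LOGIN;

-- Column-level least privilege: desks cannot read clearance levels at all.
GRANT SELECT (id, agency, full_name, ssn_last4) ON personnel
    TO agency_a_desk, agency_b_desk;
GRANT SELECT ON personnel TO breach_analyst;

-- Row-level security is default-deny once enabled; FORCE applies it to the
-- table owner as well (superusers still bypass it, so keep them out of apps).
ALTER TABLE personnel ENABLE ROW LEVEL SECURITY;
ALTER TABLE personnel FORCE ROW LEVEL SECURITY;

-- Which agency a role may see is looked up server-side from this mapping,
-- never trusted from a value the client supplies.
CREATE TABLE role_agency (rolname text PRIMARY KEY, agency text NOT NULL);
INSERT INTO role_agency VALUES ('agency_a_desk', 'A'), ('agency_b_desk', 'B');
GRANT SELECT ON role_agency TO agency_a_desk, agency_b_desk;

-- Policy expressions run with the querying user's privileges, hence the
-- GRANT on role_agency above. Each desk sees only its own agency's rows.
CREATE POLICY desk_own_agency ON personnel
    FOR SELECT
    TO agency_a_desk, agency_b_desk
    USING (agency = (SELECT agency FROM role_agency
                     WHERE rolname = current_user));

-- Whole-table reads go through one separate role that can be logged and
-- alerted on, rather than being an implicit ability of every account.
CREATE POLICY analyst_all ON personnel
    FOR SELECT TO breach_analyst USING (true);

-- Constructed sample rows for trying the roles out.
INSERT INTO personnel (agency, full_name, ssn_last4, clearance) VALUES
    ('A', 'Alice Example', '1234', 'secret'),
    ('A', 'Arun Example',  '5678', 'none'),
    ('B', 'Bea Example',   '9012', 'top secret');
```

Connect as each role in turn and run the same SELECT against personnel to see the scoping take effect; a `SELECT *` from a desk role is rejected outright because of the column grant.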
The availability of Continuous Diagnostics and Mitigation (CDM) tools through the DHS contract is helping, but it is not a silver bullet, Ross said.
“[It’s] a great program, it provides a lot of benefits, but it’s only [addressing] one aspect of the problem,” he said. “As good as CDM is, … fundamentally this is a science/engineering complexity problem. There’s only so much complexity you can manage. We have to address the growth of the attack surface, [which is] as much a cultural issue as a technical issue.”
Lay said the State Department is moving into that realm. “We’re expanding our suite of CDM tools. We’re trying to blend in as seamlessly as possible with legacy architecture while trying not to drown in the sea of information.”