Securing the nation’s data, information assets, and digital infrastructure is shaping up to be one of the most important issues for the new Administration. While information security and integrity have been top of mind for many years, there is concern that current defensive cyber strategies are not up to the task of mitigating the persistent threats or securing legacy infrastructure. The issue has assumed a heightened degree of importance as nation-states work to step up their cyber operations. Curious to find out how federal agencies should be approaching information security, we caught up with CSRA’s Chief Technology Officer, Yogesh Khanna, to get his perspective on this issue. Here’s what Yogesh shared with us:
Federal Technology Insider (FTI): The Acting CIO of the Department of Commerce, Rod Turk, quipped at a recent event that: “We always used to say there’s no sure thing but death and taxes, but there’s a third thing — it’s cybersecurity.” Why is ensuring information security and integrity such a hard task for federal agencies?
Yogesh Khanna (YK): While all organizations have to defend against cyber threats, federal agencies are especially enticing to bad actors as high value targets because of an abundance of valuable information. Additionally, data is often stored and transmitted via legacy systems, increasing the likelihood of a successful attack.
These factors alone make ensuring information security and integrity a very hard task. But then add in the lack of a sufficient workforce, the complexities introduced by working with subcontractors, accidental information exposure through untrained workers, and you can see why it becomes a real challenge.
Despite all these obstacles to ensuring the security and integrity of data and infrastructure, federal CIOs and CISOs are fully engaged in the fight and are doing their best. To enhance their efforts, we recommend increased focus in these critical areas: cyber risk mitigation, improving detection and reducing what is being referred to as “dwell time” (which is the amount of time an attacker can go undetected in a network), and maturing processes.
FTI: You mentioned dwell time – or the time an attacker can go undetected on a network – can we talk about that a little more? It used to be that the primary concern of agency cyber teams was keeping malicious actors out, but there seems to have been a shift in perspective where it’s accepted that these bad actors will get in, but that the primary objective now should be limiting damage. Is this a more viable strategy?
YK: Unfortunately, because of sophisticated social engineering techniques and technical flaws like application vulnerabilities, it’s far too easy for malicious actors to gain access to federal systems. Having said that, however, I don’t think we should give up on the goal of keeping actors out and only focus on limiting the damage. Federal IT leaders need to formulate a hybrid approach. There should always be a strong perimeter defense strategy in place supported by a secondary in-depth strategy to prevent these bad actors from gaining access to more critical assets and moving laterally around the network.
The most viable strategy is to employ a layered, risk-based approach to mitigation, focusing on critical data and assets with active monitoring of those systems. No cyber team should be passively waiting for a malicious actor to trigger an alert; actively hunting threats is a more vigorous approach.
One of the hardest threats to mitigate – insider threats – is also one of the most pressing for federal agencies. Not all insider threats are intentionally malicious, but the unintended consequences of even the most accidental violation of an information security policy can have extremely damaging consequences for a federal agency—and the consequences are high. To counter these threats agencies should be looking at next-generation solutions in the areas of behavioral analytics, identification and access management, and, most importantly, real-time user education.
FTI: What role does the shortage of cybersecurity experts in the federal government play in the cyber challenges faced by federal agencies? What are some strategies that CIOs and CISOs can use to ameliorate their agency’s staffing shortages?
YK: It is often said that robust security is a combination of people, process, and technology. The reason that people are first in that list is because cybersecurity experts are the best frontline defense you can have. A well-educated and trained workforce with the requisite knowledge and skills is paramount to running a successful cybersecurity program. However, the reality right now for the federal government is that there is a significant shortage of those highly-qualified personnel. Not only is there a perennial shortage of skilled workers in this area, but agencies have to compete against private sector employers.
But CIOs and CISOs should not lose heart; there are many ways to improve staffing and execute a cyber workforce development strategy. Working with private sector organizations that have expertise in targeted training and education can provide a simple pathway to an ameliorated workforce. When evaluating vendors look for ones that have experience in training government cyber teams and whose courseware is aligned with operational methodologies, processes, and procedures. Once methodology is established, it is easier to transition to training on tools that emulate real-world operations and build a workforce internally that can be part of cyber mission defense.
From this position of strength, agency information security leads can then work on intra- and inter-agency mentoring to build capability and create the opportunity to invest in serious recruitment efforts. It’s vitally important to understand the motivations and professional goals of your cyber professionals and how their motivations may differ from other agency workers. In order to develop cyber teams that will be around for the long haul, it’s imperative to provide professional development and ongoing opportunities to enhance knowledge and skills.
FTI: Earlier, you mentioned the role played by legacy IT systems in leaving federal systems exposed to risk. With the Modernizing Government Technology Act (MGTA) on hold for now, what steps can agencies take now to mitigate the risks posed by legacy systems?
YK: Legacy systems are one of the most significant vulnerabilities for national cybersecurity. While there might not be any immediate financial relief in sight to enable the replacement of legacy systems—some up to 50 or 60 years old—that pre-date the concept of cybersecurity, it doesn’t mean there can’t be some element of security wrapped around them.
To my way of thinking, the best approach in a legacy environment is to take a risk-based approach that enables the prioritization of critical data and urgent agency need. Once a risk-based asset inventory is in place all manner of decisions can be made—from where to store data so it’s most secure, to re-architecting design to support a layered defense strategy.
Once again, hands-on education and awareness training for all agency workers – not just security professionals, but also programmers, administrators, and power users of each system – is a vital part of this approach. Involving the entire staff in the cybersecurity process is a cost-effective, efficient, and easy-to-implement strategy. Other effective low-cost, high-impact strategies include paying close attention to NIST guidelines, Department of Defense and Intelligence configuration guidelines, and the OWASP (Open Web Application Security Project) guide to build, design, and test web applications and services. In taking all these steps, it becomes possible to see where there are gaps that need to be filled by new technologies, processes, and approaches.
There’s no need for agencies to throw their very limited budget dollars into a vast abyss and hope that their cybersecurity posture improves and their information security risks decrease. By understanding the current threat environment, conducting an inventory of assets and information, and optimizing current investments, agencies can mitigate the negative effects of legacy systems on their security. To put this in a real-world context, CSRA recently collaborated with Splunk and Palo Alto Networks to demonstrate how this strategy would enable a certain government agency to discontinue use of duplicative tools, reduce licensing costs, and improve their cyber posture—all while decreasing spend.
FTI: Yogesh, do you have any final thoughts to share with our readers?
YK: I think the most important thing for federal CIOs and CISOs to remember is that while both the threat environment and budget situation look bleak and foreboding, there are still reasons to be optimistic. Start by going back to basics: good cyber hygiene, an inventory of assets, and understanding the risks you face. Then do the work: implement cyber training and education and reduce your agency’s attack surface through virtualization and moving to the cloud. And then, bring in collaborators from the public and private sectors to help strengthen your overall position.