Complexity and a Lack of Strategic Planning Undermine Our Government's Cybersecurity
Our Nation’s National Security Strategy highlights the danger of disruptive and even destructive cyber-attack vectors. Today, government’s cyber infrastructures are under increasing pressure from a variety of adversaries with a number of objectives, ranging from individual and organized criminals seeking financial gain, to nation states seeking political and military advantages, to activists and terrorists seeking to undermine basic values.
Complexity and a lack of multi-domain planning increasingly undermine our government’s cybersecurity. This situation does not have to continue. There exists the capability to protect the Nation’s data and cyber resources, but something is missing: strategic, risk-based cybersecurity programs that prioritize the Nation’s applications and data. Implementing this, however, means overcoming some particular challenges. Much like the space race in the 20th century, the U.S. needs a national program and timeline to address the critical issue of cybersecurity.
Why Is Good Cybersecurity So Hard?
Part of the reason is the rapid advancement of cyberspace and the corresponding, ever-evolving cybersecurity threats. Lone hackers have been replaced by highly motivated, well-resourced organizations, supported by a black market that commercializes the latest exploits, offers botnets as commodities, and provides a marketplace for stolen information. However, the primary reason defense is so difficult can be summed up in one word: complexity.
Most organizations have implemented a large number of security products to protect their environment. Industry and organizations chase the next dazzling product instead of forming and implementing a comprehensive roadmap or cybersecurity plan. As a result, they end up with so many products that there is not enough time to properly train their security professionals. Moreover, some newly purchased products remain in the box, unused. Resources continue to be used for extinguishing fires rather than learning how to prevent them.
Cybersecurity efforts are also primarily focused on protecting an enterprise by blocking attempts to penetrate the system from the outside in. While there is a logic to this approach, ultimately it is a losing strategy in such complex environments.
What Can We Do?
We need to take a different approach and look at the methodology from the inside out. When you’re looking at cybersecurity from the outside in, then you’re just trying to deny intrusions. However, if you approach cybersecurity from the inside out, then you can think about it from the angle of, “What are my most critical applications and data?”
To leverage this ‘inside out’ way of thinking, you can consider these lines of effort:
Risk-based Focus: It is important to develop a risk-based strategy instead of a compliance-based strategy. A risk-based program focused on the most valuable and vulnerable assets enables you to use finite resources to defend those assets that are most likely to be targeted.
Application Security Assurance: Applications are the primary target for hackers, and we estimate more than 70 percent of successful breaches are directed at the application layer. A robust application threat analysis service is needed to proactively avoid cybersecurity defects from the start; it also functions as an independent validation and verification of security requirements and architectural security resilience. The result is an application that is secure by design. Today, conventional application development methods discover only a small fraction of vulnerabilities.
Continuous Monitoring: Organizations need to migrate from periodic assessments of static security controls to continuous monitoring. For example, the Department of Homeland Security’s Continuous Diagnostics and Mitigation program supports continuous monitoring by making available a suite of off-the-shelf products to give real-time visibility into networks and systems. NIST’s Risk Management Framework also provides a risk-based approach to manage organizational risk for critical infrastructure.
Managed Services: Protecting IT resources is critical for every agency, but cybersecurity is not a core competency for most. Managed services provided by experienced, certified professionals can help agencies meet their cybersecurity requirements without the capital expenditures and manpower costs of in-house operations, freeing agencies to focus on their missions.
Data Security: Preventing the unwanted disclosure of data in motion, at rest, and in use is paramount. Organizations must implement data loss prevention solutions, including encryption and key management, web content filtering, database security health checks (which assess security vulnerabilities), email protection services, and end-to-end data protection. Agencies should also establish policies to identify and restrict critical and private data movement.
Defense-in-Context: Defense-in-depth has encompassed a continuing cycle of adding more and more layers of protection and security controls to protect an organization’s assets and resources. However, these layers and controls are often not integrated, and if the organization’s most critical assets sit at the core of those layers and the layers are breached, adversaries may exfiltrate those vital assets. In today’s world, these high-value assets are distributed, so your protection also has to be distributed around them. The context of those assets is more important than their location at the “center” of your enterprise. For this reason, defense-in-context takes the approach of leveraging all the security-related information available (location, device, access, behaviors, etc.) and integrating it to obtain situational awareness.
The Future of Cybersecurity
The history of cybersecurity has been reactive, with enterprises and security-solution providers struggling to keep pace with threats and vulnerabilities introduced by rapid changes in technology. Technology will continue to change at an ever-accelerating rate, but this does not mean cybersecurity must remain in a losing race to keep pace with threats. While compliance is the entry fee, it will not adequately protect an enterprise from threats. Application security, continuous monitoring, managed services, data security, and defense in context are essential, and we must remember that no one is alone. We are all in this together.
We must create an architecture that is resilient to these threats by enabling agencies to continue their business operations and service to our nation’s citizens. Think of it like installing brakes on a car. Brakes were not invented just to stop a car; they were invented so you could drive faster and more safely, slow down, and come to a complete stop if necessary.