How Do We Solve Government Cybersecurity?
This article originally appeared in Volume 2, Issue 3 of <theScript> Quarterly digital magazine.
Cybersecurity at all levels of government has reached a critical tipping point.
August 2016 was one of the first dominoes in a series of events that would bring the world into a new era. A hacker group known as the Shadow Brokers claimed to have infiltrated IT systems belonging to the U.S. National Security Agency (NSA). Then, in April 2017, they released a host of alleged NSA hacking tools and exploits, one of which was later used to perpetrate the now infamous WannaCry and Petya ransomware attacks.
NSA officials eventually traced the WannaCry computer worm back to North Korea. Flaws in the ransomware’s code prevented anyone from collecting its ill-gotten gains — which strongly implicated or even confirmed involvement. But the fallout from the leaked exploit didn’t stop there.
About a month later, Petya launched, along with its many variants. More advanced than its predecessor, it struck hard in Ukraine. Although Petya used the same leaked exploit as WannaCry, it’s possible it had an even more nefarious purpose. The timing of its release and its similarities to malware used by a hacking group with ties to Russia have led some analysts to suspect Petya was part of a Russian-led cyber offensive aimed at wreaking havoc on Ukraine’s infrastructure.
The age of cyber warfare is here, and government cybersecurity officials are struggling to hold the front lines.
Assessing current cybersecurity risks
Security incidents involving public sector IT systems have become a growing pattern. According to a report by the Institute for Critical Infrastructure Technology, government data breaches increased by 40% in 2016. But what can be done to reverse this alarming trend and ensure critical U.S. infrastructure is protected?
Assessing IT security risks associated with current systems might be the best place to start. A May 2016 report by the U.S. Government Accountability Office found federal agencies spend more than 75% of their IT budget on maintaining legacy systems, many of which are no longer supported and have gaping vulnerabilities.
Replacing outdated technology that can’t keep up with emerging cybersecurity threats is imperative for the public sector. But it’s also important to prioritize modernization of government IT systems that will have the greatest impact on security and efficiency. And to do that, you need a clear view of the bigger picture.
However, many public sector IT decision-makers struggle to address overall problems and systemic issues — and have to stretch their resources just to meet individual compliance requirements.
Robert Powell, senior adviser for cybersecurity in NASA’s office of the chief information officer, believes decision-makers must do more than check off a list. He was a panelist at the AFCEA Energy & Earth Science IT Symposium in July, where he spoke about this issue.
“I think that you can get so overly focused on compliance and trying to get a good grade or a good score, or be green or what have you, when really what we need to be focused on is risk. Why do we have compliance? Well, it’s to manage risk. If you forget that basic principle of how do I manage risk, why do we even have a risk process in place?” he said.
“Compliance has its purpose. I get that. We have to report out on that. But if we’re going through compliance exercises at the expense of not focusing on risk, then that’s a broken model,” he added.
Moving to the cloud
Government agencies are quickly coming to realize the benefits of cloud computing. Cloud-based email, videoconferencing and file management tools boost collaboration and productivity on the go, empowering a more mobile workforce. Cloud data storage and virtualization unlock IT agility and eliminate silos, enabling systems to scale quickly to meet changing needs. Yet, agencies have been slow to make the transition. So what’s holding them back?
Respondents to a 2017 survey by the Center for Digital Government cited security and privacy concerns (41%), legacy systems (32%) and a lack of financial resources (32%) as top obstacles to cloud adoption, as depicted in Figure 1.
However, cloud computing can address these concerns, too. By simplifying IT management and reducing or eliminating the need for on-site server maintenance, cloud solutions significantly reduce IT equipment costs and free IT staff to handle more pressing needs. When it comes to cybersecurity, agencies must still perform due diligence in evaluating providers, but adopting a cloud-based model can actually enhance IT security.
The foremost example of a cloud solution tailored to address the concerns of the public sector is Microsoft Azure Government — a physically isolated instance of the Azure platform built exclusively for government clients and their solution providers. This includes mission-critical security and compliance services, such as Federal Risk and Authorization Management Program (FedRAMP) and Department of Defense (DOD) compliance certifications, Criminal Justice Information Services (CJIS) state-level agreements, the ability to issue Health Insurance Portability and Accountability Act (HIPAA) Business Associate Agreements, and support for IRS 1075. In fact, Azure Government offers some of the most comprehensive certification options available, most of which are tailored to U.S. federal, state and local compliance standards.
As an added layer of protection, the hardened, georedundant data centers devoted to Azure Government are all located in the United States at least 500 miles apart from each other. They’re staffed exclusively by U.S. personnel who have passed extensive background screenings. In addition, Azure Government supports multiple hybrid scenarios for building and deploying solutions on premises or in the cloud.
Cloud services can also be leveraged to improve constituent services. According to a Microsoft case study released in April, the state of Indiana used the Azure Government platform to provide a one-stop portal for citizens with access to business licensing, tax payment and unemployment benefit services.
Leveraging automation and machine learning
Cybersecurity talent is in short supply these days — and not just in the public sector. While an increasing number of initiatives have been launched to grow the IT security workforce, advanced cybersecurity solutions have also emerged that could close the talent gap and drive greater efficiency through automation and machine learning.
In today’s threat landscape, a security breach can come in many forms, rendering traditional monitoring tools and anti-malware software insufficient to protect sensitive government data. Detecting and responding to an attack in as little time as possible will be vital to protecting critical infrastructure, as Renee Wynn, chief information officer at NASA, explained during a Federal News Radio panel discussion in July.
"Cybersecurity needs to be moving from compliance ... to absolute resilience. It is not [a question of] if you're going to have an attack, or if you're going to lose power ... it's when you're going to do it, and can you recover, and how quickly can you recover, and are you getting an email to the men and women in arms in fast enough fashion to protect them and to protect this nation," she said.
IT security teams are often overwhelmed by the high volume of security alerts they receive from traditional solutions. And without a way to triage which alerts are the most serious, malware has a chance to slip through.
Software that can analyze threats, take action where appropriate and alert IT personnel to only the most relevant threats can significantly unburden IT security teams. While false positives are sure to occur, machine learning systems collect and analyze feedback from users and adapt and optimize alerts over time. Leveraging the power of automation and machine learning to reduce the number of alerts cybersecurity workers must address is essential in transitioning from a reactive to proactive cybersecurity approach.
Security software, such as Symantec Advanced Threat Protection (ATP), can help government agencies address IT security across endpoints, networks and email — all from a single console. By prioritizing the most critical events, minimizing false positives and providing a consolidated view of threats across multiple control points, ATP drives greater efficiency and enables IT teams to work more productively. When a threat is identified as malicious, Symantec’s platform also provides immediate containment and remediation.
Approaching cybersecurity from all angles
Vulnerabilities in IT infrastructure at any level of government won’t be solved with a single solution. IT and procurement in the public sector will have to embrace a multifaceted approach to get systems on the right path. And because government doesn’t exist in a vacuum, especially not in today’s connected world, agencies will need to consider how to develop mutually beneficial partnerships with the private sector.
Communication and education will also be integral to transforming government cybersecurity. Agencies can learn from the example set by Ohio’s efforts to develop cybersecurity skills in its schools and communities and to foster greater communication and cooperation between offices when new cyberthreats emerge. States should also watch to see what lessons can be gleaned from Nevada’s new Office of Cyber Defense Coordination, created to ensure state systems are prepared to repel cyberattacks and to act as a resource for both the public and private sectors.
Determining which solutions will have the highest impact on system performance and productivity must still be tempered by the need to simultaneously address compliance issues and work within budgetary constraints — without losing sight of the bigger picture. While many cybersecurity providers stress the importance of preventing complex, zero-day threats, the majority of attacks don’t spring from the unknown. It’s vital that government agencies continue to work toward protecting systems against known threats and patching known vulnerabilities — something too often forgotten by the public and private sectors alike.