A new approach to federal cybersecurity, 2 years after the OPM breach

John Chirhart, the federal technical director of Tenable, argues for a fundamental change in the way agencies approach cybersecurity for the long-term.

Many feel the 2015 data breach at the Office of Personnel Management served as a wake-up call for the federal government. In many ways, it was more of a confirmation of what many had feared would eventually happen.

Last month marked two years since the disclosure of one of the biggest data breaches in U.S. history confirmed the theft of more than 18 million Social Security numbers and other personally identifiable information from the Office of Personnel Management. The issues that helped enable the OPM attack were brought on by years of confusing regulations, irregular budget cycles and a lack of proper oversight; compounded by the fact that change in information technology takes years, not days.

The initial response — a coordinated 30-day cybersecurity “sprint” launched by the Office of Management and Budget — was somewhat successful in implementing new security requirements, such as scanning for threat indicators, immediately patching critical vulnerabilities, and implementing two-factor authentication. The White House Cybersecurity National Action Plan established a new role of a federal chief information officer and requested a governmentwide cyber spending increase.

Two years later, we’re seeing promising attention to cybersecurity issues in the early days of the Trump administration. And yet, key cybersecurity positions in the current administration remain unfilled, including the federal CIO. The cybersecurity skills shortage continues to grow. Basic cyber hygiene remains a challenge. It’s apparent that while the cyber sprint was an effective short-term solution, thirty days isn’t enough time to overhaul and correct decades of unmanaged and outdated systems.

It’s clear that if we are to avoid another devastating breach, the U.S. needs a fundamental change in the way we approach cybersecurity on a long-term basis. Key areas include smart investments in technology, collaboration between the public and private sectors, and development of a highly trained security workforce.

The single biggest security challenge ahead of the new administration is prioritizing smart investments in security tools that help government organizations understand and reduce their cyber risk. Last year alone, 75 percent of federal IT budgets was spent on operating and maintaining legacy IT systems, many of which can no longer be patched or updated with new security capabilities. Instead of wasting resources on managing antiquated technology, agencies need to focus on updating their outdated and vulnerable systems.

Known but unpatched vulnerabilities are the main source of many successful cyberattacks and data breaches, yet cybersecurity policy focuses on things like state-sponsored hackers and emerging threats-of-the-day with exotic names like WannaCry or Industroyer. Organizations remain too focused on preventing the next advanced persistent threat zero-day vulnerability that they forget about the easy things like applying patches for outdated Windows XP systems. The minute we fall behind and neglect to patch our systems or set up user access and credential restrictions is the minute we become hopelessly exposed to adversaries of modern scale. This is evident in the success and increasing popularity of ransomware attacks.

Federal agencies need the right tools that enable them to discover every device and system on their networks, understand where they are exposed, mitigate known vulnerabilities and identify and prioritize new ones instantly. Two federal initiatives that call for proactively identifying assets and vulnerabilities are the NIST Cybersecurity Framework and the Department of Homeland Security’s Continuous Diagnostics and Mitigation program. While many agencies, including the Department of Defence (DoD), are adopting these programs, the process has been slow, and that’s dangerous because the adversary won’t wait.

IT and security modernization is key to keeping modern networks secure. Modernizing federal IT and security should be seen not as an obstacle, but as an opportunity to become more agile in our security and to regain control over the modern elastic attack surface. That can only be achieved when it is prioritized at the highest levels of government. Luckily, there is positive momentum in Congress towards helping agencies pay for new technology with the recently-introduced and House-passed Modernizing Government Technology Act (MGT Act), which would replace the traditional “use it or lose it” approach to IT budgets by “loaning” funds to agencies (from an IT Modernization Fund) which would be eventually paid back in savings accrued by new technology.

Collaboration between the public and private sectors is even more critical now with the exponential growth of operational technology (OT) in the federal sector. Supervisory control and data acquisition (SCADA), industrial control systems (ICS) and the Internet-of-Things (IoT) all contribute to a larger and more vulnerable attack surface of devices that often prioritize uptime and availability over security.

President Donald Trump’s recent cybersecurity executive order mandates that the federal government develop a plan to protect this critical infrastructure. It’s a massive and critical task that will also strengthen U.S. national and economic security. And it can only be accomplished through cooperation of both commercial and government entities in our modern global ecosystem.

We also need to ensure that recruiting, developing and maintaining a robust and well-trained cybersecurity workforce remains a priority. There’s an insatiable demand in the market for better, faster and more secure technologies, but it’s unrealistic to think the security workforce can scale quickly enough to support these efforts.

Hiring top talent simply doesn’t happen overnight—it requires a bold and innovative strategy for training, continuing education, and on-the-job skills development. It’s also important that we diversify our talent pool. We need to reexamine our approach to attracting and retaining cyber talent, to ensure we’re finding the right people—including women and minorities—to help us tackle modern security challenges in a creative and effective way. For example, as part of his modernization bill, Rep. Will Hurd (R-Texas) has proposed legislation that would create a Cybersecurity National Guard. College students would receive scholarships in exchange for working for the federal government after graduation. And once their service is complete, they can enter the private sector as cyber “reservists,” where they would periodically return to the government, perhaps during a cyber incident. A bold strategy like this can work in the private sector too, so long as organizations start thinking about ways to partner with students and young professionals by offering scholarships, internships, and continuing education incentives.

The OPM breach should mark the beginning of a new approach to cybersecurity in the federal government, where operational excellence is the norm, long-term solutions are prioritized, and investments in people complement smart investments in technology. As the IT landscape becomes more dynamic and complex, we must rethink and readjust our approach, focusing on what really matters — our national security.

John Chirhart is the federal technical director of Tenable.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

More commentary

    Jeff Neal

    Doubt that feds do great work? Here is proof they do

    Read more

    Memo to agencies: Here’s how to address President Trump’s ‘lean government’ plan

    Read more
    ICF Senior Vice President Jeff Neal

    Can Congress legislate morale improvements?

    Read more