In February, President Barack Obama proposed a budget increase of 35 percent for cybersecurity spending in the overall fiscal 2017 budget. Alongside the $19 billion ask, he also unveiled a new Cybersecurity National Action Plan (CNAP).
In the CNAP, he called for (among other initiatives) the establishment of a national cybersecurity commission, a $3.1 billion Information Technology Modernization Fund, the creation of a federal chief information security officer (CISO) position and a public awareness campaign that empowers Americans to secure their online accounts.
While there are a number of questions one could raise about the CNAP, I’ve used this column to focus on technology the government should invest in so it can actually protect critical data. Before I dive in, it’s helpful to understand the government’s past and present cybersecurity strategies, which have traditionally taken less of data-centric approach.
Modernizing our government’s computer systems is of utmost importance. Both President Obama and federal CIO Tony Scott have made their intentions clear. After all, antiquated systems are not compatible with modern security tools. An overhaul will also assist with cyber training, especially training revolving around combating 21st century exploits like phishing.
The federal government has taken several measures to bring IT and security in line over the past few years. Strategies include the use of cloud technologies, converged infrastructure, advanced analytics, next-generation firewalls and various forensic tools. But, there are limits: White House cybersecurity coordinator Michael Daniel has stated that while these solutions will improve the country’s cybersecurity footing, they will not completely stop attacks from occurring.
In March, we issued the federal government edition of our 2016 data threat report. The report, which is based on responses from IT security leaders working for federal agencies, paints a fraught picture. Ninety-percent of respondents feel vulnerable to data threats, while 61 percent have experienced a past data breach. Of that number, nearly one in five confronted a breach in the last year. Increasingly, it seems breaches are a fact of life for both the private and public sector.
But, it’s not all doom and gloom. The federal government has money, power and brilliant minds at its disposable. What matters is how all these assets are used. As stewards of critical federal information, our government leadership must turn towards protecting the rich “targets” that are sought by our adversaries. By “targets”, we mean data.
Officials need only look as far as the Office of Personnel Management breach to understand the gravity of this task. It’s a breach that stands to have major ramifications for years to come. State secrets, military and intelligence information as well as critical infrastructure are all at risk. Reaching the perimeter is simply a means to an end when it comes to accessing targeted data.
The government must take care to see the forest from the trees. That means not just protecting the perimeter, but the data that runs our country.
Building out a big picture cybersecurity strategy that embraces and prioritizes encryption and privileged access controls. This includes implementing a detailed discovery process to identify sensitive data and locking down access to it at both system levels (operating systems and file systems) and from within applications. This approach, which is best done with encryption, access controls to encrypted data and then monitoring of access patterns for privileged users is the best first step to take to limit the damage from penetrations to the network and extraction of data.
Fortunately, we’re seeing evidence that federal agencies are taking steps in the right direction. Our March report also revealed that 58 percent of respondents are increasing spending to protect sensitive data, 37 percent plan to invest in data-at-rest defenses this year, and 48 percent are looking to implement data security to follow industry best practices.
Nothing is an absolute in security. There is no perfect, black and white answer, nor am I positing that encryption is a holy grail. But, encryption with access-based controls has proved effective at removing many threat vectors associated with system administrators and root access. While it won’t stop all bad actors from gaining access to accounts, it will make life much harder for them.
Michael Daniel has gone on record as stating, “If we do not begin to address the fundamental cybersecurity challenges we face effectively, we risk cybersecurity and the Internet becoming a strategic liability for the U.S.”
We agree. The status quo isn’t working. It’s time to look beyond the perimeter and give data the attention its due.
Wayne Lewandowski is Vormetric’s vice president of federal operations, where he works with the company’s customers in the defense, civilian and intelligence communities. Lewandowski has spent more than 20 years working in the federal market with emerging integrators and technology companies.