A strong and cohesive commitment to cybersecurity is paramount to the U.S. federal government’s success in bringing its information technology (IT) systems into the 21st century. From the White House’s proposed 2021 budget, it’s clear our leaders take the need to fortify their systems seriously. Indeed, nearly $18.9 billion is reportedly earmarked for cybersecurity programs, including $9 billion for civilian agencies, critical infrastructure, securing the workforce and so forth.
This is a great start. But allocating budget for the mounting threats posed by government-sponsored hackers, digital criminals and other troublemakers will not, in and of itself, help government agencies modernize safely.
Today, one of the more common scenarios we see with government agencies, regardless of their size, is that there are pockets of excellence, but also silos where cybersecurity development needs to evolve. The difference often comes down to where federal dollars are going and the degree to which an organization deals in classified or sensitive data. To get the U.S. government’s IT systems where they need to be, agencies must collaboratively implement best practices around security purchases, policies and procedures, talent recruitment and partnerships.
This becomes even more challenging in the coronavirus era where many government employees are working from home and adapting to a new workstyle. Allowing employees to do their jobs off-site means that you can’t assume the cybersecurity implications are the same as if they were connecting from inside a government office. In fact, they’re not.
Anytime someone connects to a network from outside its secure firewall, they’re creating a world of potential vulnerabilities that can lead to cyberattacks. A recent OpenVPN study found one in three organizations (36%) have already dealt with such incidents due to unsecured remote devices.
If you’re able to overcome such security hurdles, the benefits to your organization and its employees can be quite high. Your workers won’t have to endure long daily commutes, sit in small cubicles or deal with daily office distractions. As a result, studies show these remote employees can in many cases be more productive. But, first, you need a strong security action plan in place.
In the private sector, companies tend to have one team responsible for most or all cybersecurity matters. Some organizations vest these duties with the Chief Information Officer (CIO). Others hand it to a Chief Information Security Officer (CISO), or Chief Data Officer (CDO). Rarely do they allow each and every business unit to determine their own cybersecurity path because they know it would be ineffective, especially when sharing data across the enterprise.
But that siloed approach is more common in the federal government. While high-level guidelines from the National Institute of Standards and Technology (NIST) lay out minimal requirements for federal information systems, most agencies march to their own cybersecurity drummers.
As those agencies increasingly migrate to the cloud and start sharing more information, the demand for a universal plan to maximize the security posture of every agency, not just a select few, is critical.
This plan will have to start with defense in depth. There are countless avenues hackers take into networks, from stealing identities to penetrating poorly defended endpoint devices, such as network printers and computers. There’s also human nature to contend with. People unwittingly make mistakes by clicking on the wrong things, sharing passwords or a host of any other activities that leave networks vulnerable to attack.
Agencies, therefore, must have a strong direction for the technologies, tools and training they adopt. And the barrier of prioritizing “good enough,” or lowest price technically acceptable (LPTA) technology must be removed. With cybersecurity, actual attacks often cost far more than an investment in necessary prevention programs or the critical hardware and software needed to protect their infrastructure.
More efforts are also needed to bring cybersecurity talent into government. This will be a difficult task given the fact there are expected to be 1.8 million unfilled cybersecurity jobs across the private and public sectors by 2022.
But that does not mean they shouldn’t try or that recruitment is an impossible task. Embracing new recruitment channels and unconventional strategies can alleviate the workforce gap. For agencies unable to pay as much as corporations, this could mean offering faster tracks for career advancement, more flexible hours or attractive international assignments. It could even involve developing talent at a college level through mentorship, internship and diversity programs.
In short: The government would benefit from a central cybersecurity leader who is thinking outside the box and driving toward a solution that money alone will not buy. When resources and human capitol are leveraged in meaningful ways, the threat of cyberattack becomes a problem that our public sector can, in fact, stay ahead of.
Partner with the Private Sector
Government agencies also need to accept that they don’t have to solve their cybersecurity challenges alone. Technology vendors have been forging cybersecurity alliances among themselves for years to address specific issues affecting them all. A while back, for instance, more than 40 tech companies banded together in an alliance called the Cybersecurity Tech Accord to declare they would not help any government launch cyberattacks against any “innocent civilians and enterprises from anywhere.”
Many of the participants in these consortiums are competitors in the marketplace, but still believe that by sharing their time, knowledge and mutual commitment to innovation, they can make a difference and solve problems. That same energy should carry over to broader and more aggressive public-private partnerships aimed at protecting government infrastructure in particular.
While cybersecurity challenges will never go away and the threats will continue to grow, it is possible for government agencies to proactively protect themselves. In fact, as an increasing number of them rely on digital and cloud services, they’re not going to have much choice. Together, agencies must step forward and take the reins to drive consistent and dramatic change at all levels of the federal government. That’s the only way to achieve the IT infrastructure modern times demand. As current events have dictated, solid planning can produce secure and real results.
Todd Gustafson is president of HP Federal and the head of US Public Sector.