The Government Accountability Office is planning to release a report in early fiscal 2022 about the cybersecurity impacts of technologies adopted in response to the pandemic. When government agencies shifted to mass telework, that presented a whole host of new challenges for IT personnel who weren’t used to having the majority of their endpoints outside traditional network boundaries, and catalyzed the current push to adopt zero trust.
“I can’t discuss the findings of the report necessarily,” said Jennifer Franks, director of IT & Cybersecurity at GAO, during an August 31 FedInsider webinar. “But it was obvious to us that the threat surface had indeed expanded for these agencies, with more employees working remotely. And that this was a risk agencies were willing to indeed accept to maintain the health and safety of their employees, among other reasons, during the pandemic.”
Franks said her team surveyed and followed up with select agencies on their experiences moving to maximum telework and implementing federal guidance, the tools they adopted, the cybersecurity challenges they encountered, and how they overcame them.
Franks said that in the near future, GAO will also expand its reviews to take into account recent pushes to improve supply chain risk management. She pointed to the SolarWinds incident and the Microsoft Exchange vulnerabilities as recent examples of how federal agencies can secure their own networks yet still be exposed through the software and services they depend on.
“So now not only do agencies have to worry about their network, but now we have to worry about the networks of the entities of supposed ‘trusted’ partners and suppliers,” Franks said.
She also said every agency should be implementing a zero trust architecture and proactive threat hunting.
“This is another area that you can no longer just be passive and reactive to,” Franks said. “If you take that stance, we’ll always be behind the eight ball and constantly chasing after the next threat, instead of releasing in front of it, or even at least in line with the next cyber security curves. And threat hunting really is a proactive measure, and it gives more visibility inside of an enterprise’s network. So if an agency could know what it needs to secure, it could know what it needs to monitor a little bit more efficiently and effectively to provide its goods and services for its customers.”
Some agencies are already acting on this advice; Mike Witt, associate CIO for the Cybersecurity & Privacy Division at NASA, said he is currently working toward a software-defined access network infrastructure, which will provide a framework for zero trust at the agency. And Gary Stevens, executive director of Information Services Policy & Strategy at the Department of Veterans Affairs, said VA is part of the National Institute of Standards and Technology’s zero trust lab team through the National Cybersecurity Center of Excellence.
One thing both agencies are working on as part of those efforts is endpoint detection and response (EDR) capabilities. Stevens said that is not an easy task at an organization as large and complicated as VA, with varied considerations like telemedicine, HIPAA and electronic health records thrown into the mix. Part of dealing with those added complications is ensuring that all the data being collected is integrated into the EDR capabilities so it can actually be understood. That integration lets predictive analytics come into play, which in turn helps navigate the complexity of the network and reach the point of being proactive rather than reactive.
“The nugget that we all want to get to is how can you apply that predictive analytics capability and make sense of it through an integration of all these tools and all the various data elements that they’re collecting, so that you can understand those patterns and then address them accordingly to identify those anomalies,” Stevens said.
Witt said that to get to that point, agencies need to test EDR solutions on their tangible functionality, such as ensuring they can be managed from an enterprise deployment, especially in sensitive areas of the infrastructure. Another thing to look for is whether the solution supports blocking access to certain areas for certain users, so that those who don't need it don't have access to the entire system, or the ability to block certain users outside of specific timeframes, so that they can only access the system on weekdays.
“Make sure your EDR solution not only meets your cybersecurity requirements, but also make sure that it is properly designed with the functionality to support your day to day system administration, operations and maintenance requirements as well,” Witt said.