Over 90 percent of cybersecurity threats come through email, but only a fraction of security budgets are dedicated to the issue, said Tony D’Angelo, vice president of Proofpoint. And, he said, the most significant cybersecurity challenge for federal agencies is securing their people.
Proofpoint has a concept it refers to as “very attacked people” (VAP) – which is not necessarily a VIP. D’Angleo’s company works with agencies to identify VAPs within their organization.
“It’s relatively easy for cyber criminals to successfully hack an individual. They’re relying on people to unwittingly facilitate a crime. People are trusting by nature; they can easily be duped into opening malware, clicking on malicious links, entering login credentials, or other types of personal information,” D’Angelo said.
“The private sector is primarily a financial play – credit cards, personal information for identity theft …” and business email compromise, D’Angelo said.
The financial cyber threat called business email compromise happens when cyber criminals target employees who have access to company finances and trick them into making wire transfers to the criminal’s fraudulent bank account. The FBI estimates over $12.5 billion has been stolen this way.
But government hackers’ motivations are dramatically different. Their interest lies in stealing government secrets or intellectual property (IP) – and more recently – election rigging.
D’Angelo said many of these attacks are state sponsored by unfriendly foreign governments. Cyber criminals often target a federal contractor. “I’ve heard many government cyber experts say there’s a reason some foreign fighter jets look eerily similar to those of the United States Air Force and other defense agencies. It’s likely because a state sponsored bad actor targeted a VAP either by stealing their credentials or impersonating their co-workers and asking for design documents.”
Governments, over the years, have done a good job in securing infrastructure and making the attack vector more difficult and more complex. As a result, hackers have shifted their attention to softer targets – people. “The attack vector on people and through email is here and it’s here to stay for a very long period of time,” D’Angelo said. “Over 93 percent of attacks are on people, and of the attacks on people, 96 percent of those come through email. So clearly it’s a very successful attack vector for the cyber criminal.”
The move to cloud by federal agencies creates an additional concern. D’Angelo estimated 85 to 90 percent of the agencies Proofpoint interacts with have moved to Microsoft Office 365 or have plans to.
According to D’Angelo, “… It forces [agencies] to rethink all their cybersecurity initiatives … We’ve seen some very successful credential fishing campaigns which have allowed cyber criminals to gain access to accounts and sensitive information. With this data being offsite, that’s really all that they need. With someone’s credentials, you are effectively in, you are that person.”
A Proofpoint review of an agency would reveal the people being targeted, as well as the number and types of attacks delivered through email. “It’s a real eye-opening experience for the agency as it may not be an executive inside an agency, but often times it’s the administrative assistant of that executive who could be the target – sometimes greater by a factor of ten in the terms of the number of attacks,” D’Angelo said. By identifying the VAP, Proofpoint would work with an agency to put programs and policies in place to stop these types of attacks.
“If you asked every government chief information security officer (CISO) if they had enough budget for cybersecurity, they would say ‘no’, and in many cases that’s probably a true statement.” D’Angelo said agencies spend roughly 62 percent of their cyber budget on network and infrastructure security, but only a fraction on email.
D’Angelo said there is no one vendor who can do everything, but a single vendor in a major category can make sense. “You don’t need four or five vendors for email security particularly when the solutions tend to work together as a single system to analyze, identify, block and remediate threats.”
In October 2017, the Homeland Security Department released a mandate known as Binding Operational Directive 18-01, which forces civilian agencies to implement the Domain-based Message Authentication, Reporting & Conformance protocol (DMARC), a technology to authenticate email.
This directive is meant to prevent the cyber criminal from hijacking email and stealing money or technology inside an agency; from pretending to be a Congressional staffer and seeking campaign donations; or from spoofing a legitimate email domain and duping the user into clicking or entering sensitive information.
This past summer, Dana Deasy, CIO at the Defense Department mandated the adoption of the DMARC protocol for the entire department.
“It’s a great first step in trying to secure email. But one problem that I would love to see the government change is that these mandates come typically without funding or centralized management,” D’Angelo said.
He called for “mandates with teeth,” re-allocation of budgets to increase the spend on email security, focus on VAPs and an emphasis on greater security-awareness training.
“You have to assume that somebody is always going to open the piece of malware, click on the URL, go to the wrong site, and enter their credentials. With security awareness training, an agency can identify those more vulnerable, more fallible employees inside the organization, customize training for them, and prevent the attacker from coming in the front door in the first place,” D’Angelo said.
With more than 25 years of experience in the IT industry, Mr. D’Angelo currently leads Proofpoint’s global U.S. Federal business unit and has spent most of his career providing the U.S. Federal government with IT and cyber solutions to support mission critical defense and intelligence systems.
Under Mr. D’Angelo’s leadership, Proofpoint has established a strategy to support the government’s desire to move towards cloud solutions though federal certifications such as FedRAMP and Common Criteria as well as a strong focus on partnerships with federal systems integrators, defense contractors, and traditional service providers to offer Proofpoint’s cloud and on-premise solutions.
Mr. D’Angelo joined Proofpoint from EMC where he led one of three federal business units as part of a nearly $800M Federal organization. Prior to EMC, he led the Federal team at Polycom where he helped grow the business with a strong focus on security certifications and strategic programs. He has also held a variety of leadership positions at Brocade (formerly Foundry Networks) and Nortel Networks (formerly Bay Networks).
Mr. D’Angelo has been a member of AFCEA for over 20 years and is also a supporter of the Wounded Warrior Project, the Surfrider Foundation, as well as NIAF (National Italian-American Foundation). He is also very active in youth sports and has coached girls lacrosse since 2011 for the town of Vienna, VA as well as high school travel/club teams. He received his bachelor's degree from the University at Buffalo, where he studied mechanical engineering.
Strategic Content Development, State, Local, Federal, Federal News Network
John Thomas Flynn was the first Chief Information Officer for both the State of California and the Commonwealth of Massachusetts, and the former President of the National Association of State Chief Information Officers (NASCIO). Since 2006, he has been the producer and host of TechLeader.TV, a Webcast and television program in California focusing of government, technology and politics.
For three decades, he has been at the center of the renaissance to upgrade the public sector’s management and utilization of its information technology assets. He was appointed by Governor Bill Weld to be the Commonwealth of Massachusetts’ first Chief Information Officer (CIO), becoming arguably the first state CIO in the U.S. He also became the State of California’s first CIO appointed by Gov. Pete Wilson in 1995.
Prior to his to State CIO service, he spent over a decade with systems integrators where he led teams designing and developing scores of financial, statistical, and operational reporting application systems for public sector organizations throughout the U.S.
For over six years he served as an officer in NASCIO, the association which represents state CIO’s, and in 1997 he was elected their President. He was an advisor to Gov. Schwarzenegger’s transition team and the California Performance Review. In 2006 he created the nation’s first live video Webcast program on public sector technology issues WWW.TechLeader.TV, now seen by over one million viewers.
He has been a member of the U.S. Government Accountability Office’s (GAO) Information Technology Advisory Board since 1995, focusing on the federal government’s implementation of Clinger-Cohen Act which instituted CIO’s in federal agencies. He was a member of the faculty at Drexel University, College of Information Science and Technology, Sacramento Campus in 2008-2009, and also taught at Northeastern University and Emmanuel College in Boston. He served on advisory boards at the Haas School of Business, at the University of California, Berkeley, and at Sacramento State’s College of Engineering & Computer Science.
He served in White House-appointed positions in both the Reagan Administration and that of George H.W. Bush at the Federal Regional Council, a White House intergovernmental coordinating organization, and at the U.S. Department of Labor.
An acknowledged leader and visionary, he has written and spoken extensively on effective government operations, and government’s ability and capacity to successfully manage its information technology assets.