Like many large organizations with critical communications needs, federal agencies are adopting Internet of Things devices and related 5G wireless technologies to help meet their missions.
A survey published last year found 90% of federal agencies were already using 5G to some extent or had plans in place to do so.
But the interconnected nature of mobile telecommunication data also presents new threat vectors that nefarious individuals and groups could target. In recognition of those risks, the Defense Department and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency last year published a “5G Security Evaluation Process Investigation Study” for federal agencies.
Threats to data keep coming
The threats “have absolutely evolved,” Robert Williams, vice president for product go-to-market for emerging network security solutions at Palo Alto Networks, said in an interview.
“Researchers at Palo Alto Networks and across the industry are identifying new vulnerable points. The threats posed in these instances make them frequently the weakest links of an IT infrastructure,” he continued. “Adding to the threat posed is the reality that much of the data generated and transmitted in these cutting-edge use cases is unencrypted. The ubiquity of these devices and their often open access, including to bad actors, creates the ability for our antagonists to get their hands on them. From there they can develop attacks at the device level and move laterally across the agency and into the supply chain.”
Williams said some best practices are starting to emerge at federal agencies, particularly in the federal healthcare sector. One key is to ensure the IT and business sides of the organization are working closely together on products early on.
“We are witnessing that many new technology innovations, like medical devices, are coming to the IT stack from medical practitioners, or other advanced users. These innovations may not start within the CIO’s office or the CTO’s office,” Williams said. “It is imperative that these cross-functional teams share ideas and innovations. Agencies must gather this input for a comprehensive three- to five-year vision of the outcomes of this technology and how it will drive the mission forward. Central to this process is both an honest assessment of vulnerabilities and a plan around mitigating attack impact. These plans need to ask questions like: ‘If this attack were to happen, what would we do? How do we mitigate it? How will we reduce the attack surface?’ ”
Focusing in on data protections
Another important step is to identify and build a protection plan around “the crown jewels” of data, Williams said, which is another key challenge under the federal Zero Trust Strategy released last January.
“Agency leaders need to have full visibility into all the data that’s coming in and out of these devices, across the IT stack, across the internet and through the public cloud. With this visibility, agencies can bring in a solution to provide constant protection from outside attacks, even if they have not been seen before in their environment,” he said. “Another factor is acknowledging the worst-case scenario and baseline what their agency or their mission could live with in terms of what devices and data could get accessed. With that understanding, they can then identify what red lines they have in terms of what requires the absolute highest level of security and what can be accessed outside of their group.”
Meanwhile, the Biden administration’s new National Cyber Strategy observes how “the world is entering a new phase of deepening digital interdependencies,” with networked technology and software increasingly serving as the backbone of critical infrastructure.
Organizations are increasingly concerned about the supply chains underpinning critical software and operational technology. CISA is now establishing a supply chain risk management office to help agencies, industry and other partners dig into their technology dependencies.
“From a federal perspective, we’re seeing strong initial action and leadership,” Williams said. “Long term, this is a whole-of-nation approach. We have an opportunity to share best practices across government, industry, device makers — across our critical infrastructure and operational technology environments. This is imperative because we are unfortunately seeing significant attacks to critical underpinnings of our economy, for example to the utility and energy space or to the agricultural sector. I’m thinking of our food and water supply. We also are seeing, in the advent of smart cities, grave threats to innovation at the municipal level.”