In 2015, two cybersecurity breaches at the Office of Personnel Management prompted the federal government to take steps to ensure that personal information will not be compromised in the future.
Most of that work, however, was basically closing the barn door after the horse had run off. The General Services Administration (GSA) moved quickly to award government-wide Federal Supply Schedule Blanket Purchase Agreements (BPA) for identity monitoring, and data breach response and protection services. According to the GSA, the BPAs have an estimated value of $500 million.
So we are spending $500 million to deal with the aftermath of the breaches (and possible future breaches), but somehow we never have enough money to prevent these breaches in the first place. That raises the question: where was that money before the problem?
Well, of course, that’s a line item that is difficult to get through the federal budgeting process. In these austere days, Congress isn’t likely to provide “mission to the moon” funding to pre-empt possible problems.
And yet possible problems, as we have already seen, are increasingly likely as we rely more on IT infrastructures that may not be up to the challenge of increased use. The hard truth is that many IT systems in both the public and private sector were designed in the storybook days before cybersecurity became an issue. Federal programs that depend on IT infrastructure also tend to have complex supply chains, which can make systems vulnerable to things like clandestine listening, pattern analysis and distributed denial of service (DDoS) attacks.
Down the road, better coordination between technology vendors and buyers before the acquisition process will be able to stem some of the cyber tide (more on that later). That’s great for future purchases, but what do we do in the meantime with what we have now?
Defense in depth – a moat to defend the castle
The right approach to security in IT infrastructure begins by accepting that stopping every cyber attack is an impossible goal. Similarly, static security certifications and “set-and-forget” IT systems are a thing of the past; we need to continually rethink access controls and vulnerability patching.
While technology vendors continue working on making their products and components less susceptible to attack, a practical approach to security now means looking at “defense in depth” solutions.
Defense in depth looks to manage risk with a broad range of defensive strategies. That way, if one layer of defense fails, bad agents still need to get through another layer – and another. This strategy is already used in some private sector networks. Financial services firms, for example, typically have numerous security measures in place. Bad actors have to get past barricades and cross the moat before they can get into the castle.
If you make it harder for adversaries to access your system, these bad actors may choose easier targets. Without a defense in depth strategy, it is easy to be overwhelmed by even unsophisticated tactics like DDoS attacks.
The need for better procurement processes
Ultimately, however, security for the federal government (and private sector enterprises) is going to need help from industry. Technology companies are going to need to treat security as a fundamental feature in their products from day one. That means putting security up front in product development, with a sound plan and security features designed into products from the start.
At the same time, the purchasing authorities need to bring their security needs front and center. Some necessary steps:
- Build IT security into your contracts, and develop standards for what secure computing must look like. Your Chief Information Security Officer needs to be actively involved in this process, and your contractors must be responsible for maintaining whichever system you settle on.
- Stop trying to reinvent the wheel, and start seriously leveraging existing industry standards. Similarly, make sure that the certifications and standards industry is already using are adequate to the level the government needs.
- Get out of hardware procurements, and start buying infrastructure as a service (IaaS). Be clear on what your particular industry needs (and keep in mind that federal cloud offerings are months behind the commercial cloud in terms of offerings).
This last point is important to elaborate. Does your preferred provider offer orchestration tools for deleting and building apps? You want apps to be able to easily scale up or down; this elasticity ensures the long-term viability of your network.
Likewise, make sure that your provider offers Identity and Access Management (IAM) tools for life-cycle management. You need to be able to extend on-premises IAM tools to the off-premises cloud data center environment.
As we’ve seen, stopping attacks and unauthorized access to network platforms demands a coordinated enterprise approach to mission assurance and cyber defense. A strong defense alone will not mitigate risk.
In future columns we’ll take a closer look at other ways to improve cyber security – including the role your workforce plays in limiting your susceptibility to hacking.
This article was originally published on CSOOnline.