Why government needs to move beyond traditional cyber defense protections
Editor’s Note: This article was produced for and sponsored by RSA Security.
Maintaining robust cybersecurity defenses within government agencies has grown more challenging over the past few years. The number and sophistication of attacks continue to escalate, as has the severity of breaches, such as those suffered by the Office of Personnel Management and the IRS.
The seriousness of the challenge was one reason Defense Secretary Ash Carter addressed a record crowd at the RSA Conference 2016, calling on IT security professionals to keep finding more effective ways to protect federal and military IT systems.
Another major takeaway from this year’s RSA Conference was that federal agencies, and enterprises in general, should increase the share of their IT security budgets devoted to analytics-based security tools and methods designed to counter today’s rising threats.
“The strategy that the government, and more specifically the Defense Department, have been deploying for years isn’t adequate,” said Mike Brown, a retired U.S. Navy rear admiral who is now vice president and general manager of RSA’s Global Public Sector business.
“That strategy was based upon a prevention activity versus what the discussion was at the conference, which was the need for greater analytics and visibility,” said Brown.
“It’s not that we are recommending giving up prevention with perimeter defenses, but it’s not the only tool in the toolbox that must be employed,” he said.
Shift in focus
For the Defense Department and other federal agencies, that means shifting focus and effort away from a signature-based prevention strategy toward a risk-based approach, backed by systems that can quickly identify, isolate and mitigate hostile actions.
Brown says the U.S. government has been actively “looking at the tools that give them the right amount of network visibility and the ability to detect and respond to abnormal or malicious activity.”
He added that the government has also grown more sophisticated in dealing with cyber attacks, pointing to the tools provided through the Department of Homeland Security’s Continuous Diagnostics and Mitigation program, which support continuous monitoring, diagnostics and mitigation.
Additionally, several well-established frameworks and guidelines are in place to help the government improve its defense of critical infrastructure. Among them are NIST Special Publication 800-53, which catalogs the security and privacy controls federal systems are required to implement, and the Federal Information Security Modernization Act of 2014, which updated FISMA and establishes security requirements that all government agencies are expected to follow.
However, there are still many hurdles when it comes to uniform implementation of the FISMA guidelines.
“What the Government needs to do, and what’s been difficult for them [to avoid] is the tendency to try to create it yourself,” he said, referring to agency IT systems.
“Government does many things very well, but one thing they have trouble doing is doing things quickly,” Brown said.
RSA has been working with government on security matters for many years, but more recently has been helping the government change its overall response plan for cyber attacks. A risk-based approach is being phased in to replace the reactive doctrine currently in use.
“If you’re just waiting and relying on that prevention strategy, you’re not going to be successful,” Brown added. “That’s why understanding what is normal is so important…being able to identify normal lateral activity from normal devices allows you to look for unwarranted activity.”
“RSA is well known in the cybersecurity industry for its SecurID™ multi-factor authentication capability,” Brown said.
“What I want government and everyone in the IT security industry to know is that RSA … provides tools offering pervasive network visibility and robust security analytics, as well as industry-leading risk governance offerings, that are necessary to understand normal versus abnormal. Our solutions are based on our understanding of what it takes to understand risk and use the cybersecurity framework as a foundational approach.”
According to Brown, one of the most outdated pieces of technology that the government must phase out is the Common Access Card (CAC) and the Personal Identity Verification (PIV) card used by government employees and contractors. While the two-factor authentication provided by CAC and PIV (possession of the smart card plus knowledge of its PIN) was sufficient at one time, the technology has since become outdated and a liability.
“CAC has been around for fifteen years. It provides two factor authentication, which is okay, but it’s not the best technology to employ and costs more than easier-to-use and more secure alternatives,” Brown said.
For example, CAC/PIV systems don’t function well in today’s mobile environment. Additionally, the limited number of compatible card readers installed throughout government makes it difficult to support a natural workflow while maintaining security at the required level.
New updates to these security systems could improve mobility by allowing users to log in securely with software-based authenticators and biometric scanners. Uniform implementation of such a system would push the outdated card-based two-factor systems aside, according to Brown.
One remaining question is who should take the lead at agencies when overhauling the current security systems. RSA believes that the person responsible may not be an agency’s security officer. Rather, the job should be done by someone who is familiar with the technology in use, not just within government but also in the private sector.
“I don’t think [the government] is taking advantage of what the private sector has,” Brown said.
Brown added that RSA is leading the way toward safer government systems, keeping data safe from both criminals and foreign governments. By adopting a modern cyber defense doctrine, government agencies can stay on par with, or even ahead of, their many attackers.
Brown hopes that RSA will be able to continue in this role, keeping government and our cyber infrastructure safe from all threats for today and far into the future.