7 Cybersecurity Tactics to Watch in Government
CONTENTS
Executive Summary
Today’s Cybersecurity Landscape
A Tale of Two Presidents
Securing Your Data in the Era of Cloud Sprawl
Tactic 1: Artificial Intelligence and Machine Learning
Identifying Data Owners to Keep Your Agency Safe
Tactic 2: Big Data and Analytics
Critical Strategies for Government Cybersecurity
Tactic 3: Innovative Internal Training on Cybersecurity
Federal Spotlight: The National Initiative for Cybersecurity Education
Tactic 4: Bug Bounties
How Government Can Deal With Ever-changing Cybersecurity Threats
Tactic 5: Partnerships Across Borders
State and Local Spotlight: Virginia Emphasizes Leadership, Partnerships
Tactic 6: Procurement Options
The Importance of Privileged Account Security in Government
Tactic 7: Recruitment and Retention
Developing a Data-Centric Security Strategy
A Govloop Guide
EXECUTIVE SUMMARY
Cybersecurity is almost 30 years old, born of a Cornell University computer science graduate student who released a worm on the Advanced Research Projects Agency Network, the Internet’s ancestor. In the past three decades, cybersecurity has grown to be a multibillion-dollar industry – the fiscal 2016 federal budget alone allocated $14 billion to cybersecurity – and defenses take aim at way more threats than worms. In fact, no agency is immune to attacks, leading officials to take more proactive approaches and to get innovative.
Today, the term cybersecurity encompasses both defense and response plans, because cyber incidents are so prevalent across all agencies and levels of government. High-profile attacks include data breaches at the Office of Personnel Management that put 22 million records at risk of exploitation, and a hack of the Joint Chiefs of Staff’s email system in 2015. Currently, at the state level, investigators are examining how Russia targeted 39 states’ voter databases and software systems during the 2016 U.S. presidential election. What’s more, cyberattacks are only growing in number. Federal agencies reported 77,183 cyber incidents in 2015, compared with 5,503 in 2006, according to a May 2016 Government Accountability Office report. At the state level, the Multi-State Information Sharing and Analysis Center tracked 160 hacktivists – or hackers pushing political or social change – in 2016, compared with 65 in 2015.
The proliferation isn’t expected to decrease any time soon. The 2017 Vormetric Data Threat Report found that the federal government experienced more data breaches last year than the financial services, health care and retail sectors, and that data breaches grew by 12 percent. Clearly, new efforts are needed to combat this growing threat. In this guide, we will take an in-depth look at seven ways government agencies are taking cybersecurity efforts to the next level using innovations in artificial intelligence, analytics, training, bug reporting, partnerships across borders, procurement, and recruitment and retention. Additionally, we’ll look at some causes of cybersecurity’s growth and new cyber policies under the Trump administration, and we’ll hear from experts at the federal and state levels about how they’re not sticking to the status quo.
The Cybersecurity Landscape
It’s not all gloom and doom cybersecurity news. It’s worth mentioning that the WannaCry ransomware attack that affected more than 300 countries and 300,000 computers in May left the U.S. government alone. Unfortunately, however, that’s not the norm. But why not? Why, 30 years after the first cyberattack, has a silver bullet remained elusive?
Besides the sheer numbers we covered previously, there are other reasons. One is lack of motivation. Compliance with the U.S. Computer Emergency Readiness Team’s Einstein program, which provides an automated process for collecting, correlating, analyzing and sharing computer security information, was voluntary for federal agencies until 2008. Still, at the end of last year, only 90 percent of civilian agencies were using it, even though it’s been available since 2004. Additionally, there’s no Einstein for state and local governments.
Another reason is lack of cybersecurity training. Human error is a major cause of cybersecurity breaches, making safe practices the responsibility of all employees, not just those in information technology departments. Taking note of that, some IT shops are launching new training programs. For instance, in May 2016, Boston’s Department of Innovation and Technology announced its Cyber Security Awareness and Training program for all city employees. It’s an online training program that workers must complete to gain and maintain full access to city IT systems. More broadly, Sens. Gary Peters (D-Mich.) and David Perdue (R-Ga.) proposed this year the State and Local Cyber Protection Act, which would require the Homeland Security Department to provide training to state and local governments that request it.
Similarly, recruitment and retention are other challenges. After all, it can be tough for a government agency to recruit top talent without offering opportunities for growth through training, not to mention salaries and benefits commensurate with those available for private-sector cyber jobs. And all the while, cyberattackers and threats are becoming more sophisticated with their tactics.
What’s more, demand for cyber experts is outweighing supply. “Employment of computer and information technology occupations is projected to grow 12 percent from 2014 to 2024, faster than the average for all occupations,” according to the Bureau of Labor Statistics. “These occupations are expected to add about 488,500 new jobs, from about 3.9 million jobs to about 4.4 million jobs from 2014 to 2024.”
BLS expects the subfield of information security analysts to grow 36 percent in the same time period. “The federal government is expected to greatly increase its use of information security analysts to protect the nation’s critical information technology (IT) systems,” the agency states. All of this has led to some bad PR for the government: About half of Americans don’t trust the government to protect their data, and “some 28% of Americans are not confident at all that the federal government can keep their personal information safe and secure from unauthorized users,” according to the Pew Research Center for Internet and Technology.
Government entities take great pains with cybersecurity, though. Efforts at the federal level include:
Einstein: Originally an intrusion-detection system when it was introduced in 2004, it now detects and blocks cyberattacks, and provides situational awareness that DHS can share governmentwide.
Continuous Diagnostics and Mitigation: Established by DHS with input from OPM and the National Institute of Standards and Technology, CDM makes network administrators aware of their networks at any given time, provides information on the relative risks of threats and lets users identify and mitigate flaws at near-network speed.
U.S. Cyber Command: Ordered by the Secretary of Defense in 2009 to be part of U.S. Strategic Command, U.S. Cyber Command was stood up in 2010 with the mission of planning, coordinating, integrating and conducting activities that “direct the operations and defense of specified Department of Defense information networks and; prepare to, and when directed, conduct full spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries.”
Similarly, there are organizations and efforts to help local and state governments, which range from being behind the times because of lack of resources to being highly innovative:
State and Local Government Cybersecurity Framework: In 2014, a kickoff event aimed at applying NIST’s Cybersecurity Framework to state, local and tribal governments drew lots of attention, but no framework has been established yet.
Multi-State Information Sharing and Analysis Center: State, local, tribal and territorial government members of the center get access to an around-the-clock Security Operation Center, incident-response services, a vulnerability management program, access to secure portals for communication and document-sharing and more.
DHS’s Toolkit for State, Local, Tribal and Territorial (SLTT) Governments: Part of the department’s Critical Infrastructure Cyber Community Voluntary Program, the toolkit offers resources on understanding the threat landscape, questions to ask leaders about their cybersecurity agenda and a list of hands-on support options, including MS-ISAC.
DHS’s Office of Cybersecurity and Communications: Part of the National Protection and Programs Directorate, this office leads efforts to protect the .gov domain, and its National Cybersecurity and Communications Integration Center provides around-the-clock monitoring and incident response, and serves as a national point of cyber and communications incident integration.
Cybersecurity National Action Plan (CNAP): When President Obama introduced the plan in 2016, he highlighted actions to create the position of Federal Chief Information Security Officer, establish the Commission on Enhancing National Cybersecurity and invest $19 billion in cybersecurity as part of his fiscal 2017 budget. The plan also proposed a $3.1 billion IT Modernization Fund.
A Tale of Two Presidents: Where Obama, Trump Stand on Cybersecurity
Obama was a huge proponent of cybersecurity innovation. He launched the Comprehensive National Cybersecurity Initiative, Commission on Enhancing National Cybersecurity, CNAP and the national Cyber Incident Response Plan. Now, President Trump is largely following the cyber path that Obama paved. Analysts say Trump’s Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, issued in May, adheres closely to the status quo while calling for a review of cyber vulnerabilities and capabilities within 100 days. “The draft seems mostly to call for reports on an aggressive timeline in areas that the Obama administration had interest,” Ari Schwartz, a former Special Assistant to Obama and Senior Director for Cybersecurity in the White House’s National Security Council, said in a Cyberscoop article. “It does show that the Trump administration is taking cybersecurity seriously and making it a priority, which is positive for what will come of these reports.”
Trump is also building a team of cyber experts, including:
Rob Joyce, White House Cybersecurity Coordinator
Chris Liddell, Director of the American Technology Council, created by Trump’s executive order
John Kelly, formerly DHS Secretary, now Trump’s Chief of Staff
James Mattis, Defense Secretary
Rudy Giuliani, informal cybersecurity adviser
“We must protect federal networks and data. We operate these networks on behalf of the American people, and they are very important,” Trump said earlier this year. Still, Trump’s cybersecurity efforts are not without controversy. Despite investigations into Russian hacking, Trump announced plans to work with Russian President Vladimir Putin on forming “an impenetrable Cyber Security unit,” according to a tweet Trump sent July 9.
And less than two weeks later, the State Department’s cyber official announced plans to leave the job at the end of July, while reports circulate that Secretary of State Rex Tillerson is considering closing the department’s Office of the Coordinator for Cyber Issues or merging it with the Bureau of Economic and Business Affairs.
7 Cybersecurity Initiatives to Watch
Now that we understand the landscape, let’s look at ideas that break the mold. The next section of this guide will cover seven ways that government agencies at all levels are getting creative to stay ahead of cybersecurity threats. We start by defining what each approach is and how it works. Next, we look at a use case to see how it applies in the real world. Lastly, we offer tips for how you can implement these at your agency.
One theme runs through all of the innovations: teamwork. Although at first blush, cybersecurity seems like the kind of thing an agency would want to keep under lock and key, it turns out it takes a village to keep IT safe. Whether it’s partnerships with other government agencies, the private sector, academia or Average Joes and Janes, government officials are realizing they simply can’t go it alone.
Here’s a look at what to expect in the coming pages.
Tactic 1: Artificial Intelligence and Machine Learning
Artificial intelligence and machine learning help supplement a thin cybersecurity workforce by carrying out tasks in “smart” ways and learning from data they access.
Tactic 2: Big Data and Analytics
Bogged down by data, agencies are looking to collect it all in one place for analysis and correlation, often automating many steps along the way.
Tactic 3: Innovative Internal Training on Cybersecurity
Yearly cybersecurity reviews aren’t enough, especially when cyberthreats change constantly. To keep employees engaged in cybersecurity education, agencies are turning to game-based training and quizzes.
Tactic 4: Bug Bounties
Agencies are paying people who find vulnerabilities in their networks cash prizes – a small price to pay compared to some technical solutions or salaries. Additionally, they open the pool of vulnerability testers beyond agency walls and expertise.
Tactic 5: Partnerships Across Borders
States are looking for power in numbers by working together to adopt a new standard on cybersecurity.
Tactic 6: Procurement Options
More CIOs are seeking the authority to nix procurements they feel could threaten cybersecurity.
Tactic 7: Recruitment and Retention
Following the Federal Cybersecurity Workforce Strategy, more agencies are focusing on hiring skilled employees and retaining experienced workers.
Each initiative comes with its pros and cons, but cybersecurity is an evolving animal and government agencies need to not just keep up, but get and stay ahead. “Cybersecurity is a team effort,” Gen. Greg Touhill, the first U.S. Chief Information Security Officer, wrote in a blog post. “If we are going to achieve our goal and follow our strategic game plan, we have to work together across the Federal Government in concert with our various partners and stakeholders.”
Industry Spotlight
Securing Your Data in the Era of Cloud Sprawl
An interview with Jose Padin, SE Director, U.S. Public Sector, Citrix
It’s not an exaggeration to say that cloud computing technology has transformed government. The ability to use critical apps and store data in a variety of clouds has allowed the public sector faster innovation, great agility, more mobility, and a host of other benefits. But there is a downside to the rapid growth of cloud in government: cloud sprawl, or the increasing complexity of having to manage and access applications and data from multiple different clouds across vendors. Cloud sprawl can truly become a problem for the public sector, particularly in the area of keeping government data secure. To understand more about cloud sprawl, GovLoop sat down with Jose Padin, SE Director, U.S. Public Sector at Citrix. Citrix is a technology company offering the public sector a comprehensive secure digital workspace. Padin explained that cloud sprawl in government is the result of reliance on and consumption of cloud services from multiple internet cloud service providers. The benefit is that it removes the dependency of acquiring what is needed to use an IT service (infrastructure, software, support, etc.) so agencies can solely focus on the service needed (critical business application, robust storage, collaboration, etc.). In its own way, cloud sprawl is a natural evolution of using more cloud-based services, Padin said. “Everything used to be on premises or on the endpoint,” he explained. “But as we’ve evolved into a cloud-based system, government now has multiple different external systems that are managed and maintained by lots of different companies. And each system may have its own framework for authentication, for configuration, and for security.” When cloud sprawl happens at an agency, it can cause users, both internal and external, a variety of problems. Externally, citizens are navigating multiple services with a variety of user experiences. 
Internally, IT teams struggle with a lack of knowledge of who is accessing applications and where data resides, as well as a struggle to monitor and manage services centrally. To overcome cloud sprawl without sacrificing the benefits of the cloud itself, the public sector needs a more efficient and comprehensive way to organize, manage and secure all cloud services used across the organization. Government IT departments need to securely deliver apps and data to their citizens and their employees in a world that is becoming more mobile and more dependent on cloud services – on any device, in any location, from any cloud.
Citrix can help agencies do this through their secure digital workspace. “Citrix provides access to digital workspaces that contain apps and data that are centrally managed and monitored across multiple cloud services providers,” Padin said. Citrix’s secure digital workspace protects confidential data and guards agencies against cyberthreats. Apps and associated data can remain on premises or in the cloud, where they are accessed through granular, policy-based user authentication. This level of access control, along with auditing and reporting capabilities, enables IT to manage compliance, information governance and data protection. “The secure digital workspace is a contextually aware system that will allow people to get in and get access to multiple applications and web systems in one easy-to-use hub,” Padin said. By eliminating the fragmented way in which users access their applications and data – and instead providing them with secure, single sign-on – users have more time for mission-critical work and spend less time seeking helpdesk support. The secure digital workspace also helps government IT departments regain control when delivering disparate web services; combating challenges caused by an ever-mobile workforce; and enabling single-sign-on access to all apps, files and data. Organizations that develop specific strategies to support digital work—including creating new procedures for security, enabling off-site environments, managing contingent employees, and mitigating burnout among always-connected workers—will see improvements across the board, Padin explained. “Oxford Economics’ study shows a high ROI when organizations use something like the Citrix secure digital workspace,” he said.
“It helps both internal employees and citizens, all while ensuring that information and data across multiple clouds is accessed securely.” As cloud continues to evolve and bring real benefits to government, agencies must be sure to securely and intuitively manage access and data sharing across all of these clouds for both citizens and their employees. Protecting government and citizen data is a top priority of government, but it must be done without sacrificing efficiency and user experience. A secure digital workplace is the path forward.
Tactic 1: Artificial Intelligence and Machine Learning
WHAT IT IS
Artificial intelligence (AI) is when machines can carry out tasks in “smart” ways, while machine learning enables machines to learn from data they access.
See it in action
Within a year, DoD could introduce autonomous cybersecurity tools that can predict threats, including insider activity, and isolate parts of the network that may be attacked, Terry Halvorsen, the department’s former CIO, said in a February Meritalk article. “Given the volume [of attacks] and where I see the threat moving it will be impossible for humans by themselves to keep pace. We can and we’re very close to being able to put more autonomy into the security tools, and we will get to the point within the next 18 months where AI is becoming a key factor in augmenting the human analyst in making those decisions about what to do,” Halvorsen said.
AI can change network configurations after an attack faster than humans, removing the damaged part of the network, isolating the problem and destroying the malware, he said. The Army’s SGT STAR is an example of machine learning helping government operate more efficiently. A virtual guide to GoArmy.com, the chatbot can answer common questions about enrollment, salary, enlistment requirements and job opportunities. Launched in 2014, it does the work of 55 recruiters and uses machine learning to improve recognition and helpful responses, with an accuracy rate of more than 94 percent, according to a Governing article. It’s answered more than 16 million questions to date.
How you can do it
1. Robotics and cognitive automation let machines copy human actions and judgment, and could free millions of working hours each year (out of some 4.3 billion worked total), according to research by Deloitte University Press. Automation could save 96.7 million federal hours annually, with a potential savings of $3.3 billion at the low end and 1.2 billion hours and $41.1 billion at the high end.
2. Common functions to consider replacing with bots include opening email and attachments, filling in forms, connecting to system application programming interfaces, following if/then decisions, moving files and folders, reading and writing to databases, and making calculations.
3. Find more advice on how to approach AI and machine learning in the National Artificial Intelligence Research and Development Strategic Plan, released in October 2016 by the National Science and Technology Council’s Networking and Information Technology Research and Development Subcommittee.
Industry Spotlight
Identifying Data Owners to Keep Your Agency Safe
An interview with Stephen Watts, Federal Strategist for Information Governance, Veritas
The public sector faces numerous challenges that government employees work to overcome every day. Constrained budgets, ever-growing citizen expectations, information technology infrastructure issues — the list of obstacles grows constantly. However, one challenge that is less obvious but just as important is the massive growth of unstructured data — especially where and how to best store it so that it’s accessible, usable and retains its value.
Unstructured data often appears in the form of e-mails, memos, chats, white papers, marketing materials, images, presentations and video files. Most organizations tend to keep all of this unstructured data without a plan for disposing of it. In fact, today, agencies are conditioned to keep all of their data, whether it is useful or not. They hesitate to get rid of it because they believe accumulation is easier than organization or deleting information that will get them in trouble.
But unstructured data can hold sensitive information, so government must be proactive in classifying, storing, retrieving and disposing of this data or face potential cybersecurity risks. To discuss the risk that unstructured data poses to government agencies, GovLoop sat down with Stephen Watts, Federal Strategist for Information Governance at Veritas, a leader in government data storage solutions. Watts noted that this data hoarding strategy can cause the public sector a variety of pain points, not least of which are security and compliance issues. “We see a growing sense of urgency to gain control of the costs associated with storing and maintaining information along with a need to reduce the compliance risks and security risks,” he explained. When there are such massive amounts of unstructured data, it can be difficult to tell who exactly is accessing all of that data, which opens up agencies to a variety of cybersecurity risks. In order to get a handle on unstructured data, understand who is accessing it, and mitigate the risks posed by this unstructured data, Watts recommended that agencies create a framework around the three foundational pillars for comprehensive enterprise data management: data protection, data availability and data insight. “Making sure you understand who has the abilities to access and gain insights from your data is a true key to the protection of that data,” Watts explained. “When you can see a user risk analysis, you’ll be able to provide immediate insights into malicious activity and policy violations and thereby keep your critical data and information secure.”
That’s where Veritas’ Data Insight solution comes into play. It helps agencies improve security and access through better visibility into their data.
“Data Insight scans the unstructured data systems and collects file metadata and full access history of users across the data,” Watts said. “It helps organizations monitor and report on access to sensitive information.”
Data Insight helps the organizations solve the problem of identifying data owners and responsible parties for information in spite of incomplete or inaccurate metadata or tracking information. This helps support large-scale business owner-driven remediation processes and workflows. In addition, Data Insight provides reporting to administrators to let them know two things: who has access to records and when which individuals actually access those records. The software allows record owners to shut down the access within those records at any time. In short, Data Insight helps organizations improve unstructured data governance to reduce costs, reduce risk, and achieve compliance through actionable intelligence into data ownership, usage, and access controls. Veritas’ expertise and solutions like Data Insight are complemented by working with ThunderCat Technology, a systems integrator that brings an innovative approach to solving customer problems in and around the datacenter by providing strategies for data storage, networking, security, and application. ThunderCat and Veritas work together to provide the best solutions for their government customers. With the massive amount of data that government is creating, storing, and accessing in today’s complex environment, it is more important than ever that data be properly stored, classified, and accessed only by the right users. By understanding the pillars of comprehensive data management across the enterprise and using the right solutions to store and access their data, government agencies can keep their data and their citizens’ information safe from any potential threat.
Tactic 2: Big Data and Analytics
WHAT IT IS
Agencies are aggregating existing data into one place and analyzing and correlating it so that it can be filtered, searched and probed for better analysis of security incidents, helping agencies find attacks faster. Today, 81 percent of federal agencies say they’re using data analytics for cybersecurity, according to a Meritalk study, while Ponemon research found that organizations are 2.25 times more likely to find a security incident within minutes or hours when they are a heavy user of big data cybersecurity analytics.
See it in action
The Defense Information Systems Agency offers a cloud-based set of solutions called Cyber Situational Awareness Analytical Capabilities (CSAAC) that enables the collection of data from across the DoD Information Networks. The Big Data Platform drives CSAAC’s capabilities. It’s a DISA-developed open source solution and lets data, visualizations and analytics be shared.
CSAAC monitors DoD Enterprise Email, giving operators near real-time situational awareness on incidents. The set also has an anomaly detection suite that finds authorized users who threaten the confidentiality, integrity or availability of sensitive DoD data, according to DISA. At the state level, Michigan is planning a Cyber Threat Analytics Center that will use feedback from sensors and threat feeds from vendors, and Alaska is using a data analytics platform to proactively monitor and report on security event activity for several state agencies.
How you can do it
1. AI, machine learning and automated data scanning are forms of big data and analytics that support cybersecurity. They’re able to ingest and sift through the vast amount of data agencies take in faster than a human could.
2. To use data for security, agencies first need to understand the data they have enterprisewide. Conduct an audit of what data and analytics tools you have and where you have gaps to fill.
3. Common ways big data analytics aid cybersecurity are by identifying behavioral anomalies on networks or devices or in employee and contractor behavior. Analytics can also assess vulnerabilities and risks, and pinpoint the origins of attacks.
Industry Spotlight
Critical Strategies for Government Cybersecurity
An interview with Ken Durbin, CISSP, Strategist, Symantec
The past few years have seen increasingly sophisticated attacks on our government. Everything from citizens’ information to emails of political candidates has been infiltrated. Protecting critical infrastructure and nationally significant industries is now more important than ever, yet too many critical systems lack basic security protections or the necessary workforce and training to address these issues. Governments need to work with industry partners to ensure there is a focus on protecting existing critical systems and to build security into system refreshes to control the risk of destructive attacks.

To discuss how government can better do this and three important strategies they should be taking to bolster their cybersecurity effort, GovLoop sat down with Ken Durbin, CISSP, Strategist at Symantec, a leading cybersecurity company. Durbin said that focusing on three key areas is critical for improving government cybersecurity in the coming years. Those areas are internal training, automation to supplement the workforce, and critical partnerships.

In terms of training, Durbin said, there has been a requirement for training around cybersecurity awareness but it has often lacked teeth. “With the recent signing of the presidential executive order on cybersecurity,” he said, “this draws a red circle around awareness and makes sure agencies are more urgently addressing internal mandatory security awareness programs.”

Cybersecurity is often viewed as protecting hardware, software, and bits and bytes, but the training people receive is an equally critical component of any effective cybersecurity program. “If agencies take the time to train staff properly, ensure they have basic skills and awareness, then they become the front line of an agency’s cyber defenses,” Durbin said. “They are empowered to be part of the solution instead of the problem.”

Symantec’s Cyber Skills Development solutions offer agencies training options that immerse users in real-world experiences that are more engaging than traditional training and allow security leaders to analyze individual and group performance, find functional gaps within the team, and conduct pre-hire skill assessments.

In addition to better internal cybersecurity training, Durbin explained that automation will be critical in the fight for better cybersecurity – particularly because there is an enormous skills shortage in the security area for government. With fewer trained people in the workforce, government must better leverage automation tools that can help them do more with less and catch potential attacks earlier.

“Automation helps you do more with less – detect an event, triage it, and make a decision before a human has to be involved,” Durbin said. “For example, Symantec’s Security Analytics platform does deep packet inspection (among other things) to detect malicious activity. When something’s identified Symantec’s Advanced Threat Protection can check to see if it’s been seen at the endpoint, network or email, and take action. Or, it can go into an event manager so a human can see it and take action.”

To help address the cybersecurity workforce shortage and ameliorate these issues, Symantec has created the Symantec Cyber Career Connection (SC3), a collaborative effort to address the global workforce gap in the cybersecurity field. The program provides underrepresented young adults and veterans with targeted education, training and certifications that position them to fill in-demand cyber security jobs and enter long-term careers.

Finally, Durbin said that government, particularly at the state and local level, must focus on critical partnerships across borders. In particular, the Multi-State Information Sharing & Analysis Center (MS-ISAC) is an important resource for state and local governments looking to strengthen their cybersecurity posture. “Symantec supports the MS-ISAC and their efforts,” Durbin said. “Using solutions like our Managed Security Service (MSS), the MS-ISAC helps all 50 states monitor their networks. If an event is detected in one state, the information can be disseminated to all 50 states to prevent an attack from spreading.”

Today, more than ever, it is critical that government works to bring awareness to the latest developments in cybersecurity, as well as the importance of ensuring all stakeholders are prepared to protect themselves and their data against the ever-changing threats of our technology-driven world. Cyberattacks aren’t going away anytime soon. But with stronger training, a renewed workforce, better automation tools and critical partnerships, the public sector can take a stand to keep their most valuable information safe.
Tactic 3: Innovative Internal Training on Cybersecurity
WHAT IT IS
To keep cybersecurity top of mind and drive home points, agencies are trying new internal training tactics such as game-based training that let officials test and train workers at the same time and daily or weekly quizzes that involve bite-size chunks of information about cybersecurity on myriad platforms.
See it in action
When former Chief Security Officer Dan Lohrmann saw that Michigan state employees were less than enthusiastic about watching cybersecurity training videos, he switched to a vendor program that used games and interactive activities. The Department of Technology, Management and Budget rolled it out to all state employees over six months, and saw participation jump from 10 percent to 90 percent. One game asked employees to look for security violations, such as leaving confidential papers on desks, while another involved having a cartoon character search an airport for lost or stolen laptops in 90 seconds.
“I can’t walk into an airport and not think about it,” Lohrmann told StateTech. “And that’s the goal — to change behavior.” At the federal level, DISA offers the Cyber Awareness Challenge to DoD employees and the intelligence community. It’s “a serious game that simulates the decisions that Federal government information systems users make every day as they perform their work. Rather than using a narrative format, the Challenge presents cybersecurity, information assurance (IA), and information systems security (ISS) awareness instructional topics through first-person simulations and mini-games,” according to the Center for Development of Security Excellence.
How you can do it
1. Successful games let players fail safely, have clear rules, encourage collaboration, involve community partners such as academia or the private sector, and are fun.
2. Consider boosting motivation to participate and perform by giving rewards, even if they’re just badges, for players’ contributions.
3. Common cybersecurity game formats include Capture the Flag, which involves Jeopardy-style questions or hands-on activity on a network; operational competitions in which volunteers act as hackers and try to break into the network and disrupt service; forensics competitions; and policy competitions in which participants respond to a realistic, evolving cyberattack and analyze the threat to national, international and private-sector stakeholders, according to NIST.
Federal Spotlight: The National Initiative for Cybersecurity Education
A conversation with NIST’s National Initiative for Cybersecurity Education Director, Rodney Petersen
The need for cybersecurity workers has outpaced their availability. More than 209,000 cybersecurity jobs in the United States are unfilled, and postings are up 74 percent in the past five years, according to a Peninsula Press analysis of Bureau of Labor Statistics numbers. The demand for positions such as information security professionals is expected to grow by 53 percent through 2018. NIST’s National Initiative for Cybersecurity Education (NICE) puts the cyber workforce in the spotlight. Born of Obama’s 2008 Comprehensive National Cybersecurity Initiative, NICE’s mission is “to energize and promote a robust network and an ecosystem of cybersecurity education, training, and workforce development,” according to its website.
NICE coordinates with government, academic and industry partners to fulfill this in several ways. One is through its Cybersecurity Workforce Framework, which provides “a standardized way of thinking about cybersecurity work, a common taxonomy, a common reference tool, and it includes not only seven categories, but 33 specialty areas for 50 work roles, and then the corresponding knowledge skills that go with these,” said NICE Director Rodney Petersen. “That’s a real opportunity for us to get people thinking in a standardized way about cybersecurity education and workforce from education and training providers who are developing them to employers who are hiring them. I think the key role that NICE plays is that integration of activity across the different stakeholders.”
The 2016 update to the framework came out in draft form last November, and a final version is expected soon, Petersen said. NICE is also working to change the way government human resources professionals and hiring managers think about the qualifications of a good cybersecurity employee. “Our biggest concern is that people are hiring only based on traditional credentials,” Petersen said. “That might be based on things like academic degrees and certifications and reported work experience, without really looking at the underlying skills, and the underlying skills can be developed and acquired in a number of ways and are evaluated increasingly in a number of different ways.”
Another concern is that position descriptions overestimate the type of qualifications required – for example, specifying a bachelor’s degree when an associate’s degree would suffice – or overemphasizing certifications. “We really try to emphasize skills-based hiring and the development of job announcements and position descriptions that reflect the knowledge and skills needed, not necessarily the credentials that might lead to that,” he said. “Really focus on the quality of the experience, not just the quantity.” NICE also focuses on cybersecurity recruitment and retention in conjunction with the Office of Personnel Management and the Federal Cybersecurity Workforce Strategy, which emphasizes an employment lifecycle, from recruitment to hiring to development and retention. One way to attract workers is to use the flexible recruitment and hiring authorities available to federal agencies. Then, match their knowledge, skills and abilities to the work to be performed, Petersen said. “It’s not enough just to bring them into the federal workforce, but to make sure they stay and either have a lifelong career that’s productive, or if they rotate out to the private sector, that they perhaps return at a later date with even better and improved skills, and that process of rotating between the public and private sectors shouldn’t necessarily be frowned upon, but should be seen as an opportunity for people to broaden their skills and experience and really bring back some of those new strengths to the federal workers,” he said. Agencies should also encourage rotation within the federal government, he said, letting workers take on different roles or responsibilities within their agency or at another. “You not only give them the benefit of your services, but you start to kind of round out your resume experience and allow the learning that can happen from being exposed to different ideas,” Petersen said. 
NICE is also working to get people interested in cybersecurity jobs from an early age. For instance, the third annual NICE K-12 Cybersecurity Education Conference in December will bring together educators, curriculum specialists, researchers, nonprofits, foundations, government and students to talk about cybersecurity education in elementary and secondary schools. “We’ve already started the process of really emphasizing the importance of building that pipeline at a younger and younger age,” Petersen said. The conference is “recognition of the importance of getting career awareness so that kids and parents can start as early as possible … and then secondly, working with both middle school and high school programs to make sure we leverage STEM programs, computer science programs and others to make sure we have students prepared either for a career in cybersecurity upon high school graduation or to continue in the community colleges and universities. I think that’s the key thing.”

In the past several years, NICE has seen interest in cybersecurity work grow. For example, its conferences have grown not only in attendance, but in number. “Where it used to be a predominantly federal government audience or an academic, higher education audience, now we’re bringing in people from K-12 education, people from nonprofits, people from companies and corporations, and state governments, so I think the demographics have shifted and grown just based on the criticality of these issues,” Petersen said. What’s more, community colleges now have their own annual summit and the centers of academic excellence in cybersecurity now number 250 nationwide.

Looking ahead, Petersen sees a need to ensure that as technology evolves, the cybersecurity workforce evolves with it. “Even though the NICE framework is good to have as a standard that’s kind of a point-in-time description of cybersecurity work, you have to be flexible and agile in order to respond to the future nature of this workforce,” he said.
Tactic 4: Bug Bounties
WHAT IT IS
Bug bounties are deals that agencies offer to recognize and compensate individuals for reporting bugs, especially those pertaining to exploits and vulnerabilities.
See it in action
The General Services Administration’s 18F innovation team started creating a bug bounty program in May, when it tapped HackerOne to make a software-as-a-service bug-reporting platform. Named after GSA’s Technology Transformation Service, the TTS Bug Bounty will be the first public bug bounty program run by a civilian agency, although it’s modeled after DoD’s popular Hack the Pentagon and Hack the Army bug bounty programs. Here’s how 18F says it will work: “Upon receipt of a bug report, HackerOne will triage submissions first, determining both the validity and severity of the reported bug. Valid bugs will be sent to TTS and the appropriate team in charge of the web application will correct the issue.”

Anyone from a high school student to a major security research firm may look for bugs. Those who successfully find one will get $300 to $5,000. Benefits to the government include an officially sanctioned channel for people to report security issues, incentivizing independent researchers to improve the organization’s security and complementing traditional security reviews and penetration tests by making security review an ongoing, iterative process.
How you can do it
1. Review 18F’s solicitation documents as a guide for how to procure a bug bounty platform from a vendor. For instance, 18F specified that the vendor would provide a SaaS platform with a publicly available website and handle triage, but it would not be responsible for fixing discovered problems.
2. Include bug bounties in IT acquisitions, as DoD plans to do. This means asking developers not just for penetration testing, but also to run a bug bounty against it.
3. Beware of the risks of these programs, which rely on ethical participants. Consider whether background checks on applicants and/or establishing rules and regulations makes sense for your agency.
Industry Spotlight
How Government Can Deal With Ever-changing Cybersecurity Threats
An interview with Mav Turner, Senior Director, Product Strategy, SolarWinds

Government is always dealing with change – a changing workforce, changing citizen expectations and changing technologies. But one of the most complicated areas of change that affects government every day is the changing face of cybersecurity threats. Today in government, agencies must protect their systems and data from a rapidly shifting and incredibly complex series of threats, from foreign hackers, to insider threats, to a variety of other cybersecurity attacks.

To understand the top cybersecurity threats facing government, GovLoop sat down with Mav Turner, Senior Director, Product Strategy, at SolarWinds, a leader in IT management products for government. Every year, SolarWinds delves deep into data and information from government to release their Federal Cybersecurity Report. Their research, which explores the biggest barriers to improving IT security, has consistently shown that careless or untrained insiders, foreign governments and the general hacking community are the top three threats to federal government IT security.

“The rapid pace of technology development means that risks evolve fast. Your security strategy should be built around people, process, and tools that don’t just solve a specific problem today, but that can evolve quickly to solve the problems that will arise tomorrow,” said Turner.

Knowing that these threats are growing and changing constantly, what tools does government have available to them to combat these particular issues? Proper training for employees and information sharing are necessary, but not sufficient, Turner said. You have to have the right products and tools to enable a well-trained staff and provide consistency in your process. These tools should continuously monitor your environment for threats. The people in your organization need to be able to easily extract knowledge from that data and quickly run through your response procedures. Specifically, look for tools that make it easy to automate responses, quickly scale, provide clear and regular reporting, and provide analytics to simplify all of the data being collected.

In fact, it’s imperative that agencies gain complete visibility into both off- and on-site applications and data. They need processes and tools that allow them to view network performance, traffic, and configuration details pertaining to all user devices, whether they are on-premises, in the cloud, or across hybrid environments. In other words, they’ll need clear insights into the darkened pathways that exist between on-premises and hosted locations to ensure that the data that’s passed between them remains secure and properly managed.

Since threats are always changing, the tools government uses need to continuously change. But how can government leverage the latest and newest tools when procurement can be difficult and slow? What can vendors offer them to help?

“Tools need to be easy to buy, quick to deploy, secure, and updated by vendors to keep up with ever changing threats,” Turner said. “At SolarWinds, we are dedicated to simplifying the acquisition process for our government clients, and helping them scale their solutions and stay up to date. We also offer free trials for all of our products.”

SolarWinds software delivers actionable intelligence to proactively identify threats, takes automated action to quarantine and mitigate damage, and analyzes data to prevent future attacks. Their security solutions and continuous monitoring tools correspond closely to the Risk Management Framework (RMF) developed by NIST, play a critical role in Information Security Continuous Monitoring (ISCM), and other government cybersecurity strategies. With the right solutions and knowledge about the complex and changing threats, federal IT pros can get the visibility they need into their IT infrastructure’s security posture to prevent threats before they become breaches.
Tactic 5: Partnerships Across Borders
WHAT IT IS
States are looking for power in numbers by working together to adopt a new standard on cybersecurity.
See it in action
The National Governors Association (NGA) is working on a 50-state collaboration to establish the country’s first baseline for cybersecurity measures.
“We have the standards and we’re all set. We have the 10 basic protocols that we want all 50 states to meet,” said Virginia Gov. Terry McAuliffe, who recently completed his tenure as NGA Chairman. “The National Governors Association Cyber Resource Center is working with all the states right now to make sure they are at the basic threshold level.”
Some states already make information-sharing part of their cyber plans. For example, a cornerstone of the New Jersey Cybersecurity & Communications Integration Cell is to share information among local, state, federal and private-sector organizations.
In fact, failure to share information puts states at risk, according to Brookings. “States, unlike private sector firms, have the advantage of not being in competition with other states and so can adopt and leverage these standards to provide better cybersecurity to the citizenry,” it said.
How you can do it
1. Join MS-ISAC, the Multi-State Information Sharing & Analysis Center, which is free for state, local, tribal and territorial government entities, to access monitoring, weekly threat reports and cybersecurity table-top exercises.
2. US-CERT recommends the use of tools to automatically share cyber information: the Trusted Automated eXchange of Indicator Information, Structured Threat Information eXpression and Cyber Observable eXpression.
3. NIST’s Guide to Cyber Threat Information Sharing offers tips on structuring sharing plans, including defining the scopes, establishing rules and planning for ongoing support.
State and Local Spotlight: Virginia Emphasizes Leadership, Partnerships
A conversation with Virginia Secretary of Technology, Karen Jackson

Virginia is a leader when it comes to cybersecurity, in part because high-ranking officials understand they can’t go it alone. For example, Gov. Terry McAuliffe recently completed his tenure as Chairman of the National Governors Association, where he launched an initiative called “Meet the Threat: States Confront the Cyber Challenge,” putting states – not just Virginia – front and center in the effort to find solutions to cyberthreats.

That kind of leadership support has been invaluable to Virginia’s cyber work, said Karen Jackson, the commonwealth’s Secretary of Technology. “It sounds like Kodak. It’s priceless,” Jackson said. “When you have clear top-down emphasis from the Governor and the Secretary of Education and the Secretary of Public Safety – everybody right on through – that communicates down to the agency heads, that communicates down to the more rank-and-file employees and hopefully that actually permeates out into the citizens because they hear it.”

But cyber efforts don’t happen only within Virginia’s borders. Partnerships with other states, the federal government, the private sector and academia are a big reason for the commonwealth’s cyber success, she added. “Cyber is a team sport, as is most technology,” Jackson said. “You can’t only look at the technical side of cyber. Then you’re going to miss the fact that you need a workforce and the fact that you need industry to have input into the educational system so that the skills and the credentials that kids come out of school with are actually transferrable to the workforce.”

For instance, this summer, Virginia partnered with the SANS Institute and six other states for CyberStart, which runs from July 14 to the end of August. It’s basically a cyber test designed for students 16 and older, with challenges that increase in difficulty as participants complete them. SANS is offering 100 $1,500 scholarships to the top 100 finishers at the first round and another $500,000 for college and graduate-level scholarships and certifications.

The Virginia Cyber Cup Competition, hosted by the Virginia Cyber Range, an initiative to enhance cybersecurity education in high schools, community colleges and universities, is a cyber game for the commonwealth’s centers for academic excellence that debuted in 2016. Teams from 13 community colleges and universities competed to solve computer security challenges in categories such as cryptography, network traffic analysis and reverse engineering.

The commonwealth’s Education Department started offering CyberCamp last year and has eight more this year that are in-person, hands-on training for rising 10th-, 11th- and 12th-graders interested in cybersecurity. Eligible school divisions are those where at least half of enrolled students qualify for free or reduced-price meals. The camps must offer 70 hours of instructional time, including guest speakers, field trips and project-driven learning.

Additionally, Virginia participates annually in the National Security Agency’s Day of Cyber School Challenge, an online, game-based program in which participants create a cyber resume, explore careers and try challenges in an effort to whet students’ cyber appetites. Schools with the highest participation get a cash prize to go toward their cyber programs. “A lot of times people are suspect or reticent of programs like that because they say, ‘Well, we didn’t create it,’” Jackson said. “You don’t have to create everything. You can get much better content and a whole system, in some cases, where all you have to do is say, ‘Yes, we want to do that,’ and then the momentum just takes over.”

Finally, Virginia has partnered with technology companies such as Cisco and Amazon Web Services on its Cyber Veterans initiative, which McAuliffe announced in 2016. It offers training to separating veterans in the commonwealth, which has the highest per capita number of veterans. “We couldn’t have done this type of program without the partnership with the companies,” Jackson said. “If you can’t ally yourself with others to get the work done, you’re not going to move forward very quickly, and chances are you’re going to get left behind somewhere along the process.”

All these initiatives go back to the five cybersecurity pillars outlined in a roadmap that the state’s first cyber commission put together several years ago. They are economic development, education and workforce, infrastructure, public awareness and cyber crime.

Main cybersecurity concerns for the state include threats such as phishing attacks and malware, Jackson said. More than 60 agencies ride on the executive branch network that her office oversees. “If you think about it, we’re one click away from a potential disaster at any given time,” Jackson said. “There’s a thin margin of error in all of the cyber arena. You make a mistake, you leave one hole open and you’ve left yourself open to becoming a victim pretty quickly.”

She credits the roadmap, strong leadership and the partnerships with making Virginia cyber strong. “You have a clear message, you have a committed leader, people will help you, and it’s just a matter of being willing to think creatively, think outside the box in terms of government as to how you can partner,” Jackson said. “You can make great things happen, and I think that’s what’s happened for us.”
Tactic 6: Procurement Options
WHAT IT IS
The word “procurement” simply means the act of obtaining something, but in government, the practice can get complex because of rules, regulations and red tape.
See it in action
In 2014, the Energy Department issued guidance for using specific procurement language to build cybersecurity protections into energy delivery systems. The document provides an example of language for general procurements: “The Supplier shall remove and/or disable, through software, physical disconnection, or engineered barriers, all services and/or ports in the procured product not required for normal operation, emergency operations, or troubleshooting.” For authentication and password policy management, it recommends that the buyer ask the supplier to “provide for a configurable account password management system that allows for” things such as password changes, inactive session logout and selection of password length.
More recently, NASA CIO Renee Wynn refused last summer to sign off on the “authority to operate” (ATO) for a $2.5 billion Hewlett Packard Enterprise contract, citing poor performance. Several months later, Wynn and other federal CIOs told the House Oversight and Government Reform Committee’s IT Subcommittee that they want the authority to nix any procurement they feel could threaten cybersecurity. “Congress can’t hold agency CIOs accountable … if they don’t have the necessary authorities to get the job done,” said Subcommittee Chairman Rep. Will Hurd (R-Texas).
How you can do it
1. Like DoE, write guidance for what wording needs to be included in requests for proposals and contract bids. This wording will differ according to agency and even divisions within an agency, as well as based on the IT need.
2. Give vendors a second chance. Wynn added a six-month grace period to give HPE a chance to rectify its problems – a helping hand that the company readily accepted.
3. Join the push for Congress to make clearer the fate of a procurement contract if the ATO isn’t signed by letting CIOs make the call.
Industry Spotlight
The Importance of Privileged Account Security in Government
An interview with Noam Liran, Federal Engineering Manager, CyberArk
The public sector faces a variety of threats on the cybersecurity front. Insider threats, foreign adversaries and more all pose increasingly complex challenges for agencies that are trying to protect sensitive data. One of the most significant enterprise security risks is the potential exploitation of privileged accounts and credentials. Privileged accounts exist across the IT infrastructure and are utilized by non-human users as well as systems administrators who use these powerful credentials to login to servers, switches, firewalls, routers, database servers, and the many applications they must manage. To understand the importance of better security and management around privileged accounts in the public sector, GovLoop sat down with Noam Liran, Federal Engineering Manager at CyberArk, a privileged account security leader. Today, stolen, abused or misused privileged credentials are used in nearly all breaches. In fact, according to CyberArk, the compromise of privileged accounts was a crucial factor in 100 percent of advanced attacks. With this serious threat, government agencies need to put controls in place to proactively protect privileged accounts and to effectively detect and respond to in-progress cyberattacks before they strike vital systems. The federal breach that led to the 30-day cybersecurity sprint remains a stark example. In the breach, attackers exploited privileged credentials to make their way into the federal agency’s network undetected, conduct reconnaissance, and exfiltrate critical data. To improve the resilience of fFederal networks, the sprint focused on three primary efforts: patching critical vulnerabilities; tightening policies and practices for privileged users; and accelerating implementation of multi-factor authentication, especially for privileged users. “Unmanaged, unprotected privileged accounts represent one of the most serious security vulnerabilities an organization faces today,” said Liran. 
“In the hands of an external attacker or malicious insider, hijacked privileged accounts can allow full control of an organization’s IT infrastructure to disable security controls, steal confidential information, commit financial fraud or disrupt operations.”
Cloud Adoption and the Expanded Attack Surface
The increased adoption of cloud technology – particularly hybrid cloud – in government complicates this threat vector. The risk and potential attack surface posed by privileged credentials, which include API and SSH keys, increases exponentially in dynamic cloud environments. In many cases, the first target of attackers is the privileged credentials used to administer cloud services, such as Infrastructure as a Service or Database as a Service. All it takes is for one user with administrative privileges for cloud services to click on one phishing email to give an attacker access to the entire cloud infrastructure.
Privileged accounts can often go unprotected across cloud environments, due to immature defense strategies. “Privileged accounts in cloud environments must be managed, protected, and monitored just like privileged accounts in traditional datacenter environments,” Liran advised.
In addition to managing risk in hybrid cloud environments, agencies must be able to address the Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) program requirements around privileged account security while also reducing risk and preparing their organizations for newer threats.
Steps for Protecting Privilege
So what can government do to comply with requirements and protect its accounts? IT and security leaders must consistently enforce security and access policies across their entire organization, and at scale. This can be achieved with a single point of control that enables consistent management of privileged accounts and credentials across each of the compute and development environments.
By natively extending its Privileged Account Security Solution to the cloud, CyberArk enables government to use the same platform protecting on-premises and industrial control systems to also cover their cloud environments. The CyberArk Privileged Account Security Solution provides a new layer of security that includes privileged password management, session monitoring and recording, least privilege enforcement, endpoint privilege management and privileged threat analytics to help organizations defend against advanced persistent threats and insider threats.
Specifically, many organizations rely on passwords to authenticate users and systems to these privileged accounts.
A digital password vault authenticates the privileged users so they can select the necessary accounts and passwords. The password is checked back into the vault once a privileged user’s session on the shared/group resource ends, providing the agency with more control. A key security component is that no one has access to the passwords directly, not even the vault administrator. Privileged accounts represent one of the largest security vulnerabilities the public sector faces today. “To achieve proactive security for their users and their information, federal agencies need an expert system for privileged account security that provides management and monitoring as well as targeted, immediately actionable alerts,” said Liran.
Tactic 7: Recruitment and Retention
What it is
About 31 percent of federal employees are eligible to retire this year, and state and local governments are seeing retirement rates rise, making recruitment and retention of workers particularly important in the evolving cyber arena.
See it in action
At the beginning of the year, OPM launched CyberCareers.gov. Part of the Federal Cybersecurity Workforce Strategy, the website offers resources to job-seekers, managers and supervisors, and serves as a platform for recruiting new hires, including students. Site visitors can see job listings or read bios of people in the field, while hiring managers can review tips on how to use hiring authorities and how to reach target audiences such as veterans.
At the state level, Maine changed its approach to IT interns in 2014, giving them a business problem to research and solve, and asking them to write code, rather than pour coffee, CIO Jim Smith said. Additionally, the state partners with community colleges, universities, career centers, technical programs and veterans resources to educate the upcoming workforce about available technology jobs.
How you can do it
1. Align your compensation and incentives to be competitive with the private sector. Refer to OPM’s Compensation Flexibilities to Recruit and Retain Cybersecurity Professionals guide for specifics, but think telework options and an attractive benefits package.
2. Bring in new talent through the CyberCorps Scholarship for Service program, an OPM program targeting federal information assurance professionals through scholarships for full-time students, plus stipends of $22,500 for undergraduates and $34,000 for graduate students.
3. Once you’ve hired someone, keep them on board by offering them opportunities to further their studies, try new positions within or outside the department through rotational assignments and develop their cybersecurity career path.
Industry Spotlight
Developing a Data-Centric Security Strategy
An interview with J.R. Cunningham, Senior Director of Field Operations for Optiv’s Advisory Services Practice
Network security is no longer just an IT issue. Every employee has a part to play in ensuring that government data and assets are secure. But security and technology professionals in particular are charged with strategizing how best to secure a network that cannot be defined by boundaries. It isn’t self-contained, and it can stretch across states and countries.
“The network is a combination of our on-premises network, our cloud presence and our mobile devices,” said J.R. Cunningham, Senior Director of Field Operations for Optiv’s Advisory Services Practice in an interview with GovLoop. “The network has changed in the sense of we don’t have as much control over the physical premises of the network as we once did.”
There was a time when agencies could point to hardware and software as being “the network.” That’s not the case anymore. It’s nearly impossible to define where the network starts and stops because it is vast and ever changing. There are third-party vendors and other partners that also play a role in keeping the network secure, so collaboration is key.
One of the biggest drivers of evolving network security is the fact that business and mission requirements are changing. “We are in a data centric world where access to apps and information is critical, and the end user community is less concerned about the physical infrastructure,” Cunningham said. “We are less concerned about the where and more concerned about the what.”
With all of these changing dynamics at play, agencies must place a high priority on being nimble and adapting to changing network security needs. “Rather than being infrastructure-focused, we have to move our security strategy to being more data and identity-focused,” Cunningham said.
Government agencies and their private sector counterparts are focusing on understanding key pieces of information, including what sensitive data they own, where the data is located, what protections are being used to secure the data and what real threats are coming against the organization and putting data at risk. Now more than ever, data security is key to a strong network security strategy.
Agencies also have to focus on identity management, which means providing data access to the right people and ensuring you don’t provide access to the wrong people. When building strong identity management controls, agencies should first determine who needs access to what information. For example, agencies will likely need to provide data access to internal employees, contractors and the public. Each of these use cases will require different approaches to security because the sensitivity level of the data varies. Agencies also have to think through what critical assets or data they own and where they are located. Knowing this information will help dictate security practices, too.
But one of the challenges agencies face is how to balance security and accessibility. “We don’t have the ability in cyberspace to lock everything down,” Cunningham said. People need access to information and systems to do their work, and this inherently introduces information risk. “We have to be precise about the way that we implement controls,” he said. “If I can’t see the data or if I don’t understand what my user community’s behavior is, I end up taking a shotgun approach and putting controls in places where they might not be necessary.”
This is not a set-it-and-forget-it exercise. Agencies should adapt their security strategy as business needs change. Being nimble and increasing visibility of your data will position your organization to better respond to security incidents when they occur.
To do this, there are vendors that can help you, like Gigamon and Optiv. Gigamon, a network visibility and traffic monitoring company, provides pervasive visibility into physical, virtual, and cloud environments so organizations can see the data in motion across their entire network. Organizations use the Gigamon Visibility Platform to make it easier to manage, secure and understand all their data, enabling stronger security and enhanced network performance. Optiv works with agencies to answer key questions about the critical assets they own, where they are located, who is after those assets and how to protect them.
“Our focus is on enabling government customers to take a data and identity centric approach,” Cunningham said. “This is not simply a technology problem but an information risk challenge and governance issue,” he added. “Together we educate clients on having the tools and technology to have visibility of their critical data and determine where they will accept, mitigate or transfer risk.”
Conclusion
As we have seen, there is no one right approach to cybersecurity. Every agency has different needs, and those needs are constantly evolving as technology advances and threats persist. But one constant does emerge: the need for collaboration. State, local and federal government entities can’t handle cybersecurity in a vacuum. With challenges such as tightening budgets and workforce hemorrhages coinciding with threats that keep changing and multiplying, governments need the expertise, experience and tools that outside resources can offer. Those resources take many forms themselves: institutes of higher education; elementary, middle and high schools; government leaders; the private sector and intergovernmental partnerships.
The challenges also force agencies to get creative in their cybersecurity approaches, push their comfort zones to open themselves to ethical hackers and information-sharing groups, burst their traditional bubbles by partnering across borders and put more work previously handled by humans in the trust of AI and machine learning systems. That’s because there’s one more certainty when it comes to the unpredictable world of cybersecurity: It remains a top concern for governments at every level.
ABOUT & ACKNOWLEDGMENTS
About GovLoop
GovLoop’s mission is to “connect government to improve government.” We aim to inspire public-sector professionals by serving as the knowledge network for government. GovLoop connects more than 250,000 members, fostering cross-government collaboration, solving common problems and advancing government careers. GovLoop is headquartered in Washington, D.C., with a team of dedicated professionals who share a commitment to connect and improve government. For more information about this report, please reach out to info@govloop.com. www.govloop.com | @GovLoop
Special Thanks
Thank you to Citrix, CyberArk, DLT Solutions, Gigamon, Optiv, SolarWinds, Symantec, Thundercat Technology and Veritas for their support of this valuable resource for public sector professionals.
AUTHOR
Stephanie Kanowitz, Writer
DESIGNER
Megan Manfredi, Junior Graphic Designer
1152 15th St. NW Suite 800 Washington, DC 20005 P: (202) 407-7421 | F: (202) 407-7501 www.govloop.com @GovLoop