The State of
Government’s Cybersecurity
The State of Government Cybersecurity | 1
A GovLoop Guide | 2
Contents

Threats in Government Today .......... 2
The New Direction of OPM’s Cybersecurity .......... 4
Building Security with Advisory Services .......... 7
Cyber by the Budget .......... 8
The New Leaders of Cybersecurity .......... 10
Making the Most of Your Threat Intelligence Data .......... 13
The Role of the CISO .......... 14
Organizing Cybersecurity Management .......... 16
Conquering the Data Deluge with Information Governance .......... 19
The Challenge and Opportunity of Technology .......... 20
Bridging the Private-Public Sector Divide .......... 22
Enhancing Security While Achieving Unparalleled Application Performance .......... 25
The Cyber Workforce Deficit .......... 26
Automating Access Controls for Better Security .......... 31
The Legislative Approach to Cybersecurity .......... 32
The Right Investments to Safeguard Against Insider Threats .......... 37
Cyber Initiatives: Where Government Stands .......... 38
Moving Toward a Holistic Cybersecurity Experience .......... 43
Executing CNAP at GSA .......... 44
How the Evolution of IT Networks is Shaping Cybersecurity .......... 47
Conclusion .......... 48
About & Acknowledgments .......... 49
Executive Summary

With cyberattacks constantly targeting specific points of the government IT infrastructure, it’s easy to get lost in the minutiae of cybersecurity. Do we have any zero-day vulnerabilities? What patches need to be deployed? Are all of our endpoints secured? While IT professionals have to consistently ask and answer these questions to safeguard the government enterprise, it’s equally important that agency leaders consider the larger landscape of cybersecurity. Knowing the context of cyberattacks, as well as how other government organizations are countering them, empowers leaders to address threats with more knowledge and understanding.

This GovLoop guide provides an overview of the current cybersecurity landscape in government. In it, we explore:
• The evolution and increase in cyberattacks over time
• The cyber priorities of current government organizations
• The challenges and opportunities presented by evolving technologies
• The new roles, initiatives and organizations being created to counter cyberthreats
• Unique perspectives from current cybersecurity leaders in government

This guide takes a step back from the intricacies of information technology and security management to consider the larger implications and progress of government cybersecurity. It highlights different aspects of the field – legislation, technology, initiatives and more – from a broad perspective, in order to give you an understanding of cybersecurity today.
Threats in Government Today

FY 2015 Observed Depth of Intrusion (295 incidents)
level 1: business DMZ, 230
level 2: business network, 39
level 3: business network management, 3
level 4: critical systems DMZ, 0
level 5: critical system management, 1
level 6: critical systems, 22

FY 2015 Incidents by Sector (295 total)
critical manufacturing, 97
energy, 46
communications, 13
dams, 6
chemical, 4
commercial facilities, 3
defense industrial base, 2
Also charted, with counts not legible in this copy: water; transportation systems; information technology; healthcare & public health; government facilities; food & agriculture; financial; nuclear reactors, materials & waste; unknown.

FY 2015 Incidents by Infection Vector (295 total)
unknown, 110
spear phishing, 109
network scanning/probing, 26
weak authentication, 18
other, 17
abuse of authorized access, 7
brute force, 4
SQL injection, 4

Source: NCCIC/ICS-CERT Year in Review
Reported Federal Cybersecurity Incidents

Fiscal year | CFO Act agencies | Non-CFO Act agencies | Total
FY 2013 | 57,971 | 2,782 | 60,753
FY 2014 | 67,196 | 2,655 | 69,851
FY 2015 | 75,087 | 2,096 | 77,183

Source: whitehouse.gov
Top 10 Overall Performers with Strongest Security Postures (Security Scorecard grades)
Clark County, Nevada
U.S. Bureau of Reclamation
Architect of the Capitol
Hennepin County Library
City of Phoenix
Central Intelligence Agency
Federal Trade Commission
National Science Foundation
Clerk of Circuit Court, Hillsborough County
New York State Education Department
Grades shown on the chart: 96.5, 98 and 99.5 (which entries they belong to is not legible in this copy).

Industry Ranks: Bottom Performers
Non-Profit
Transportation
Healthcare
Legal
Energy
Pharmaceutical
Telecommunications
Education
Government

Source: 2016 U.S. Government Cybersecurity Scorecard
The New Direction of OPM’s Cybersecurity

An interview with Clifton Triplett, Senior Cyber and Information Technology Adviser at the Office of Personnel Management

In the aftermath of a massive security breach and the resignation of its director, the Office of Personnel Management (OPM) has taken 2016 as an opportunity to re-evaluate internal processes and strengthen its cybersecurity defenses. As part of those efforts, OPM appointed Clifton Triplett as Senior Cyber and Information Technology Adviser. Since taking on this new role in November 2015, Triplett has been charged with strengthening the agency’s cybersecurity posture, advancing its cybersecurity-related goals, and collaborating with a broad spectrum of interagency partners and stakeholders. In an interview with GovLoop, Triplett shared his current priorities, as well as challenges and opportunities facing OPM in its pursuit of improved IT security.

A New Face at OPM

With experience at some of America’s largest companies and industry leaders in global defense, automotive, oil and gas, and telecommunications, Triplett was an ideal fit for the Senior Cyber Adviser position. At the time, it was critical for OPM to have an individual who was familiar with private sector best practices and able to bolster the agency’s cyber operations. In addition to strengthening interagency and cross-sector partnerships, Triplett’s duties include improving cybersecurity education and awareness. “My role is to assist with the development of people and processes, and the effective use of technology,” Triplett said. “What I predominantly do is help clear roadblocks, including communications, a lack of understanding, and education. Over the last six months, I’ve been able to increase awareness and understanding across the organization and with our partners.” Triplett reports directly to the OPM Acting Director and serves as a key advocate for advancing the state of enterprise architecture and cybersecurity, including technology investments, capabilities and services. Working alongside OPM’s acting CIO and the newly appointed CISO, Triplett also supports the ongoing response to past cyber incidents, development of OPM’s plan to mitigate future incidents, and further improvements to best secure OPM’s IT architecture.

OPM’s Progress

Triplett credits partnerships and collaboration as key to addressing cyber threats. He remains optimistic that with such partnerships, the agency will be able to take swift action to protect OPM’s assets and strengthen the resiliency of its networks and systems.

“Upon discovering the breach and the immediate aftermath, OPM was able to work with its federal partners,” Triplett said. “We gain great value from the working relationships we’re able to establish with other agency partners, specifically DHS. Since then, we’ve also been able to work with and gain value from working with other agencies more closely like DoD and DISA.” OPM is making significant progress, and Triplett emphasized how the agency is trying to build on the momentum already underway in these seven areas of focus:

1. Strong Authentication: OPM has implemented multi-factor authentication across the agency’s network. With two-factor authentication, the agency can better mitigate potential outside and inside threats by making it more difficult to steal identities or access important information.
2. Continuous Monitoring: OPM is leading the implementation of DHS’s Continuous Monitoring program. As the first agency to complete the deployment of the DHS toolset defined in the Continuous Diagnostics & Mitigation (CDM) program, OPM is better positioned to identify risks on an ongoing basis, prioritize these risks based on potential impacts, and mitigate accordingly.
3. Team Organization: “We created this new position [my position] that reports to the director, and I think that has helped sharpen the understanding and focus on our cyber initiatives,” Triplett said. Additionally, OPM established a CISO position with dedicated staff to support cybersecurity efforts. The establishment of this team has resulted in greater structure and momentum in the advancement of OPM’s cybersecurity capabilities. “Our people have made a difference!”
4. Malware: OPM strengthened its focus on combatting malicious code and viruses. As cyber threats increase in sophistication, it’s important for the agency to develop better toolsets to combat hostile threats that could affect entire federal networks.
5. Data Protection: “We’ve implemented data loss prevention technology, which automatically prevents sensitive information, such as social security numbers or other personally identifiable information, from leaving our network unauthorized,” Triplett said. He added, “This is very powerful for an agency trusted with sensitive information.”
6. Training: In combatting the shortage in cyber skills and workforce, OPM has spent much time and energy on cybersecurity awareness training for its existing employees, and has further augmented the team with additional talent to assist in mentoring and advancing the overall capabilities of the organization. The agency placed emphasis on training all of its employees to identify malicious threats, with a focus on phishing. The perspective is that cybersecurity awareness should not be left to the IT staff alone but should be agency wide.
7. Encryption: OPM has now fully encrypted its network traffic on all internal networks. This is especially important in helping to keep important information secret and secure so that it does not fall into the wrong hands.

Priorities Moving Forward

In addition to these seven issue areas, OPM has continued to work to implement its IT Infrastructure Improvement Project to address the agency’s aged infrastructure and strengthen security protections. The project includes a full overhaul of the agency’s technical infrastructure by implementing additional IT security controls and then migrating the entire infrastructure onto a modern operating environment, under an initiative referred to as Shell.

“During the initial stages we bought new equipment, software, and brought in new talent,” Triplett explained. “The equipment has been delivered and configured and we are now beginning to use the equipment in terms of test and development. This is giving us the foundation we need to move some systems on older equipment approaching obsolescence to newer technology and concurrently assist the agency in data center consolidation.”

This is only the tip of the iceberg when it comes to OPM’s plans for improved cybersecurity. Triplett was able to focus the agency on four main near-term priorities – mitigate cyber risk, mitigate operational risk, optimize operating positions in terms of cost and efficiency, and modernize technology and functionality. Those priorities reflect both the need to confront constrained resources and the evolution of OPM’s thinking on cybersecurity. “Mitigation was obviously important as a first priority, and then migration helped us relieve cost burdens to allow for the acceleration of our modernization programs,” Triplett said. “Right now, we’re seeing the dollar shifting towards cost-optimization, such as virtualization and data center consolidation.”

By standardizing and consolidating its IT infrastructure, OPM can gain greater visibility into its cyber environment, while also decreasing operational and acquisition costs. Triplett hopes that OPM will conclude the consolidation of its data centers and systems over the next couple of years. “We can then really focus on our investment towards the modernization and continuing evolution of our systems,” he said. “Then, we can continue to have the money required to best serve our constituency.”

As with the majority of government agencies, one of OPM’s most significant challenges concerning cybersecurity is budget. In addition to constrained resources, Triplett noted that agencies have a vast number of constantly shifting priorities that compete for those resources. Tight budgets also create fast-shifting priorities. “We have tremendous momentum right now,” Triplett said. “We would not have been able to achieve so much if we didn’t have the full support of our organization, our partners, and Congress. [But] we’re in an environment where the threat continues to evolve at an increasing rate, and therefore, we need to maintain this momentum.”

Triplett’s new position certainly didn’t come without its challenges. Yet while there are many obstacles facing OPM, there are also many new emerging opportunities for the agency in cybersecurity. The agency has been at the forefront in terms of federal leadership in cybersecurity initiatives. With leaders like Triplett, the future of cybersecurity in government seems ever brighter.
Printer security breach? Not on your watch.

Defend your network with the world’s most secure printers.(1) New enterprise HP LaserJets with JetIntelligence provide the industry’s deepest printer security.(1) Features including HP Sure Start with its self-healing BIOS, whitelisting, and runtime intrusion detection come built in. hp.com/go/printersthatprotect

(1) The world’s most secure printers and deepest level of security: Based on HP review of 2015 published embedded security features of competitive in-class printers. Only HP offers a combination of security features for integrity checking down to the BIOS with self-healing capabilities. Available on the HP LaserJet M527, M506, M577 and as an upgrade on the M552, M553, M604, M605, and M606. Some features will be made available as an HP FutureSmart service pack update on selected existing Enterprise printer models.
(2) Ponemon Institute, “Annual Global IT Security Benchmark Tracking Study,” March 2015.

© Copyright 2015 HP Development Company, L.P.
INDUSTRY SPOTLIGHT

Building Security with Advisory Services

An interview with Ronald Chestang, Senior Security Consultant, and Michael Howard, Chief Security Advisor at HP

“At all levels of government, what we’re seeing is that agencies are in a very reactive mode when it comes to cybersecurity,” said HP’s Chief Security Advisor Michael Howard. “The number of attacks is on the rise and agencies are being bombarded from all sides. Keeping up with the security toolsets that need to be in place to confront cybersecurity threats today is extremely challenging.”

In an interview with GovLoop, Howard and Ronald Chestang, Senior Security Consultant at HP, explained how security advisory services can help agencies navigate the complexities of IT security while also bridging resource and workforce gaps. Specifically, Howard and Chestang emphasized the need to seek assistance in securing printers. It is difficult for many agencies to evolve their digital toolsets while still ensuring robust print security. What’s more, many agencies have trouble finding IT staff with the know-how to implement and manage those print security systems.

“Printers are one of those areas that have always been overlooked but it’s important to realize that they are sitting on the network,” Howard said. Even as we move into the digital era, printers remain a core component of operations. They are also a critical vulnerability. “It is critical to understand the risks around printers, as well as the advantages of securing them from both a cost perspective and a control perspective,” Chestang said.

To bridge the gap between resources and security needs, many agencies are turning to third-party providers for tools and expertise. “We are seeing more organizations outsourcing security simply to get additional resources,” said Howard. “It’s something that agencies are going to have to do in order to get the technologies and people they want in place in a timely and an effective manner.” However, bringing in third-party providers isn’t always a smooth process. “We’ve seen it go both ways,” Howard continued. “Some organizations say outsourcing didn’t work as effectively as they hoped because they lost some control over their security. But on the flipside, other organizations say it gave them immediate relief.”

HP’s Print Security Advisory Services places greater control in the hands of agencies by first giving them a full view of their environment and its potential vulnerabilities. “This all of a sudden opens the environment where a CISO now has 100% visibility,” Howard said. “He can see what’s going on in the environment, and then can start controlling it.” After an initial assessment of the printer infrastructure, the advisory team and HP can help formalize and implement security protocols. One such protocol is consolidation and access control, which allows appropriate users to use agency printers and ensures unauthorized users don’t have access to these security points.

The key to achieving the best results lies in choosing the right security advisory service that can adapt to the unique needs of your agency, giving administrators ultimate control over the process and procedures of security while bringing in the technical expertise to execute those goals. “All the CISOs that I’ve talked with said this collaboration is perfect, because they don’t have the time to train somebody specifically in print security,” Chestang said. “So they would rather partner with HP and let us be the experts. We work with their teams to make sure that we’re aligning the print security policies with their overall IT security policies.”

“It’s always a challenge with outsourcing, especially if agencies haven’t done it before,” agreed Howard. “But if you do it right, there are significant advantages. You get immediate toolsets in place and you get personnel in place that are already trained on how to use those toolsets. You can see immediate results.”

As agencies manage the many disparate components of the cybersecurity environment, it’s easy to focus on the newest digital technologies while missing the threats that have always been connected to your network. Yet printer security is a vital component of any protected IT infrastructure. To ensure agencies are effectively secured across their entire network, it’s critical to seek assistance from third parties who know the intricacies of printer security and marry those details to your mission’s specific needs.
Cyber by the Budget

$19 billion
In the president’s 2017 budget proposal, the administration requested a more than 35 percent increase in funds from FY 2016 as a means “to support a broad-based cybersecurity strategy for securing the Government, enhancing the security of critical infrastructure and important technologies, investing in next-generation tools and workforce, and empowering Americans.” This money will largely be used to support the Cybersecurity National Action Plan and its associated directives. Other appropriations within the proposal, however, indicate additional cybersecurity priorities at the federal level. Those allocations are indicated below. Source: whitehouse.gov

$318 million
Recognizing a need to further explore innovative technological solutions to cyber challenges, research and development investments at federal civilian agencies will receive continued and greater funding in 2017.

$3.1 billion
The Information Technology Modernization Fund will help agencies retire legacy technologies and replace them with newer, more secure IT systems. The revolving fund will also be used to ensure agencies maintain critical systems not yet at the end of their lifecycle with appropriate security measures.

$62 million
The cyber workforce shortage, as well as a skills gap in current government personnel, will be addressed with the funding of a cybersecurity reservist program. These funds will also be used to expand cybersecurity educational programs at academic institutions across the country, providing more opportunities for current and potential public servants to acquire cyber skills.

$24.2 million
Because the nation’s critical infrastructure is increasingly reliant on software, part of the cybersecurity budget will be dedicated to supporting the DHS Science and Technology Directorate’s software assurance efforts. This initiative is focused on identifying and repairing vulnerabilities in software before attackers can exploit them to harm our energy grid, transportation system, telecommunications or other public services.

Up to $4 million
To be used by the Department of Health and Human Services “to increase the agency’s ability to utilize auditing and investigation authorities with respect to cybersecurity, as well as to increase cyber threat information sharing within the health care sector, and improve awareness of cybersecurity by patients, practitioners, and medical companies.”
The New Leaders of Cybersecurity

Government’s perspective on cybersecurity responsibility is evolving in two seemingly divergent ways. On the one hand, it has become a common idiom in government that “cybersecurity is everyone’s job.” Every employee has some role to play in keeping agency data and IT secure. On the other hand, many agencies at the state and federal levels are creating new leadership positions to place responsibility squarely on the shoulders of specific individuals. Why? In reality, these new leadership positions complement the understanding that every employee has a role in cybersecurity by addressing the need for management across a wider array of players. These leaders coordinate among different departments and employees, creating common policies and expectations around cyber strategy. They also provide a single point of contact for any team that may need additional guidance or support.

Chief Risk Officer

The CRO should “empower the agency to identify events that could negatively or positively impact the agency’s ability to meet its mission and objectives and to effectively manage the negative events, risks, while reaping the full benefits of the positive events, opportunities.” In the arena of cybersecurity, the CRO specifically focuses on proactively reducing vulnerabilities in the IT infrastructure and workforce processes that could expose government organizations to cyber risks.

The Evolving Role of the CIO

The Chief Information Officer has always been in charge of data and IT within government agencies. The level and execution of that responsibility, however, has varied from agency to agency for many years. In December 2014, Congress approved the Federal Information Technology Acquisition Reform Act (FITARA) to address that inconsistency. FITARA streamlined and enhanced the role of the federal CIO. Chief among those new responsibilities is the requirement that agency CIOs approve the IT budget requests of their respective agencies and certify that IT investments are adequately implementing OMB’s incremental development guidance. In other words, every agency CIO now has direct oversight into how their IT is procured, deployed and managed. That means the CIO can more closely monitor how security is built into new solutions and how that security is maintained over time.

Chief Privacy Officer

Corporations have long employed CPOs to manage data protection and customer privacy concerns. In the early 2000s and 2010s, federal agencies like DHS and the Department of Education also incorporated this position into their organizational structure to ensure citizens’ data is equally protected in the public sector. Now, CPOs are starting to take leading roles in state governments too. Ohio, West Virginia, South Carolina and Washington are the first four states to establish the position. Those state CPOs will determine how citizen data is collected, stored and shared across various state entities.

Chief Information Security Officer

Several federal agencies, including the VA, NASA and USDA, already have a CISO. As part of the Cybersecurity National Action Plan (CNAP), the government is hiring its first CISO to oversee the entire federal enterprise. According to the job announcement, the CISO is “responsible for advising OMB and agencies on federal cybersecurity policy strategy and oversight across federal information technology systems.” In other words, the federal CISO will coordinate and enforce cybersecurity initiatives across agencies. On the state level, we’re also seeing this role created in many governments to make sure IT shops and non-technical leadership communicate across agencies and departments to craft holistic cybersecurity strategies.
The future of technology is more secure than ever.

Intel® Security combines the expertise of McAfee® with the performance and trust of Intel to deliver secure computing to consumers and businesses worldwide. We believe that as technology becomes more deeply integrated into life, security must be more deeply integrated into technology. Because when everyone has the confidence to use technology to its full potential they can achieve their full potential. Visit intelsecurity.com.

McAfee is now part of Intel Security. Intel and the Intel and McAfee logos are trademarks of Intel Corporation or McAfee, Inc. in the US and/or other countries. Other marks and brands may be claimed as the property of others. © 2016 Intel Corporation. www.intelsecurity.com
INDUSTRY SPOTLIGHT

Making the Most of Your Threat Intelligence Data

An interview with Ned Miller, Chief Technology Strategist, US Public Sector at Intel Security

Right now, determining best practices for harnessing threat intelligence data is a popular topic for government and cybersecurity. But what’s often left out of the discussion is the importance of interoperability and automation along with the ability to share actionable intelligence across a cyber-defensive grid. As a result, government has yet to really tackle cyberthreats in real time.

Intelligence data is only half the equation in addressing malware and cyberthreats. Most agencies rely on siloed security infrastructures where staff and products rarely communicate well with one another. Additionally, a shortage of trained security staff and a lack of automated processes result in inefficiencies and protection gaps.

In an interview with GovLoop, Ned Miller, Chief Public Sector Technology Strategist at Intel Security, a security solutions provider, shared the importance of interoperability paired with adaptive threat prevention and how Intel could help agencies move away from siloed security technologies and systems.

Adaptive Threat Prevention

Miller shared the essential elements of adaptive threat prevention: interoperability and automation. “Interoperability in this context is best described as the ability to improve effectiveness and efficacy,” Miller said. “The active sharing of data and processes makes it possible for every security control to leverage the strengths and experiences of the other security tools that are part of the overall security infrastructure.” This approach replaces traditional, disconnected infrastructures and promotes collaboration to achieve a more sustainable strategy against complex threats.

Additionally, automation helps agencies be more proactive in tackling cyberthreats. Rather than treating each malware interaction as a standalone event, adaptive threat prevention integrates processes and data through a more efficient messaging layer, which facilitates communication between distributed systems. This approach seamlessly connects end-to-end components through automation, allowing administrators to generate and consume as much actionable intelligence as possible from each process.

What’s clear is that keeping systems, people, and processes disconnected will only impede government’s ability to mitigate threats. Silos keep agencies from being proactive and limit them to what Miller called “firefighting mode,” where they detect and react to the threat after the damage has already been done. Interoperability and the shift to adaptive threat prevention enable agencies to better detect threats before they become serious problems. “Interoperability and integration improve effectiveness, period,” Miller said. “When agencies are kept in firefighting mode, they are pouring human resources into every breach.”

With adaptive threat prevention, agencies integrate their teams, tools, and processes to detect and address threats ahead of time and use their threat intelligence in more sustainable ways.

The DXL Platform

Tools like Intel Security’s Data Exchange Layer (DXL) allow agencies to apply these three action items (interoperability, automation and sharing actionable intelligence) and take advantage of real-time command and control options for otherwise inaccessible systems. DXL is the foundation for enabling the ideal adaptive security ecosystem. It’s a near real-time communications fabric that allows security components to share relevant data among endpoint, network, and other IP-enabled systems. Using tools like DXL, agencies can harness better automated response, reduced response time, and better containment of any threats. “To accelerate the process and keep up with the enormous volume of sophisticated threats, security architectures must undergo a significant evolution and be able to start in real-time,” Miller said. “The goal of the DXL platform is to promote an open collaborative security platform that enables active command and control, assists with interoperability, and ensures consistency as well as speed of outcome.”

With solutions like DXL, agencies can:
• Create an integrated security ecosystem that works across vendors. The open platform connects security products and solutions from multiple vendors for bi-directional security information sharing.
• Reduce costs and increase value. DXL unites disparate security technologies into a single coordinated system. By doing so, it drives costs lower, streamlines protection and response, and shifts valuable security team resources away from manual tasks and tactical fire drills.
• Identify more threats faster. Security components connected through DXL instantly share contextual insights while delivering immediate threat protection.

It’s clear that adaptive threat prevention through actionable intelligence is the way to move forward in cybersecurity. The question is how agencies can take advantage of their actionable data and use it in the most efficient way possible. With tools like DXL, government can now harness interoperability and automation, stop being “firefighters,” and start being better public servants.
The Role of the CISO An interview with Agnes Kirk, Chief Information Security Officer for the state of Washington When you think of a Chief Information Security Officer’s (CISO) job description, you probably think of something like “establish business objectives while overseeing the protection of an organization’s technological assets.” It all sounds pretty straight forward. But if you talk to the state of Washington’s CISO, Agnes Kirk, you’ll quickly understand a CISO must wear many hats when it comes to managing government and cybersecurity. Not only does she set the mission and pace for the state while managing its technological assets, but she also helps the state combat a variety of cultural and organizational cybersecurity challenges. In an interview with GovLoop, Kirk shared the many roles she plays as CISO, as well as the ways the state is working to improve its cybersecurity posture.
The Different Hats of a CISO

For Kirk, a day on the job can entail working on any number of diverse tasks and priorities related to cybersecurity. When we asked what her responsibilities entailed, she responded with a laundry list of duties including:
• Establishing statewide IT security policy and standards
• Reviewing technologies and IT projects for proper security controls
• Partnering with federal counterparts to ensure a coordinated response to cyberthreats
• Building relationships with universities, the private sector, and vendor communities
• Educating government employees and private sector organizations on cybersecurity best practices, skills, and resources

Outreach is a big part of Kirk’s role as CISO. “The security community is all about trust,” Kirk said. “We build relationships before there is an event or emergency so that we know who to reach out to when something happens.” Every month, she and her team hold technical training for state agencies and their staff on security-related issues. Additionally, Washington partners with many federal counterparts to craft holistic messaging and get more resources into the hands of agencies. A major point of their outreach efforts happens every October, during Cybersecurity Awareness Month. “This year, we’ve been invited by DHS to cohost their national launch of Cybersecurity Awareness Month in Seattle,” Kirk said. “We’re going to make it 3 days of events so we can do further outreach to educate our citizens, businesses, and those in the public sector.” One of the themes of the event is privacy and security. “We’re going to have a privacy of law cyber panel that discusses privacy issues that impact consumers in the digital age,” Kirk said. “We really want to help people understand how they can manage their digital footprint.” Kirk also works to establish formal mechanisms and organizations to support her office’s messaging.
She helped establish the Pacific Northwest CISO Community, which meets quarterly to share challenges in cybersecurity as well as best practices, like compliance training and securing an organization’s infrastructure.
Building the Cyber Workforce

However, Kirk emphasized that she can’t perform the role of CISO alone. She depends on her team to get the jobs done. “You’re always having to juggle priorities, but I have an outstanding team of security professionals that help carry those roles,” she said. “I can only be as successful as we are as a team that works together and collaborates.” That means Kirk needs skilled professionals to help get the job of cybersecurity done. Unsurprisingly, one big priority for the state is educating and building the cyber workforce. To address the serious shortage in the cyber workforce, the state partnered with other state governments, higher education, and the private sector to launch a pilot program, through a grant from NIST, called Cyber4Vets. Though the program ended in March, Cyber4Vets helped connect at least 156 veterans and transitioning service members with existing cybersecurity educational programs in Washington State and was a great force in helping to increase the talent pool of cybersecurity professionals. In addition to building the workforce through such programs, Kirk and her team focus on educating the next generation of IT professionals. They reach out to universities and even K-12 programs to encourage youth to choose cyber careers. Educating and developing the cyber workforce means no one is too young to start learning about cybersecurity. “We have one of the five national cybersecurity centers of excellence with a community college,” Kirk said. “We talk about their programs, ask students to share their insights, and have employers talk about the success of hiring folks out of that program.” Another creative strategy to drive growth in the cybersecurity workforce is to adopt private sector practices. On October 6th, as part of Cybersecurity Awareness Month, Washington state will also be hosting a “Shark Tank-like” event to drive innovation in cybersecurity.
“We’re going to have entrepreneurs do a fast pitch about their startup product or service to multiple venture capitalist groups,” Kirk said. “It’s an opportunity to help educate and open up opportunities for those small businesses in cybersecurity.” Altogether, Kirk explained that the best strategies to develop the cyber workforce include increasing early education, developing partnerships with the private sector to train more cyber professionals, and driving innovation to incentivize more people to join the cyber workforce.
Tools and Support

In addition to being a manager and educator for cybersecurity, a CISO wears the hat of IT professional as she oversees an organization’s technologies and support programs for cybersecurity. That’s no easy task, but it does allow Kirk to work with and help develop a number of exciting new tools and gadgets. Take the state of Washington’s recently expanded Office of Cyber Security (OCS), for example. The office was established to better support other agencies and state and local counterparts in improving their own cybersecurity posture. The Washington State Security Operations Center (SOC) monitors and manages all aspects of the perimeter security in near real-time, from a single, centralized location. “We also have a team that helps agencies assess their current security posture and develop recommendations and prioritization for mitigating future threats,” Kirk said. “Additionally, we provide on-the-ground consultative support so we can design strategies customized for them. We try to fit the right training for the right types of responsibilities people have.” This is especially important in addressing the cultural shift in organizations where security is no longer just an IT responsibility, but everyone’s responsibility. “We like to help with training and education because it’s just as important for the receptionist to understand that she is probably the first line of an attack for a cyber hacker,” Kirk said. For its approximately 7 million citizens, the state also provides a single sign-on portal, Secure Access Washington, for constituents and businesses to better deliver services while maintaining security. The portal allows users to access multiple online government services with a single user ID and password or a higher level of security. Citizens and businesses then only have to remember one credential rather than one for each service they use. Kirk estimates that the portal has about 2.8 million active users now.
Secure Access is just one of many ways Kirk has ingrained security into the daily operations of Washington State. These mechanisms are absolutely necessary. The many hats of a CISO would sound overwhelming to many. But, as Kirk proves, with the right strategy, team, outreach, and technologies, it certainly can be done.
Organizing Cybersecurity Management

While many agencies are creating leadership positions dedicated to maintaining information and technology systems, governments at large are also carving out space for more dedicated cybersecurity efforts. On the federal level, the Obama administration has created two new organizations to coordinate cybersecurity efforts and inform governmentwide policies. State governments are also establishing new departments and organizations, but with a heavier emphasis on cross-sector collaboration and resource sharing. A sample of new organizations at the federal and state levels is highlighted below.
Federal Government

Commission on Enhancing National Cybersecurity
Established in February 2016 and housed within the Department of Commerce, this bipartisan group of cybersecurity experts will “identify and study actions necessary to further improve cybersecurity awareness, risk management, and adoption of best practices throughout the private sector and at all levels of government.”

Cyber Threat Intelligence Integration Center
This organization was created in February 2015 to “connect the dots” between disparate cyber intelligence from across government and the private sector. Under the guidance of the Director of National Intelligence, CTIIC will coordinate cybersecurity information sharing and “assist relevant departments and agencies in their efforts to identify, investigate, and mitigate those threats.”
State Government

Indiana Executive Council on Cybersecurity
Established by Gov. Mike Pence in April 2016, this new council is composed of 23 administration officials, academics and private-sector experts. They will advise the government on strategies and implementation plans for better securing the state’s data.
Colorado National Cybersecurity Intelligence Center
Colorado lawmakers recently funded this center, under advice from Gov. John Hickenlooper. While not yet solidified, the governor “envisions the new center working in conjunction with the cybersecurity program at University of Colorado, Colorado Springs, containing a cyber academy for students and government officials, a research facility to help encourage investments in cybersecurity companies and a ‘rapid response’ program to help private sector firms respond to breaches and other cyberattacks.”
New Jersey Cybersecurity Commission
Proposed in the wake of a crippling denial-of-service attack at Rutgers University, the NJ Cybersecurity Commission, along with an appropriation of $50,000, is currently being considered by the state Legislature. The commission, which is likely to be approved this year, will be composed of 13 members. Six leaders will come directly from the higher ranks of the state’s government. The remaining seven seats will be equally distributed among private citizens with expertise in technology, business administration, public safety and education.
INDUSTRY SPOTLIGHT
Conquering the Data Deluge with Information Governance
An interview with Stephen Watts, Federal Strategist for Information Governance at Veritas

A flood of unstructured data is entering government, with no signs of slowing. This has serious implications for security, as unstructured data gives agencies less visibility, making them more vulnerable to cyberattacks. Additionally, agencies are struggling to gain control of runaway storage costs while security and compliance risks are increasing. That’s why government needs improved information governance strategies. In an interview with GovLoop, Stephen Watts, Federal Strategist for Information Governance at Veritas, defined information governance and shared its importance to government’s data management practices. Veritas is a market leader in information management solutions and focuses on data management solutions for organizations in both the public and private sector.
The Data Deluge
Watts highlighted the problems facing government with the growing flood of unstructured data, or “data deluge.” “There’s simply too much data, storage management costs are expensive, and there are users carrying around access to data they don’t need,” he said. “If we keep everything forever, storage costs grow, storage infrastructure grows, and management of this data is a problem.” He added: “Deleting data is what most people should be doing. The problem is a lot of people choose not to.”

This makes it harder for agencies to keep track of who’s using their data and for what purposes. Long-term employees who still have permissions to file systems from previous assignments, for example, may be insider threats looking to expose important information. Agencies need to go even further by not only monitoring users’ permissions but also monitoring their activities. “Looking at data is one thing,” Watts said. “But it’s also important to look at the user’s interactions with that data and see if any red flags emerge, such as someone who opens 50 files during the day compared to 6,000 files at night.” Additionally, all of this data makes agencies vulnerable and leads to high costs for storage space. “Gartner found that 69 percent of customers’ data is redundant, outdated, and trivial,” Watts said. That’s where an effective information governance strategy comes in.

Why Government Needs Information Governance

Information governance allows agencies to manage and understand their data’s age, location, and ownership. “The more you know about your data, the better decisions you can make to reduce your actual risk,” Watts said. Information governance is a strategy that focuses on people, processes, and technology to effectively identify and protect an agency’s most critical information, while simultaneously deleting information that contains no value.
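As an added illustration (not code from the interview or from Veritas), the two red flags Watts describes, night-time file activity out of proportion to daytime activity and permissions left over from a previous assignment, can both be checked against a file-access audit log; the log lines, user names, entitlement list and thresholds below are constructed assumptions.

```python
"""Flag two data-governance red flags from a file-access audit log:
users whose night-time file opens dwarf their daytime opens, and
share permissions that have not been exercised for a long time."""
from collections import defaultdict
from datetime import datetime, timedelta

NIGHT_START, NIGHT_END = 20, 6      # assumption: 20:00-06:00 counts as "night"


def parse_audit_log(text):
    """Parse constructed CSV lines 'timestamp,user,share,path' into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, share, path = line.split(",", 3)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "share": share, "path": path})
    return events


def is_night(ts):
    return ts.hour >= NIGHT_START or ts.hour < NIGHT_END


def day_night_counts(events):
    """Per-user counts of file opens during the day and at night."""
    counts = defaultdict(lambda: {"day": 0, "night": 0})
    for e in events:
        counts[e["user"]]["night" if is_night(e["ts"]) else "day"] += 1
    return counts


def night_activity_anomalies(events, ratio=10.0, min_night=100):
    """Users whose night opens are at least `ratio` times their day opens
    (and at least `min_night` in absolute terms, to ignore tiny volumes)."""
    flagged = {}
    for user, c in day_night_counts(events).items():
        if c["night"] >= min_night and c["night"] >= ratio * max(c["day"], 1):
            flagged[user] = dict(c)
    return flagged


def stale_permissions(grants, events, as_of, max_idle_days=90):
    """(user, share) grants not used within `max_idle_days` before `as_of`,
    i.e. access likely carried over from a previous assignment."""
    last_seen = {}
    for e in events:
        key = (e["user"], e["share"])
        if key not in last_seen or e["ts"] > last_seen[key]:
            last_seen[key] = e["ts"]
    cutoff = as_of - timedelta(days=max_idle_days)
    stale = []
    for user, shares in grants.items():
        for share in sorted(shares):
            seen = last_seen.get((user, share))
            if seen is None or seen < cutoff:
                stale.append((user, share))
    return stale


def build_sample_log():
    """Constructed audit log: jdoe opens 50 files during office hours;
    asmith opens 50 by day but 6,000 at night (the pattern quoted above)."""
    lines = []
    day0 = datetime(2016, 5, 2)
    for i in range(50):
        t = (day0 + timedelta(hours=9, minutes=i)).isoformat()
        lines.append(f"{t},jdoe,finance,/finance/q1/{i}.xlsx")
        lines.append(f"{t},asmith,hr,/hr/reviews/{i}.docx")
    for i in range(6000):
        t = (day0 + timedelta(hours=22, seconds=i)).isoformat()
        lines.append(f"{t},asmith,hr,/hr/records/{i}.pdf")
    return "\n".join(lines)


# Constructed entitlement list: user -> shares granted.
# "legacy-projects" is a grant left over from an old assignment.
SAMPLE_GRANTS = {"jdoe": {"finance"}, "asmith": {"hr", "legacy-projects"}}


def run_report(as_of=datetime(2016, 5, 3)):
    events = parse_audit_log(build_sample_log())
    return {"night_anomalies": night_activity_anomalies(events),
            "stale_grants": stale_permissions(SAMPLE_GRANTS, events, as_of)}


if __name__ == "__main__":
    report = run_report()
    for user, c in report["night_anomalies"].items():
        print(f"REVIEW {user}: {c['day']} day opens vs {c['night']} night opens")
    for user, share in report["stale_grants"]:
        print(f"STALE  {user} still holds '{share}' but has not used it")
```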
Tools like Veritas Data Insight allow agencies to determine what their data is, where it is located, and who is working with it. Then, once agencies have an understanding of their data, they can take action on it. Veritas Enterprise Vault helps agencies automate and manage their data by defining policies that can automatically archive email, files, SharePoint and other critical information sources, index it to make it searchable, and store it on premises or in the cloud. Enterprise Vault.cloud can address email retention and management to help save on storage costs by requiring no on-site infrastructure and including unlimited storage for a predictable monthly fee. Tools like Veritas’ eDiscovery Platform can be helpful with government’s compliance needs and responding quickly to legal matters and regulatory requests. Once policies are established, an agency can use this platform to automatically identify and classify data based on those policies.
California Department of Corrections and Rehabilitation
California’s Department of Corrections and Rehabilitation (CDCR) was able to take advantage of the compliance and data management benefits that come with information governance. CDCR is the largest state-run prison system in the country and manages a population of more than 118,000 inmates and juvenile offenders as well as over 46,000 parolees. It also operates 34 prisons, 3 juvenile facilities, and 50 parole offices, and employs over 29,000 peace officers. The department faces many legal challenges requiring IT and legal affairs staff to sort through mountains of stored documents in order to produce requested documents quickly and accurately. So the Department deployed Veritas Enterprise Vault and eDiscovery Platform to take its data from sitting in archives to being available on demand for legal purposes. With these new solutions, CDCR was able to:
• Reduce time and cost in reviewing requested information;
• Help legal staff produce and manage data without IT assistance;
• Save costs with cloud storage archiving; and
• Deliver faster performance, boosting productivity.

CDCR is a great example of a government entity that conquered its data deluge through information governance. While it may sound daunting to start defining data policies and managing data, Watts emphasized that agencies should not be intimidated. “The best place to start is by being informed,” he said.
The Challenge & Opportunity of Technology

Shadow IT

In the private sector, new devices are created every day to make our lives easier. Tablets let you work anywhere, smartphones give you access to information at any time and the newest watches even let you wear data on your wrist.

Today, many public servants are using these technologies to do their jobs better, with more flexibility and speed. But they aren’t always using approved devices for agency work. The problem? You can’t secure what you don’t know. While IT staff diligently apply protections to devices and other technology under their purview, undocumented employee technology often remains unsecured. That creates a significant vulnerability for agencies.

Expanding Endpoints

New technologies create new ways for both employees and citizens to connect to and engage with government information. But as devices, web portals and digital services multiply, more endpoints to the government network are created. That increases the attack surface of IT systems while simultaneously making it more difficult for IT managers to maintain visibility across their entire networks.

Employee Misuse

Technologies like collaboration platforms, mobile devices and virtualized desktops are often acquired and deployed to make a public servant’s work easier and more efficient. But as technologies diversify and increase within government organizations, many employees are finding it difficult to keep pace.

Within IT shops, agencies are struggling to fill empty positions with the highly sophisticated skillsets needed to truly secure this evolving technology. And even for those professionals who have the right skills, the sheer challenge of managing the credentials and privileges of so many different platforms can be overwhelming. Even in non-technical departments, a lack of know-how prevents many public servants from appropriately and securely using new devices and platforms. Beyond technical skills, simple management and daily use of these systems is ripe for misuse. As tools diversify, employees often seek ways to streamline and integrate these technologies with their workflow. That can result in workarounds – things like writing down passwords, sharing accounts or even adding new, insecure technologies that increase productivity at the cost of security.

Legacy Systems

Even as agencies pursue innovation with new technologies, most continue to rely on numerous legacy IT systems. Some of those systems are over 50 years old. That is a major security risk for agencies – so much so that federal CIO Tony Scott called it “a crisis that is bigger than Y2K” – because most of these technologies were not built with the security needed to battle today’s evolving cyberthreats. Additionally, retrofitting these systems with up-to-date security measures is both costly and time-consuming for IT staff.

The proposed $3.1 billion Information Technology Modernization Fund will help replace or improve many of the legacy systems at the federal level, but the fact is that every level of government will continue to operate outdated technologies given the enormous scale, stagnant speed and overwhelming cost of updates. That means IT leaders have to work on securing the vulnerabilities associated with these old technologies, even as they build security into new acquisitions.
Bridging the Private-Public Sector Divide
An interview with Gregory Touhill, Deputy Assistant Secretary of Cybersecurity and Communications, and Hala Furst, Cybersecurity and Technology Business Liaison, at the Department of Homeland Security

As resources diminish and cyberthreats escalate, it’s more important than ever that government adopt risk-based tactics to maximize security. In a recent interview with GovLoop, Gregory Touhill, Deputy Assistant Secretary of Cybersecurity and Communications, and Hala Furst, Cybersecurity and Technology Business Liaison, explained how the Department of Homeland Security (DHS) is assisting in that effort, both with best practices and private-sector collaboration.

“Best practices work,” Touhill said. “People often try to foster an environment of compliance but, from my perspective, the best way to do that is to build a culture of best practice. Best practices bring compliance; compliance doesn’t always bring best practices.” Touhill detailed the seven focus areas that DHS is prioritizing with other agencies. Those include:

1. Secure your back door. “You are only as strong as your third party vendor,” Furst said. Too often, agencies secure their own infrastructure without realizing that third-party provided solutions create critical vulnerabilities into secure systems. “For all the third party vendors out there, we really need to make sure that we’re spelling out our requirements and expectations. Then we need the ability to monitor and audit them,” Touhill agreed.

2. Whitelist applications. Agencies should assess each application running within their network and approve only those that meet operational and security standards. Touhill said that a significant number of the incidents that the United States Cyber Emergency Readiness Team (US-CERT) and Industrial Control Systems Computer Emergency Response Team (ICS-CERT) respond to could be avoided if agencies implemented application whitelisting.

3. Ensure proper configuration and patch management. Referencing ICS-CERT again, Touhill said that 29 percent of the time the team performs incident response on an issue that would have been prevented if the agency had maintained proper patching and configuration. That requires IT shops to proactively manage and deploy security upgrades.
4. Reduce the attack surface. As networks and endpoints expand, so too does the potential to create vulnerabilities to exploit. Touhill explained this mitigation tactic simply: “Don’t put stuff out there that doesn’t need to be out there,” he said. “We can preserve the idea of open government and still make sure that we’re tightly controlling access to information for only those people who require it.”
Furst said they’ve seen enthusiasm for this idea, particularly in the private sector. However, many organizations lack the know-how and resources to independently instill this risk management approach. To help small and medium-sized businesses, the department developed a toolkit. “The toolkit gives them vocabulary and language from a business perspective, to speak to those people,” she explained. “And if a company isn’t big enough – as we see often in small and medium size businesses – to have a dedicated CIO or CISO, it gives them tools and resources to start with; the majority of which are free.” Even as the department assists the private sector, Furst emphasized that the relationship is mutually beneficial. “Innovation is happening everywhere in the private sector. What we are trying to learn in government, from the private sector, is speed and talent retention,” she said.
5. Manage authentication. Touhill said one of the biggest lessons from last year’s OPM breach was the need for better user verification. He described that as “making sure that whoever has accessed the network and its information is not only authorized, but authenticated.” Particularly, DHS is encouraging organizations to adopt multifactor authentication to ensure appropriate access.
6. Implement secure remote access. That multifactor authentication should be pushed to the perimeter of the network as well to ensure remote access is also secure. “That helps close a vulnerability that we’ve seen in many different breaches, both in the public and the private sector,” Touhill said.
7. Monitor and respond. Finally, agencies should continuously monitor their entire networks and have a plan in place to react to incidents in real-time. The department’s Continuous Diagnostics and Mitigation (CDM) program is a cornerstone of this initiative.

These seven practices help agencies and private sector organizations assume a risk-based approach to cybersecurity. Touhill said that is a critical stance. “At the end of the day, cybersecurity is a risk management issue,” he said. “It’s not a technology issue. In the past, many of these risk decisions have been made in the server room, because folks thought it was just a technology issue.” DHS is trying to change that mindset in federal agencies. “As a result of the OPM breach, we’ve really focused the executive level on managing cybersecurity as a risk issue. In essence, we’re putting cybersecurity risk decisions not just in the server room, but into the boardroom. We want it on the agenda at all layers of leadership and management,” Touhill said.
Particularly for cybersecurity personnel, hiring is a challenge in government. To increase the talent pool, programs like the Loaned Executive Program provide an opportunity for private sector employees to share their expertise with the Department directly. Programs like Exemplar give government employees the chance to learn best practices by being detailed to a private sector company. DHS is also encouraging the development of fellowship programs and temporary assignments that allow professionals to temporarily enter public service. However, Furst said that relies on private sector cooperation. “We’re asking people to help us solve some of the bigger problems. But that takes buy-in from companies to allow their folks to come out and help us, then go back to their jobs.” To foster that buy-in, DHS devotes resources to building relationships in innovation shops across the country. “There’s a lot of movement outside of Silicon Valley with people that are bringing in innovation and looking for better ways to incorporate cyber best practices in education, business, and in government at the state, local, and tribal territorial level. We’re seeing a lot of positive movement throughout the country,” said Touhill. He concluded by impressing the need for collaboration. “We share so many of the same problems in both the public and private sector… We’re focusing on trying to raise the bar for everyone. We believe that we can help folks reduce risk through better implementation of those best practices and through better sharing of information.” DHS has a crucial role to play in fostering that. “We provide great value to the private sector from the federal government, in addition to shaping and developing best practices and information sharing but also by preparing for incident response and planning, conducting exercises, and providing a wide range of tools,” he said.
INDUSTRY SPOTLIGHT
Enhancing Security While Achieving Unparalleled Application Performance
An interview with Peter Graupp, Solutions Engineering Manager at Riverbed, and Ken Bradley, Senior Solutions Engineer at Merlin International

Agencies continue to rapidly implement new security monitoring tools with the goal of identifying actions impacting security within each layer of their environment. This growth of management and monitoring tools has negatively impacted systems and application performance due to the additional overhead placed on the network. Is this plethora of tools really meeting the agency goals of protecting these critical assets while meeting service level agreement guidelines around application performance? According to Peter Graupp from Riverbed, a leader in application performance infrastructure, and Ken Bradley from Merlin International, an information technology solutions provider, the answer is not always. In many cases, agencies are overprotecting some resources, to the detriment of more critical assets’ security and performance. “Would you place the same level of value on the assets of Fort Knox that you would your refrigerator? Probably not,” said Bradley. “Instead, fit a security posture around your known assets. The value of these assets should dictate what security position to deploy and what policies should be defined based on the amount of risk the organization is willing to assume with each asset.” Graupp said it’s critical for agencies to identify individual applications and evaluate them within the larger network context. “It’s imperative to understand the application,” he said. “Is it available? Is it the network performance that’s impacting it? How is the application performing, versus the server response times, the peak loads, the latency, and the metrics?” Unfortunately, many agencies lack true visibility into their network and the applications that perform within it. That has negative impacts on performance, but also security.
“The application layer continues to hamper IT’s ability to identify and proactively prevent threats,” Bradley said. Without a clear view of the application landscape, it’s nearly impossible for security personnel to pinpoint potential security and performance vulnerabilities. Instead, they require end-to-end visibility for all applications across an organization’s network and insight into metrics and forensic data. “Riverbed’s SteelCentral solutions can identify what systems are on the network, who is talking to whom, over what ports or protocols and where the traffic is flowing, which are key to having full visibility over one’s network,” Graupp explained. This end-to-end approach also has an added benefit for government organizations. “Not only is this kind of visibility into the network
beneficial for understanding what needs to be secure and protected, but it is also a common platform across most information security regulatory requirements,” Bradley said. But how does an agency achieve this end-to-end visibility of its applications and network? According to Graupp and Bradley, the key is consolidating the points of risk. That’s easier said than done in a time when most agencies are expanding their networks to accommodate remote employees and virtualized work environments. However, some solutions can centralize the view of an agency’s network, even as the network expands. “Solutions like Riverbed’s SteelFusion enable agencies to centralize data back into the data center, consolidating and securing that data and allowing policy to be enforced in the data center where it has a containerized view from a centralized point of control,” Graupp said. That data can provide a full view of the agency’s applications, where they reside on the network, and how they’re performing. Additionally, this strategy ensures the integrity of intellectual property and mission continuity, and it provides for recovery after interruptions and disasters. Even in places where it’s safe to maintain local copies of data, branches and remote offices generally lack the continuous protection mechanisms typically employed by data centers to safeguard data from risks and provide non-stop data access and availability. This consolidated data strategy offers operationally feasible ways to get the data out of the branch and into a more secure setting, even while employees use applications onsite. “Collapsing all data back to the central datacenter provides an immediate improvement in an organization’s security posture and enables staff to dedicate their limited resources to fewer locations,” Graupp said.
“What we are advocating is a strategy that enables organizations to drive workflows into daily operation, automatically mapping their networks so they can manage change, track compliance, conduct robust survivability analysis, and execute threat modeling for common attacks,” Bradley continued. “This, along with the ability to provide immediate reporting, provides management and IT personnel insight into situational awareness across the enterprise.” Agencies are looking for technology platforms and strategies that offer the ability to deliver services in a repeatable and predictable manner. In order to achieve that goal, data and applications have to be available across a disparate number of platforms and environments, without sacrificing performance or security. That requires an end-to-end understanding of your network, as well as the applications living within it.
The Cyber Workforce Deficit

Due to evolving and increasing cyberthreats, traditional IT or general service skills are no longer enough to keep government secure. But government is having trouble attracting the talent it needs, especially as it competes with the private sector to fill critical cybersecurity positions, because of lower pay and longer time-to-hire in government. Below we examine the cyber workforce deficit, as well as tactics agencies can take to fill that gap.
Skills Gap (figure: "have" versus "need")
• An additional 2 million new and qualified workers are needed.
• The rate of growth for jobs in information security is projected at 37 percent from 2012-2022.
• The workforce will grow at a compound annual growth rate of 11.3 percent globally between now and 2017.
• Fewer than 25 percent of cybersecurity applicants are qualified to perform the skills needed for the job.

[Pie chart: "On average, how many applicants are qualified?" Responses: 75-100%: 4%; 50-75%: 12%; the remaining two categories, fewer than 25% and 25-50%, account for 52% and 32% of responses (the extraction does not preserve which value belongs to which category).]
Skills Sought for Cyber Workforce

The NICE Cybersecurity Workforce Framework outlines seven broad areas of practice sought in a cyber workforce:
• SECURELY PROVISION
• OPERATE & MAINTAIN
• PROTECT & DEFEND
• INVESTIGATE
• OPERATE & COLLECT
• ANALYZE
• OVERSIGHT & DEVELOPMENT
Within each of these areas, specific job functions are described along with sample job titles, for a total of 31 different areas of practice. The factors identified as contributing most to success in a cyber career were communication, policy formulation and application, leadership, business management and project management skills, and legal knowledge.
Factors Contributing to Success (figure; share of respondents naming each factor)
• broad understanding of the security field: 92%
• communication skills: 91%
• technical knowledge: 88%
• awareness & understanding of latest security: 86%
• security policy formation & application: 75%
• leadership skills: 68%
• business management skills: 57%
• project management skills: 55%
• legal knowledge: 42%

Shortages by Job Title (figure; share of respondents reporting a shortage)
• security analyst and security auditor: 47% and 31% (the extraction does not preserve which value belongs to which title)
• security engineer (planning): 32%
• security engineer (application): 27%
• security tester: 27%
• security architect (products): 26%
• security systems administrator: 26%
• web security: 23%
• security engineer (platform): 22%
• security architect (consulting): 21%
Common Skills Required for Cybersecurity Job Roles
• Incident handling & response
• Audit & compliance
• Access/identity management
• Intrusion detection
• Firewall skills
• Application security development
• Advanced malware prevention
• Analytics & intelligence
• Cloud computing/virtualization
Tactics to Recruit & Train More Cyber Staff

To address the cyber skills gap, agencies need to:
• ACCELERATE LEARNING & SKILLS DEVELOPMENT
• DIVERSIFY THE CYBERSECURITY COMMUNITY
• PROVIDE CAREER DEVELOPMENT OPPORTUNITIES WITHIN THE CYBERSECURITY FIELD

As part of the CNAP, the president’s budget invests $62 million in cybersecurity personnel to:
• Expand the Scholarship for Service program by establishing a CyberCorps Reserve program, which will offer scholarships for Americans who wish to obtain cybersecurity education and serve their country in the civilian federal government;
• Develop a Cybersecurity Core Curriculum that will ensure cybersecurity graduates who wish to join the federal government have the requisite knowledge and skills; and
• Strengthen the National Centers for Academic Excellence in Cybersecurity Program to increase the number of participating academic institutions and students, better support those institutions currently participating, increase the number of students studying cybersecurity at those institutions and enhance student knowledge through program and curriculum evolution.

To assist agencies, the Department of Homeland Security (DHS) provides a Cybersecurity Workforce Development Toolkit to help them better prepare for recruiting and training their cyber workforce. The toolkit is divided into four sections to help organizations understand where to start in assembling their cybersecurity teams:
1. Prepare: Assess Your Organization’s Cybersecurity Workforce Planning Readiness. Self-evaluation can help determine the readiness of your organization to conduct cybersecurity workforce planning.
2. Plan: How to Plan for Your Cybersecurity Team. Use tools to evaluate your agency’s current and future cybersecurity workforce needs; explore your cybersecurity risks and find suggestions to close workforce gaps.
3. Build: What Should a Cybersecurity Team Look Like? Identify roles that make up a great cybersecurity team; view cybersecurity talent profiles to help make informed hiring decisions and see tips for recruiting cybersecurity staff.
4. Advance: Develop Your People. Find templates to create custom cybersecurity career paths; links to training, certifications and professional events; and ideas for retaining staff at every level.
The Cybersecurity Workforce Development Toolkit provides a Cybersecurity Recruitment Activity Checklist to help you build a cybersecurity workforce that meets the goals of your agency:

1. Identify Vacant Positions
• Work with hiring managers and workforce planners to determine cybersecurity recruiting needs.
• Identify cybersecurity-specific hiring flexibilities (e.g., hiring bonuses).
• Use cybersecurity trait profiles to identify target population characteristics, work preferences, technical background and current cybersecurity trends to increase job interest.

2. Evaluate Potential Sources for the Talent Pipeline
• Create a comprehensive list of current and potential recruiting alliances that align with organizational goals and resources (e.g., Centers for Academic Excellence (CAEs), colleges, universities, cybersecurity competitions and veteran transition programs).
• Prioritize where and how to recruit cybersecurity professionals (e.g., online job search engines, hackathons, cyber competitions, personal referrals, social media).
• Identify current cybersecurity employees who can engage with potential candidates at recruiting events (e.g., job fairs, campus recruiting events).
• Establish an employee referral program to recruit talented and trusted cybersecurity professionals from your cybersecurity employees’ personal networks (e.g., colleges/universities, alma maters, professional associations).

3. Develop Marketing Strategy Materials
• Develop a list of advantages and benefits of the position(s) and your organization (i.e., selling points) to incorporate into outreach efforts and materials.
• Highlight key technology, tools and IT capabilities to attract the right cybersecurity talent for your organization’s specific risk profile.
• Develop materials (e.g., slick sheets, job announcements, social media messages).
• Consider using interactive communication tools, such as social media (e.g., Twitter), that live where cybersecurity professionals do – the internet – to recruit, schedule and announce interaction opportunities (e.g., webinars, live tweeting).

4. Select and Hire
• Use the cybersecurity trait profiles and interview questions provided in this toolkit to evaluate non-technical characteristics of cybersecurity professionals.
• If a decision to hire a candidate is made, create a competitive offer package to attract top cybersecurity talent.
INDUSTRY SPOTLIGHT
Automating Access Controls for Better Security An interview with Scott Carlson, Technical Fellow at BeyondTrust
It’s no secret that agencies continue to struggle with combatting insider threats. At the federal level of government, initiatives like the Cybersecurity Strategy and Implementation Plan (CSIP) and the Continuous Diagnostics and Mitigation (CDM) program are being deployed to better secure our information systems and critical infrastructure against potential misuse. These programs focus on endpoints and the networks to which they are tied, with the goal of upgrading and modernizing the underlying IT infrastructure of the U.S. government to one that can be better maintained, patched and monitored.

But according to Scott Carlson of BeyondTrust, a privileged access management and vulnerability management solutions provider, these federal initiatives fall short of truly protecting government IT from credential misuse. “Although these programs significantly improve infrastructure and monitoring, they offer very limited guidance regarding the access that employees and authorized individuals should have to government systems and data, as well as the actions that these users can take once they access systems in an authorized manner,” said Carlson in a recent interview with GovLoop. “Solving infrastructure pain points can definitively thwart external attackers and remove a large attack surface, but user-based risks are mostly still present.”

Credential theft continues to be a major challenge to government cybersecurity. Failing to rotate enterprise passwords, not enforcing a password management policy, and not maintaining accountability and control over who can use credentials (e.g., sharing passwords) are the biggest culprits behind this type of theft. Yet many organizations stop at password management and don’t look deeper into insider access trends.

To address that shortfall, Carlson recommended implementing policies and processes to better manage access privileges and credentials. “Remove credentials from people who do not need them to begin with,” he said. “If you can reduce the quantity of users who have access to privileged systems or applications, it reduces the attack surface.”

Additionally, administrators should correlate data from multiple users and behaviors in order to identify potential risk scenarios. “Combining multiple data elements like machine use, access over time, and executed commands can help distinguish patterns of events that should never happen, from those that are expected – or at least are legitimate under certain approved circumstances,” explained Carlson. Building use cases that include these elements is a foundational step in countering insider threats.

Once baselines for normal and threat behavior are created, Carlson suggested supporting those protocols with technical automation. Implement automated solutions that establish baselines for normal behavior, observe any changes, and isolate and flag anomalies that may indicate a threat. This can trigger automated responses to proactively control and manage the activity, versus relying on a defensive/reactive posture.

“You can also introduce software that stores, maintains, and automates the periodic change of passwords. Attackers often guess and exploit default passwords to gain access to systems. Deploying a solution to manage passwords will reduce the possibility of damage from a compromised account and shorten the window of opportunity where a password is useful against the system,” said Carlson.

Finally, Carlson suggested using a solution that securely provides privileged users with access to critical infrastructure. Software, such as the BeyondTrust PowerBroker Privileged Access Management Platform, can monitor an entire system to ensure it’s accessed from an expected location, automatically provide the password when needed, and record what users do. It’s an integrated solution that offers control and visibility over all privileged accounts and users. Ultimately, by uniting capabilities that many alternative providers offer as disjointed tools, the PowerBroker platform simplifies deployments, reduces costs, improves system security and reduces privilege risks.

Reducing the chance of an insider threat breach isn’t the only benefit of these solutions. “Agencies can also expect to gain better control over their users’ endpoints, because those users will be unable to change systems outside of what you have given them rights to change,” Carlson concluded. “They will also gain better visibility into user account and system activity, enabling them to proactively identify and mitigate threats from insiders – as well as from external attackers seeking to become insiders.”
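The correlation Carlson describes, combining the machines a user touches, the hours of access and the commands executed, then comparing new privileged sessions against a learned per-user baseline, as an added example that is not BeyondTrust’s or GovLoop’s code. It assumes a simple tab-separated session log (user, host, ISO timestamp, command) with constructed sample records; the deviation rules (new host, an hour outside anything seen for that user, a new command, or no baseline at all) are the example’s own choices, not a product feature.

```python
"""Baseline-and-anomaly check over privileged-session records.

Added example (not BeyondTrust's or GovLoop's code).  It combines, per user,
the machines used, the hours of access and the commands executed, learns a
baseline from past sessions, and flags new sessions that deviate from it.
The tab-separated log format and all records below are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed historical sessions: user, host, ISO timestamp, command.
BASELINE_LOG = """\
alice\tdb-01\t2016-03-01T09:12:00\tsudo systemctl restart postgresql
alice\tdb-01\t2016-03-02T10:05:00\tsudo tail /var/log/postgresql.log
alice\tdb-02\t2016-03-03T14:40:00\tsudo systemctl status postgresql
bob\tweb-01\t2016-03-01T11:00:00\tsudo systemctl reload nginx
bob\tweb-01\t2016-03-02T16:30:00\tsudo cat /etc/nginx/nginx.conf
bob\tweb-02\t2016-03-04T13:15:00\tsudo systemctl reload nginx
"""

# Constructed new sessions to evaluate against the baseline.
NEW_SESSIONS = """\
alice\tdb-01\t2016-03-10T10:30:00\tsudo systemctl status postgresql
alice\tweb-01\t2016-03-10T03:10:00\tsudo useradd -m svc-backup
bob\tweb-02\t2016-03-11T12:00:00\tsudo systemctl reload nginx
carol\tdb-01\t2016-03-11T12:05:00\tsudo cat /etc/shadow
"""


def parse_log(text):
    """Turn the tab-separated records into dicts with a parsed timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, host, stamp, cmd = line.split("\t", 3)
        records.append({"user": user, "host": host,
                        "time": datetime.fromisoformat(stamp), "cmd": cmd})
    return records


def command_key(cmd):
    """Normalise a command to its first two tokens, ignoring a leading sudo,
    so 'systemctl restart postgresql' and 'systemctl restart nginx' compare equal."""
    parts = cmd.split()
    if parts and parts[0] == "sudo":
        parts = parts[1:]
    return " ".join(parts[:2])


def build_baseline(records):
    """Per user: hosts used, hours of day seen and normalised commands run."""
    baseline = defaultdict(lambda: {"hosts": set(), "hours": set(), "cmds": set()})
    for rec in records:
        entry = baseline[rec["user"]]
        entry["hosts"].add(rec["host"])
        entry["hours"].add(rec["time"].hour)
        entry["cmds"].add(command_key(rec["cmd"]))
    return baseline


def score_session(rec, baseline):
    """Return the list of deviations for one session; empty means it fits the baseline."""
    if rec["user"] not in baseline:
        return ["unknown user (no baseline)"]
    entry = baseline[rec["user"]]
    reasons = []
    if rec["host"] not in entry["hosts"]:
        reasons.append("new host %s" % rec["host"])
    hour = rec["time"].hour
    # Tolerate one hour either side of any hour previously seen for this user.
    if not any(abs(hour - seen) <= 1 for seen in entry["hours"]):
        reasons.append("unusual hour %02d:00" % hour)
    key = command_key(rec["cmd"])
    if key not in entry["cmds"]:
        reasons.append("new command %r" % key)
    return reasons


def flag_anomalies(baseline_text=BASELINE_LOG, session_text=NEW_SESSIONS):
    """Return (user, host, reasons) for every new session that deviates."""
    baseline = build_baseline(parse_log(baseline_text))
    flagged = []
    for rec in parse_log(session_text):
        reasons = score_session(rec, baseline)
        if reasons:
            flagged.append((rec["user"], rec["host"], reasons))
    return flagged


if __name__ == "__main__":
    for user, host, reasons in flag_anomalies():
        print("%s@%s: %s" % (user, host, "; ".join(reasons)))
```

With the constructed records, alice’s routine status check passes, her 03:10 account creation on a web host she has never used is flagged on all three dimensions, and carol is flagged simply because no baseline exists for her, which is the “should never happen” case Carlson contrasts with expected activity. A real deployment would learn the baseline over a longer window and weight the reasons rather than treating each as equal.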
The Legislative Approach to Cybersecurity After a string of high-profile cyberattacks on private-sector companies and the highest tiers of the U.S. government, government has been ramping up federal legislation to counter the escalation of cyberthreats.
Common Themes
• Privacy
• Cybersecurity education & workforce training
• Information security

Top 5 Pieces of Cyber Legislation from 2015-2016

National Cybersecurity Protection Advancement Act (NCPA) of 2015
Passed House. The law is said to enhance public-private partnerships as well as cybersecurity by encouraging voluntary information sharing about cyberthreats between and among the private sector and government.

Protecting Cyber Networks Act
Passed House (April 2015). This act “establishes within the Office of the Director of National Intelligence (ODNI) a center that would be responsible for analyzing and integrating information from the intelligence community related to cyberthreats. In addition, the bill would require the government to establish procedures for sharing information and data on cyberthreats between the federal government and nonfederal entities.”

State and Local Cyber Protection Act of 2015
Passed House (December 2015). The bill amends the Homeland Security Act of 2002 to assist state and local coordination on cybersecurity with the National Cybersecurity and Communications Integration Center. Specifically, this bill focuses on identifying system vulnerabilities and information security protections to address unauthorized access, use, disclosure, disruption, modification or destruction of information relating to such crimes and threats.

Strengthening State and Local Cyber Crime Fighting Act
Passed House (November 2015). The bill also amends the Homeland Security Act of 2002 to establish in DHS a National Computer Forensics Institute to be operated by the U.S. Secret Service to:
• Disseminate homeland security information related to the investigation and prevention of cyber and electronic crimes and related threats;
• Educate, train and provide equipment to state, local, tribal and territorial law enforcement officers, prosecutors and judges to carry out investigations, prosecutions and court proceedings relating to such crimes and threats.

Cybersecurity Information Sharing Act of 2015 (CISA)
Passed Senate Intelligence Committee (March 2015). CISA includes the following provisions:
• Liability Protection. Provides strong liability protection for information sharing so long as such sharing is not grossly negligent or an act of willful misconduct; and
• Authorized Uses. Allows the government to use information gained by information sharing for purposes including: enhancing cybersecurity, identifying a cyberthreat from a foreign adversary, preventing or prosecuting cases involving serious felonies, stopping or mitigating threats of serious economic harm, and combatting serious threats to minors.
State & Local Cyber Legislation Forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private, governmental or educational entities to notify individuals of security breaches of information involving personally identifiable information. Many states are also investing efforts into state cybersecurity task forces to focus more on the issues surrounding cybersecurity.
California
The California Electronic Communications Privacy Act (CalECPA) requires a warrant to track the location of electronic devices, like cell phones, or to search them. The law bars any California state law enforcement agency or other investigative body from forcing a business or individual to unwillingly submit any metadata or digital communications, including text messages and chat, email, cloud-stored documents or any manner of discovering devices on a network.

Washington
The State Cybercrime Act addresses the crimes of computer trespass, electronic data service interference, spoofing, electronic data tampering and electronic data theft. Specifically, the act helps prosecute and punish cybercrime activity. It also helps preserve existing laws for computer trespass and identity theft while recognizing new categories of crime like tampering or “denial of service” attacks.

Utah
The Computer Abuse and Data Recovery Act enacts provisions related to unauthorized access to information technology. Specifically, the law provides civil penalties for an individual who, without authorization from a protected computer’s owner to obtain information from the protected computer, causes the transmission of a program, code or command to the protected computer, or traffics in a technological access barrier that could be used to access the protected computer.

Wyoming
Senate File 38 was one of several bills brought to the Legislature by the four-member Joint Task Force on Digital Information Privacy. This legislation requires agencies to adopt policies for data collection, access, security and use. It also directs the state CIO to develop guidelines for local governments for data collection, access, security and use; provides a definition; and requires a report.

Idaho
Last year, Idaho policymakers came together to create the new Cybersecurity Task Force, which Gov. Butch Otter created to find and patch vulnerabilities in the state’s systems. The task force includes members of the private sector as well as those from the state’s Bureau of Homeland Security, Department of Administration, Department of Health and Welfare, Tax Commission and Transportation Department.

Delaware
The Cybersecurity Initiative (CSI) was established in 2014 as a partnership among the state, the University of Delaware, federal agencies and the private sector to develop a workforce and research center targeting cybersecurity.

Georgia
The state recently adopted legislation to create the Senate Data Security and Privacy Study Committee to undertake a study of the conditions, needs, issues and problems that may exist with existing security procedures, practices and systems in place across the state and local governments.

Florida
HB 1033, regarding information technology security, revises the duties of the Agency for State Technology (AST). Specifically, the bill directs the AST to develop guidelines, policies and processes for state agencies to mitigate security risks, and allows state agencies to contract with private-sector vendors to complete risk assessments and establish computer security incident-response teams.

Arkansas
Arkansas amended its State Multi-Agency Insurance Trust Fund Act to provide for a new expenditure from the fund for cybersecurity risk insurance premiums and expenses.
INDUSTRY SPOTLIGHT
The Right Investments to Safeguard Against Insider Threats
An interview with Jim Kunkle, Vice President, Public Sector at Symantec

Now that some of the greatest threats to the United States are from cyberattacks, rethinking your agency’s defense infrastructure is critical. “The federal government has done a good job of investing across the board in protecting their infrastructure from outside threats, but protecting against breaches from the inside is the next big investment area,” explained Jim Kunkle, Vice President, Public Sector at Symantec, a global leader in cybersecurity.

In their 2016 Internet Security Threat Report, Symantec reported that 48 percent of cyber breaches in the U.S. government were the result of accidental data exposure or loss by well-meaning employees. An additional 10 percent was the result of actions by malicious insiders. Naturally, it comes as no surprise that government agencies are taking action to prevent and protect their infrastructures against insider threats.

Agencies need nimble solutions to prevent varied types of insider attacks, especially since attack tactics are constantly changing. Using data gathered from hundreds of millions of emails and enterprise customers, Symantec’s Global Intelligence Network helps agencies recognize their security weaknesses. “It’s really about determining what the mission critical information is, locking that information down, and then being able to continue operations in a compromised manner,” Kunkle said.

One strategy government has adopted to limit insider threats is a stronger authentication process. It is easy to control and monitor access via a government-supplied computer on the agency’s network thanks to the adoption of identification cards such as the Common Access Card (CAC) used by the Department of Defense. But, as needs for access to government data become increasingly mobile, this system of protections may no longer be effective. Instead, identity protection needs to be incorporated into online, mobile programs, like Symantec VIP software for information protection. This two-factor authentication system is especially helpful for government agencies that provide electronic capabilities or access to citizens. For example, the Department of Veterans Affairs is also using a two-factor authentication system in the enterprise portal that veterans use to apply for benefits.

Protecting logins can only go so far in limiting threats, so it’s important to offer employees better training to prepare them for cyber threats and attacks.

Email phishing attacks have increased by 55 percent from last year, and they are also becoming more targeted, making it harder for agencies to defend against them. In response, tools like Symantec’s Phishing Readiness are designed to help organizations test and train their employees. The program helps teach workers how to recognize and avoid phishing attacks in emails, allowing them to better protect both themselves and their employer.

Government agencies should not just limit themselves to defensive strategies to protect against cyber threats, which is why offensive capabilities are essential as well. Tools like Symantec’s Cyber Simulation help employees train while helping employers identify the best fit for their IT teams. Similar to how a pilot can practice flying a plane under a variety of conditions in a flight simulator, cybersecurity employees can use it to practice identifying cyber attacks while understanding how hackers penetrate a system.

The simulation can be customized to allow agencies to perform different offensive tasks. For example, one custom engagement focused on trying to disable and disrupt critical government infrastructure around an oil company, including financial and logistical systems. “It’s difficult to be able to test your skills in terms of live hacking and offensive capability without actually taking down a network,” Kunkle explained. Cyber simulations offer the opportunity to test a team without doing actual damage.

There is no easy, single solution to stop insider threats, and Kunkle warned that agencies should be investing in a number of technologies to prevent system exposure. Through commitments to data encryption, data loss prevention and lockdown technology that limits access privileges, governments can significantly diminish the potential for disastrous insider threats and protect information. Constant defense against cybersecurity threats is the new normal for government agencies with valuable electronic data. Adequate protections should safeguard three main areas: your infrastructure, your agency’s information, and identity protection for both your employees and any citizen-oriented services.
Cyber Initiatives: Where Government Stands Along with legislation, the federal government has launched a number of broader initiatives to address cybersecurity.
Update on 30-Day Cybersecurity Sprint In the wake of the headline-grabbing breaches at OPM, federal CIO Tony Scott launched a 30-day cybersecurity sprint in spring 2015. As part of that effort, Scott instructed federal agencies to immediately take a number of steps to further protect federal information and assets as well as improve the resilience of federal networks.
The initiatives of the sprint include the following:
• Deploy indicators provided by DHS regarding priority threat-actor tactics to scan systems and check logs.
• Patch critical vulnerabilities without delay.
• Tighten policies and practices for privileged users by limiting the number of privileged users and the functions that can be performed when using privileged accounts.
• Accelerate implementation of multifactor authentication by requiring a Personal Identity Verification (PIV) card or an alternative form of multifactor authentication.
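The first sprint action, checking logs against indicators shared by DHS, as an added example that is not part of the guide or of any agency’s tooling. The indicator set (RFC 5737 documentation addresses, an example.net hostname and the hash of a constructed byte string), the log line format and the log lines themselves are constructed placeholders, not real indicators; the matching covers exact IP addresses, CIDR ranges, hostnames and SHA-256 file hashes.

```python
"""Indicator matching over log lines.

Added example, not the guide's or any agency's tooling.  It shows the first
sprint action in miniature: take a set of indicators of the kind DHS shares,
and check log lines for matching IP addresses, networks, hostnames and file
hashes.  Every indicator and log line below is a constructed placeholder.
"""
import hashlib
import ipaddress
import re

# Hash of a constructed byte string, standing in for a shared file-hash indicator.
SAMPLE_HASH = hashlib.sha256(b"constructed-sample-payload").hexdigest()

# Constructed indicator set (RFC 5737 documentation addresses, example.net name).
INDICATORS = {
    "ip": {"198.51.100.23", "203.0.113.77"},
    "cidr": {"192.0.2.0/24"},
    "domain": {"update-check.example.net"},
    "sha256": {SAMPLE_HASH},
}

# Constructed log lines in proxy, authentication and file-integrity styles.
SAMPLE_LOGS = """\
2016-06-01T10:01:12 proxy src=10.0.0.5 dst=198.51.100.23 host=cdn.example.com status=200
2016-06-01T10:02:40 proxy src=10.0.0.8 dst=203.0.113.9 host=update-check.example.net status=200
2016-06-01T10:03:05 auth user=jdoe from=192.0.2.41 result=success
2016-06-01T10:04:00 fim path=/tmp/x.bin sha256=%s
2016-06-01T10:05:30 auth user=asmith from=10.0.0.9 result=failure
""" % SAMPLE_HASH

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\bhost=([A-Za-z0-9.-]+)")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")


def compile_networks(indicators):
    """Parse CIDR indicators once so each line only does membership tests."""
    return [ipaddress.ip_network(c) for c in indicators["cidr"]]


def scan_line(line, indicators=INDICATORS, networks=None):
    """Return [(indicator_type, value), ...] for every indicator found in one line."""
    if networks is None:
        networks = compile_networks(indicators)
    hits = []
    for text in IPV4_RE.findall(line):
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:          # e.g. 999.1.1.1 matched the loose regex
            continue
        if text in indicators["ip"]:
            hits.append(("ip", text))
        elif any(addr in net for net in networks):
            hits.append(("cidr", text))
    for name in HOST_RE.findall(line):
        if name.lower() in indicators["domain"]:
            hits.append(("domain", name))
    for digest in SHA256_RE.findall(line):
        if digest in indicators["sha256"]:
            hits.append(("sha256", digest))
    return hits


def scan_logs(text=SAMPLE_LOGS, indicators=INDICATORS):
    """Return [(line_number, hits), ...] for lines with at least one match."""
    networks = compile_networks(indicators)
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hits = scan_line(line, indicators, networks)
        if hits:
            findings.append((lineno, hits))
    return findings


if __name__ == "__main__":
    for lineno, hits in scan_logs():
        print("line %d: %s" % (lineno, ", ".join("%s=%s" % h for h in hits)))
```

Exact-address and CIDR indicators are checked separately so a report can say whether a line hit a specific listed host or merely fell inside a listed range, which matters when an indicator bulletin mixes the two; the hash check only works on logs that already record file digests, such as the file-integrity line above.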
How results were measured: Federal CIO Tony Scott will lead in assessing progress. The results are shown in the administration’s FY 2014-FY 2017 Cybersecurity Cross Agency Priority (CAP) Goal Report, which measures the following initiatives from the cyber sprint:
• Information Security Continuous Monitoring (ISCM) – Provide ongoing observation, assessment, analysis and diagnosis of an organization’s cybersecurity.
• Identity, Credential and Access Management (ICAM/Strong Authentication) – Implement a set of capabilities that ensures users must authenticate to information technology resources and have access to only those resources that are required for their job function.
• Anti-Phishing and Malware Defense (APMD) – Implement technologies, processes and training that reduce the risk of malware being introduced through email and malicious or compromised websites.
Overall, agencies have made significant progress in several key areas. While 10 agencies missed the mark, 14 major civilian agencies surpassed Scott’s goal of 75 percent for strong authentication. Agencies increased strong authentication use for privileged users from 33 percent to 75 percent.
Between April and July 2015, the following agencies demonstrated the most progress in areas like strong authentication (share of users with strong authentication, April to July):
• Veterans Affairs: from 10% to 81%
• Interior Department: from 43% to 89%
• Nuclear Regulatory Committee: from 0% to 78%
• Office of Personnel Management: from 42% to 97%
• General Services Administration: from 4% to 99%
[Figure: Agencies made significant progress meeting the Cybersecurity CAP Goal targets in FY2015 Q4. Three panels, each covering FY2015 Q2, Q3 and Q4:
• Information Security Continuous Monitoring (ISCM): number of CFO Act agencies that met the Hardware Asset Management target; values shown across the quarters: 10, 14 and 19.
• Identity, Credential & Access Management (ICAM): percentage of civilian users (privileged & unprivileged) using Personal Identity Verification cards: 42% (Q2), 76% (8/28/15, cyber sprint update) and 81% (11/16/15, cyber sprint update).
• Anti-Phishing & Malware Defense: number of CFO Act agencies that met the Other Defenses target; values shown across the quarters: 7, 8 and 10.
Source: Performance.gov 2016]

Latest results: as of Nov. 6, 2015, federal agencies further increased their use of PIV to 81%.

[Figure: percentage of users using Strong Authentication, plotted from 6/1/2004 through 11/16/2015 on a 0% to 100% axis. Labeled points: 72.1% (Cyber Sprint results), 76.1% (Q3 update, 8/25/15) and 81.4% (as of 11/16/15); the chart also marks the point at which the Cyber CAP Goal was initiated. Other data points shown on the line, whose dates the extraction does not preserve: 1.0%, 1.1%, 1.2%, 1.2%, 5%, 7.2%, 7.5%, 11.6%, 14.3%, 16.9%, 19.7%, 26.4%, 30.2%, 41.0%, 42.2% and 42.4%. Source: Performance.gov 2016]
Other Cyber Initiatives to Watch

Cybersecurity National Action Plan (CNAP)
Security experts are lauding the $19 billion cybersecurity plan as the highlight of Obama’s budget proposal for the 2017 fiscal year. If the president’s budget is approved, CNAP will:
• Establish the Commission on Enhancing National Cybersecurity;
• Replace, retire or modernize legacy IT systems with a $3.1 billion Information Technology Modernization Fund;
• Appoint a federal Chief Information Security Officer to oversee the plan’s execution; and
• Encourage multifactor authentication to secure online accounts for both agencies and private citizen services.

Comprehensive National Cybersecurity Initiative (CNCI)
President George W. Bush launched the initiative in January 2008. The CNCI consists of a number of mutually reinforcing objectives designed to improve security in cyberspace. The major initiatives include:
• Manage the Federal Enterprise Network as a single network enterprise, with trusted internet connections that collapse the number of portals between government networks and the internet;
• Deploy consistent intrusion-detection capabilities across the federal enterprise;
• Catalogue, coordinate and redirect as appropriate cyber research and development efforts;
• Develop a governmentwide cyber counterintelligence plan; and
• Define the federal role for extending cybersecurity into critical infrastructure domains by working with the private sector.
Progress Report: Building on the CNCI in 2009, President Obama directed the National Security Council (NSC) and Homeland Security Council to conduct a 60-day review of the plans, programs and activities under way throughout government to address our communications and information infrastructure. This became the Cyberspace Policy Review. The Cyberspace Policy Review loosely expanded on CNCI in determining how next steps would be taken on the initiatives.

National Initiative for Cybersecurity Education (NICE)
Established in 2009, in support of the Cyberspace Policy Review, and led by the National Institute of Standards and Technology (NIST), NICE is a partnership between government, academia and the private sector focused on cybersecurity education, training and workforce development. The mission of NICE is to energize and promote:
• A robust network;
• An ecosystem of cybersecurity education, training and workforce development;
• Coordination between government, academia and industry to build on existing successful programs; and
• Change and innovation, bringing leadership and vision to increase the number of skilled cybersecurity professionals.
Progress Report: NICE builds on both the Cyberspace Policy Review and the 2008 CNCI Initiative 8: “Expand Cyber Education.” Since then, NICE has developed a three-pronged approach: enhance awareness by improving citizens’ knowledge about cyberspace risks and cybersecurity in general; expand the pipeline by strengthening academic pathways leading to cybersecurity careers; and evolve the field by increasing the quantity and quality of the cyber workforce.

Cybersecurity Strategy and Implementation Plan (CSIP)
Following the 30-day cybersecurity sprint, OMB developed CSIP for the federal civilian government, which identifies a series of objectives and actions to further address critical cybersecurity priorities across the federal government. Objectives include:
• Prioritized identification and protection of high-value information and assets;
• Timely detection of and rapid response to cyber incidents;
• Rapid recovery from incidents when they occur and accelerated adoption of lessons learned from the sprint assessment;
• Recruitment and retention of the most highly qualified cybersecurity workforce talent; and
• Efficient and effective acquisition and deployment of existing and emerging technology.
INDUSTRY SPOTLIGHT
Moving Toward a Holistic Cybersecurity Experience An Interview with Will Ash, Senior Director, U.S. Public Sector Security at Cisco Whether you’re dealing with top secret data at Langley or working with thousands of people’s health data at NIH, you want your systems to be secure. As government organizations continue to modernize, their cybersecurity efforts continue to expand. However, despite agencies’ best efforts, nefarious actors have still been able to infiltrate systems and obtain sensitive data. To understand the best ways to secure agency networks, GovLoop spoke with Will Ash, Senior Director of U.S. Public Sector Security at Cisco, an industry leader in networking and cybersecurity. Ash explained that, “the biggest impediment to ensuring cybersecurity is planning, budgeting and executing around single security products as opposed to a more holistic threat defense strategy.” Cyberattack preparedness spans a three-stage continuum: before, during, and after an attack. “Working with a single service or product to plug one of the holes in the continuum prevents agencies from achieving end-to-end protection,” Ash explained. An integrated architectural approach that covers the entire continuum allows for fewer security breaches. Taking a holistic approach to cybersecurity can appear overwhelming. However, Ash said that end-to-end security efforts are often the simplest option. “Cisco has the ability to maintain an open architecture that is automatically integrated. This brings greater effectiveness and value to the agency which is deploying the integrated threat defense architecture,” he said. Ultimately, security is an enabler for government agencies’ missions. “Regardless of mission area, whether it’s public health, law enforcement, national security, or one of the many others, we feel very strongly that security can not only lower risks associated with a specific mission area, but also help agencies innovate faster and reduce costs,” Ash said. 
As we move into the digital age, the attack surface that can be infiltrated is expanding and becoming more complex than ever. As agencies continue leveraging mobile devices, the internet of things and the benefits of the cloud, cybersecurity must continually enable the agencies’ mission. One way Cisco has been able to do this is through its Identity Services Engine (ISE). ISE is a network access control and policy platform: it authenticates users and devices as they connect to the network and enforces access policy based on who the user is and what device they are using, across applications and device types. This is meant to ensure that the right person has the right access from the right device. “Essentially, it’s enabling an agency’s mission in this new digital age where so much value is brought to the table through cloud and mobility and other types of applications,” Ash explained. Fortunately, many government policies and frameworks align well with Cisco’s approach because they are holistic in nature. Ash explained that many government standards and initiatives, such as NIST SP 800-53, OMB’s CSIP and DHS’s CDM program, take an end-to-end approach to cybersecurity and spread their guidance and plans across the entire continuum in an integrated way. However, not all agencies’ cybersecurity plans have shifted to integrated, holistic methods. Agencies that still need a push toward modernization must begin to look at the bigger picture when optimizing their cybersecurity efforts. Incorporating capabilities like Cisco ISE cannot occur in a silo; they must be integrated into overall plans for IT modernization. Integrating cybersecurity plans into IT modernization has two parts. “First, outdated infrastructure often has vulnerabilities ripe for exploitation. Second, updating to modern infrastructure provides an opportunity to build advanced cybersecurity into its design,” Ash explained. Another element of comprehensive cybersecurity is Talos, Cisco’s threat intelligence group. Talos’ threat intelligence powers the cybersecurity architecture that Cisco provides. “Talos researchers track threats across the entire network, including datacenters, endpoints, mobile devices, virtual systems, web, email, and cloud,” Ash explained. Talos helps agencies by identifying the root causes of attacks: as threat data is ingested from across the network, Talos scopes outbreaks, works out what happened and brings all of the information together. “This data is translated into real time protections that can be delivered immediately across the integrated threat defense architecture through automation,” Ash said. Looking forward, it’s imperative that agencies take a holistic approach to cybersecurity.
“The value of approaching cyber in a holistic, end-to-end, integrated way is a differentiator,” Ash underscored. “That approach will address a major impediment in government cybersecurity. Cisco is in a unique position to provide value to government cybersecurity efforts, allowing government agencies and employees to successfully complete their mission in this digital age.”
Executing CNAP at GSA An interview with Matthew Cornelius, Innovation Specialist and Chief of Staff in the Office of Governmentwide Policy at the General Services Administration Recognizing the need for a governmentwide approach to cybersecurity, the Obama administration announced the Cybersecurity National Action Plan (CNAP) in February 2016. The plan is ambitious, with directives to establish a cross-sector commission, fund a $3.1 billion Information Technology Modernization Fund and implement multifactor authentication in citizen-facing government services. To implement CNAP, the administration is relying on several federal agencies to enact its objectives. In an interview with GovLoop, Matthew Cornelius, Innovation Specialist and Chief of Staff in the Office of Governmentwide Policy, explained the pivotal role the General Services Administration (GSA) will play in the plan’s execution.
Communicating With Agencies
“Executing the CNAP directives is a constantly evolving process. It is very clearly led by Office of Management and Budget (OMB) in partnership with the National Security Council (NSC), but because of the governmentwide role GSA has, as well as the primary cybersecurity mission of DHS, we are two of the agencies that are directly responsible for helping OMB and NSC act on the CNAP,” Cornelius said. While DHS is providing critical intelligence, strategy and implementation, GSA is helping standardize and accelerate many cyber acquisition and program offerings and share best practices. Specifically, the agency is focused on helping others use the most appropriate contracting vehicles for their particular needs. “GSA is doing a top-down rethink of how we manage acquisition and how we push out better information,” Cornelius said. “We are determining how to not just give the IT folks in agencies, but also the procurement folks, access to more relevant information that allows them to make better purchasing decisions around cybersecurity products.”
Delivering Shared Services A critical part of that message is educating acquisition and IT professionals on the value of using shared services for technology procurement. By leveraging those, agencies can acquire technologies more quickly and at lower cost. “We’re helping agencies expedite the move to shared services,” Cornelius said. “In the CNAP, it explains that shared cybersecurity services can often make it more efficient, more effective and more secure for agencies, rather than having such fragmented IT management and different departments running their own systems.” In addition to identifying potential shared services to leverage, GSA has also developed its own services, like cloud.gov and apps.gov, for agencies to access. And in scenarios where a shared service vehicle doesn’t match the agency need, GSA can help them craft new ones. “We’re facilitating development and partnership with other agencies to flesh out new shared services when necessary. Ultimately, we want to keep agencies from having to build, fund and secure fragmented IT,” he said.
Modernizing Technologies The goal of many of these shared services contracts is to get new, more secure technologies into the hands of agencies faster – a move that supports a key component of CNAP. As part of the president’s fiscal year 2017 budget, a $3.1 billion IT Modernization Fund was proposed. “That would provide agencies with funding to help them expedite modernization by either replacing, repairing or overhauling legacy systems,” Cornelius said. Once the fund is appropriated, GSA is the agency designated to help administer it. The agency will also help other agencies develop modernization plans and, if appropriate, identify contracting vehicles to meet these new modernization requirements. “Whatever we can do through category management and making new vehicles more flexible and adaptable so that as threats evolve, the products and services we can offer will more quickly get into the agency, that’s what we’re going to do,” said Cornelius. Additionally, GSA is identifying and vetting solutions to make sure that agencies are selecting secure technology that fits their needs. While many individual providers can incorporate a variety of cybersecurity functions into their solutions, Cornelius explained that many agencies need stronger guidance to match unique offerings to mission objectives and IT infrastructure needs.
Building Security Into Everything Vetting those solutions before procurement also serves the primary objective of federal CIO Tony Scott, which is to ingrain security in product development and acquisition rather than adding features after deployment. “What GSA is doing in partnership with a lot of agencies is making sure – as we are bringing vendors onto our schedules and making products and services available – that we’re doing due diligence to make sure that security is already baked into those offerings,” Cornelius said. According to Cornelius, many agency CIOs have already adopted this security-first mindset. However, those leaders still need technologies and processes that enable secure adoption. “GSA wants to be an enabler for that standpoint,” he said. “We want to make sure that through acquisition and through outreach to agencies that we are helping CIOs act on and operate around these new assumptions of what security looks like.” Ultimately, that’s the goal of GSA when it comes to executing CNAP. The agency wants to empower IT leaders to make better purchasing decisions that ingrain cybersecurity into their infrastructure, operations and management. “We make sure that we are always actively communicating that we have one message and that we are getting that message out to as many agencies as possible – so that they can then have those conversations internally and decide based on budget, mission and priorities how they are going to make the best cybersecurity decisions for themselves,” Cornelius said.
INDUSTRY SPOTLIGHT
How the Evolution of IT Networks is Shaping Cybersecurity An interview with Bob Kimball, Chief Technology Officer at Ciena Government Solutions When it comes to defending government systems against sophisticated cyberthreats, the biggest challenge for agencies isn’t a technological one.
Even the most secured systems can be infiltrated by hackers who prey on one of the hardest areas for agencies to manage: the workforce. “The biggest challenge is always going to be the people,” said Bob Kimball, Chief Technology Officer at Ciena Government Solutions, a global manufacturer of communications network equipment and solutions.
It only takes one click on a malicious attachment or link to give hackers unfettered access to agencies’ sensitive data. To build strong defenses against these types of attacks, agencies need a strategy that focuses on educating the workforce and implementing technology that is secure, adaptable to change and able to meet their dynamic workforce needs. Kimball, who is responsible for identifying technology directions and product positioning for sales of Ciena optical networking products to government and research and education sectors, sat down with GovLoop to explore how advancements in the networking world are shaping the future of cybersecurity. “The networking world is undergoing a revolution unlike anything we’ve ever seen before,” Kimball said. “And that especially points to the whole concept of virtualization and what virtualization actually means to the network. The reason it’s so critical to think about the network, especially now, is because people’s expectations for how they consume information has dramatically changed over the last several years.” When it comes to work, employees want the ability to consume information wherever they are, whether that’s in another part of the office or out in the field. They want to access information on a mobile handset or their tablet. These demands are driving agencies to embrace the benefits of technology models like cloud computing, which enables agencies to provide widespread, convenient, on-demand network access to a shared pool of resources. “Providing this level of service requires a reliable network,” Kimball said. “When the network is always there and when functioning well it is not something we ever think about. However, to take advantage of the true promise of cloud the network is a critical component.” A key component of many agencies’ cloud journey involves virtualization of networks and servers to simplify IT operations, improve how resources are managed and maintained and reduce costs.
However, with any change that makes information more accessible to a broader group of people, there’s always the concern about how those resources and data will be secured.
“There certainly are new attack surfaces that will emerge out of virtualization,” Kimball said. “The concept of centralized control of network resources and the ability to dynamically reconfigure the network to meet your mission requirements means that there’s always a dark side.”
There will be threats launched against parts of the network that have never been threatened before. “But that’s not the end of the story because the capabilities enabled by virtualization allow new security paradigms to exist that weren’t possible through previous networking architectures and policies,” Kimball said. Think of it this way: if you replace physical security appliances with software running on generic hardware, the hardware itself holds no persistent state for an attacker to hide in. It is not unhackable (firmware and memory-resident compromises remain possible), but there is far less for malware to persist in, and a compromised instance can simply be discarded and rebuilt. “Now you have the ability to do things like refresh it with a known, good copy of the software as many times as you need to. So if a cyber incident occurs, instead of the incredibly expensive exercise of re-patching and fixing all the hardware, you can just refresh it.” Because you’ve already paid for the software licenses, you won’t have to buy replacements. “You can do things like actively configure your network based on the environment,” Kimball said. “That environment could be a natural disaster, which means you may need additional communications to aid response efforts. Another benefit is the ability to reroute communications if there is a major network congestion issue. The fact that you have these capabilities to let the network itself adjust to its environment is really exciting.” Agencies no longer have to stovepipe segments of the network. For example, they don’t need a routing expert who is solely responsible for routing activities. They can now manage their networking duties under a single, common platform that is agnostic to the underlying hardware. The concern for Kimball is that some agencies will be slow to embrace these new technology capabilities offered by companies like Ciena. But for agencies that have already started down this path, the payoffs outweigh the growing pains of making a change. “These new technologies increase workforce productivity by equipping employees with resources in a much more economic fashion,” Kimball said.
“To get greater efficiencies out of cost-effective resources is really something the federal government should take advantage of.”
Conclusion Since the launch of initiatives like CNCI and the 30-day cybersecurity sprint, agencies have focused their efforts on investing more policy, resources, time and talent into strengthening the nation’s cybersecurity posture. Today, the state of government cybersecurity is stronger than ever. Agencies have made significant progress in addressing continuous monitoring, multifactor authentication and anti-phishing and malware defense. Additionally, agencies have stepped up their game in organizing the right leadership to lead their cyber initiatives. Significant leadership roles include CIOs, CFOs and a number of other positions that set the direction and pace. Going forward, however, agencies must continue to improve as cyberthreats evolve. The future still holds many challenges, including: • Legacy systems with thousands of different hardware and software configurations that contain vulnerabilities and opportunities for exploitation; • Inconsistencies in leadership of IT systems; • A significant skills gap in terms of qualified professionals for the government cyber workforce; and • An inevitable increase in the volume and sophistication of cyberattacks. Government can best address these challenges by properly funding cybersecurity investments; strengthening processes for developing and institutionalizing best practices; developing and retaining the cybersecurity workforce; and collaborating with private-sector research communities to leverage the best new and emerging technologies.
About & Acknowledgments About GovLoop GovLoop’s mission is to “connect government to improve government.” We aim to inspire public-sector professionals by serving as the knowledge network for government. GovLoop connects more than 250,000 members, fostering cross-government collaboration, solving common problems and advancing government careers. GovLoop is headquartered in Washington, D.C., with a team of dedicated professionals who share a commitment to connect and improve government. For more information about this report, please reach out to info@govloop.com. www.govloop.com | @GovLoop
Thank You Thank you to BeyondTrust, Carahsoft, Ciena, Cisco, DLT Solutions, HP, Intel Security, Merlin International, Riverbed, Symantec and Veritas for their support of this valuable resource for public-sector professionals.
Authors Hannah Moss, Senior Editor & Project Manager Francesca El-Attrash, Staff Writer
Designers Kaitlyn Baker, Graphic Designer Jeff Ribeira, Creative Manager
1152 15th St. NW, Suite 800 Washington, DC 20005 (202) 407-7421 F: (202) 407-7501 www.govloop.com @govloop