a global affairs media network

www.diplomaticourier.com

The Menacing, Hopeful Future of U.S. Government Cybersecurity

August 16, 2017

Cybersecurity has been at the top of every corporation’s, organization’s, and, in fact, nation’s agenda for arguably the majority of the 21st century. The U.S. government is working to keep up with the private sector and remain ahead of the countless impending cyber-attacks. But where specifically do federal agencies fall short in cybersecurity, and what can they do about it? In order to assess the current state, progress, and future of U.S. government cybersecurity, GovLoop, an organization based in Washington with the goal of connecting and improving government, and Akamai, a leader in Content Delivery Network (CDN) services, partnered to conduct a review of federal cybersecurity. In this review, over 350 federal employees were surveyed; the survey focused on reviewing cybersecurity in government in 2016 and predicting key challenges for 2017. The results of the survey point to a future where constant innovation, assessment, and research are necessary to protect the infrastructure of our nation.
In 2015, federal departments reported 77,183 cybersecurity attacks, a 10% increase from 2014, and that number is predicted to rise. Agencies are split when it comes to the level of preparedness they feel; according to the survey, 47% of the government agencies that experienced the aforementioned attacks felt capable of responding. Possibly, a certain level of preparedness resulted from the Obama administration’s FY 2014-2015 Cybersecurity Cross Agency Priority (CAP) Goal Report, which monitored and measured agency improvements in specific high-priority areas, including strong authentication. The CAP report inspired success in certain areas; the percentage of civilian users with personal identity verification (PIV) cards about doubled, and over half of the survey respondents say that their own security procedures were extended to include mobile protection. Despite these small successes, the review uncovered three main cybersecurity challenges that must be further addressed.
One of the most pressing (albeit difficult to address) challenges is the rapidly increasing sophistication of cyber threats. Of special concern are Distributed Denial of Service (DDoS) attacks. These attacks have the ability to crash sites by flooding them with traffic, and recently, the average size of one DDoS attack has more than tripled. Such expansive and evolving attacks necessitate the prioritization and protection of federal agency information. It may be better to devote more resources to protecting the most critical information, rather than attempting to spread resources to cover everything.
The second major challenge identified for the federal government is resource constraints. In general, federal cybersecurity and IT funds are not expanding at the same pace as cybersecurity threats are. It does not help that many federal agencies still use legacy systems; over half of the federal IT budget goes to support these outdated systems. In addition, it is challenging to compete with the private sector and incentivize young, talented IT professionals to come work for the government. The President’s budget for 2017 requests $19 billion, a significant increase from 2016, largely to support cybersecurity infrastructure. $3.1 billion is proposed for the IT Modernization Fund, to replace many legacy systems. However, such additional funds are not guaranteed; federal agencies should operate under the assumption of a very limited budget.
The last main challenge noted in the review is the lack of education in the cybersecurity workforce (and federal workforce in general). Employees can unknowingly compromise key security procedures if unaware or misinformed, and many federal agencies depend too heavily and solely on their IT teams. Better overall “cybersecurity hygiene” should be practiced throughout agencies, in order to minimize successful cyber-attacks. Where there are challenges, there are of course potential solutions.
Akamai’s review reveals three possible cybersecurity strategies for the future: continuous monitoring and advanced authentication, cloud-based solutions, and improving employee education and hiring practices. Two-factor authentication, DHS’s Continuous Diagnostics and Mitigation (CDM) program, and the use of site defenders, which maintain website performance and address threats simultaneously, are ways in which the first strategy can be operationalized. Cloud-based technology allows for the easier integration of data from multiple systems and centralization, giving leaders better visibility. Improving employee education and hiring techniques will take the most time, but has the potential to reap perhaps the greatest reward in the long term. DHS has provided a Cybersecurity Workforce Development Toolkit, which can be highly beneficial but will take a lot of time to implement. In the meantime, web-security services can be used to supplement the additional IT workforce needs.
Another way for the federal government to innovate is to conduct what are called “bug bounties.” This practice entails publicly opening up websites and systems to “hackers” (approved researchers) who compete for reward money by hacking in order to expose vulnerabilities, which can then be fixed. According to the Akamai review, this strategy is commonly used in the private sector; it was used for the first time in the public sector in a 2016 initiative called “Hack the Pentagon.” Over the course of one month, over 1,000 vulnerabilities were exposed and quickly fixed. The DoD paid a total of $150,000 (in reward money to hackers), when a project of such scale would typically have cost over one million.
The review suggests that bug bounties such as this, in combination with solutions like adopting cloud, practicing continuous monitoring and advanced authentication, and improving employee training and recruiting, have the ability to give federal agencies the edge they need to combat the growing number of cyber adversaries. This is not to say that there are no additional areas the government should focus on for the future of cybersecurity. Other important developing areas include big data analytics (more devices result in increasingly large pools of data to be analyzed), the “internet of things” (equipment such as cars, refrigerators, and other automated devices must be protected as well as servers), and cognitive computing (utilizing machine learning). With many high-priority areas and an ever-expanding threat, the future of government cybersecurity may seem menacing. However, if the government maintains a flexible yet urgent stance, open to innovation, and presses forward in the areas where success (long-term and short-term) is most possible, the future is also hopeful.

The views presented in this article are the author’s own and do not necessarily represent the views of any other organization.