In my blog from a few months ago, I outlined several predictions for 2016 – one of which was that cybersecurity challenges would spur federal leaders to pursue new approaches to this continuing problem. Such a prediction might not seem like a stretch in light of the continuous barrage of headlines related to data breaches and other cyber threats, but since that blog the Obama Administration has indeed taken several notable steps in the first few months of 2016.
One such recent development was the inclusion of a new federal chief information security officer position in the Obama Administration’s 2017 budget request. Having a C-level official who can coordinate security policy, planning and implementation across the federal government will raise cybersecurity to the highest level of awareness and action in the federal government. The CISO position is part of a $19 billion cybersecurity budget request by the Administration, an amount that indicates just how much of a priority this challenge has become. According to the White House, this represents a more than 35 percent increase over the fiscal year 2016 request in overall federal resources for cybersecurity, “a necessary investment to secure our nation in the future.”
Of course, a budget request means nothing if the resulting policies and requirements are not executed appropriately and efficiently. And that’s where the real work starts for federal agencies. Agency security professionals will be faced not only with increasing cyber threats, but also new compliance requirements and other mandates from OMB.
This may seem overwhelming to federal security leaders, many of whom are no doubt already stretched to their limits and worried about their in-house security capabilities. But I strongly believe that success in any complex undertaking starts with breaking the complex down into its basic elements. Any successful IT initiative comes down to three key ingredients: people, process and technology. Policy directives such as the Cybersecurity National Action Plan can help address the “people” and “process” aspects of this three-legged stool, but the “technology” aspect remains especially challenging.
Federal CIO Tony Scott speaks about the concept of “secure by design” – building security into systems at the start, as opposed to retrofitting them with tacked-on protection. Many or even most of the federal government’s systems in use today were not developed with security as a top design consideration, so adding protection at this time has proven a major hurdle. Scott often compares this to installing airbags in a 1965 Mustang: installing them would not only look terrible, it probably wouldn’t even make the car safer.
Instead, we need to think about entirely new approaches to protecting our data and systems.
As I noted in my earlier blog, traditional perimeter-based defenses are not going to keep attackers out 100 percent of the time. Bad actors ultimately will get in sometime and somehow. In addition to focusing on how to keep them out, we should also seek to minimize the damage they can do if indeed they do get in.
“Secure by design” will require a different approach: modern architectures designed to run in the cloud, multi-factor authentication, virtualized and software-defined networks and data centers, and high-value assets protected through micro-segmentation.
Challenges related to cybersecurity remain enormous, and we are playing catch-up after many years of reliance on outdated technologies. However, the recognition and direction we are seeing from those at the highest levels of government is a welcome and positive move.
This post was first published in Federal Times at http://www.federaltimes.com/story/government/it/blog/2016/04/12/federal-cybersecurity-off-flying-start-2016/82797020.