Cyberattacks are constantly evolving, and cybersecurity practices must evolve with them. The federal government is no exception to this rule, where perimeter hardening has given way to a focus on continuous diagnostics and mitigation, identity management, threat intelligence and the protection of critical infrastructure. Against this background of change, high-profile data breaches continue to dominate the news, from OPM’s infamous loss of federal employee SSNs to the Equifax breach, which potentially compromised the identities of 145 million Americans.
So for government agencies in the midst of IT modernization, what’s the best way to ensure infrastructure protection?
Start at the root: these are the five initial areas government agencies can focus on.
With huge media attention on the risks of identity theft, the federal government has already turned its cybersecurity focus toward the human, or user, side of identity. Many of the recent breaches were made possible by stolen user credentials and mismanaged permissions. However, while authentication will remain important for preventing data theft, user identity management answers only half the equation.
The other half of the equation, the machines through which users – both legitimate and malicious – access the network, remains inadequately addressed. Machines use keys and certificates to authenticate themselves on a network and to communicate with one another. Just as an attacker can steal an employee’s password and other login information to access a system, so too can stolen or mismanaged machine credentials be used as an attack vector to intrude into a network.
Current trends show that there will soon be a large emphasis on the protection of machine identities in addition to continued focus on user identities. This shift in priorities will come just in time as the federal government gears up for its next large cyber initiative: protecting critical infrastructure.
The National Institute of Standards and Technology (NIST) has been leading the federal government’s next cybersecurity push since the Obama administration issued an executive order in 2013 focused on building the resilience of the nation’s critical infrastructure. In response, NIST has developed the Cybersecurity Framework to integrate industry standards and best practices into the federal government’s risk management strategies.
Meanwhile, the Oval Office continues to prompt strengthening of federal networks and critical infrastructure, most recently with Executive Order 13800, which states: “Cybersecurity risk management comprises the full range of activities undertaken to protect IT and data from unauthorized access and other cyber threats, to maintain awareness of cyber threats, to detect anomalies and incidents adversely affecting IT and data, and to mitigate the impact of, respond to, and recover from incidents.”
The government’s new focus on securing critical infrastructure comes none too soon, as attackers begin to target facets of daily life, affecting not only virtual environments but threatening physical ones as well. The latest target of these attacks hits close to home: the U.S. power grid. In September, cybersecurity researchers reported that a hacking campaign had successfully gained access to the corporate networks of over 20 power grid utilities. In a small number of cases, the intrusions gained direct access to the control interfaces used to send commands to circuit breakers and other equipment.
None of the infections were used to sabotage the power grid, but the threat posed by the large-scale success of this campaign is only underscored by experiences outside the United States. Suspected Russian hackers attacked Ukrainian utilities in December 2015, shutting off power to a quarter million people. The perpetrators behind the U.S. intrusions remain unidentified, but this is only one campaign in a series of attacks on U.S. infrastructure stretching back to 2010. Without a significant response, these intrusions are likely to continue.
Federal initiatives to better understand and develop the Cybersecurity Framework are a promising start to protecting critical infrastructure; agencies will need to continue adapting as cloud transitions add virtual machines to their networks. Strengthening user identity will remain important and securing machine keys will become more so as federal departments work to protect infrastructure. Education around the required management of agency keys and certificates, the need to secure and protect these identities, and the role that they will play in critical infrastructure protection offers a good starting point as agencies adapt to a new cyber landscape.
To complement these trends, see Venafi’s tips for securing systems made vulnerable by government IT modernization, such as how to protect machine identities, on Carahsoft’s blog.