The biggest challenge facing cybersecurity professionals in Federal agencies is, well, the Federal government. There are sweeping mandates to keep agencies secure. But the funding to back that guidance is tied to factors that may not even contribute to the protection of privacy and intelligence. Budgets are driven by enforceable regulations, not necessarily by the most effective protection strategies. This leaves Federal security teams facing the unenviable choice between securing their agencies and securing their jobs. But that is a choice that may not be entirely within your control. One breach and all hell breaks loose.
According to the Government Accountability Office, “If information security controls are ineffective, resources may be lost, information—including sensitive personal information—may be compromised, and the operations of government and critical infrastructure could be disrupted, with potentially catastrophic effects.” The office also highlighted several weaknesses in current Federal cybersecurity practices, including lack of risk-based cybersecurity programs and access control systems, while calling for improvements in contractor oversight, incident response, and security programs at small agencies.
However unenforceable or underfunded, cybersecurity remains a top priority for President Obama. Outlined in a White House blog, the 2016 Federal Cybersecurity Research and Development Strategic Plan calls for “new forensic capacities that reliably identify the perpetrator quickly enough to take action, without compromising free speech, or anonymity for those who are doing nothing wrong.” Again, no one is arguing that Federal agencies will not need advances in cybersecurity to remain viable. But the real question is what can you do RIGHT NOW, given current funding and regulatory limitations.
In the wake of the massive data breach at the Office of Personnel Management, which exposed the records of nearly 22 million federal workers, Federal agencies are worried. But will legislators match that concern with the cash needed to implement the required cybersecurity? Time will tell. But in the meantime, the Office of Management and Budget recently upped the ante with the Cybersecurity Strategy Implementation Plan. The plan includes recommendations for basic security upgrades to prevent infiltration and breach. It’s a smart plan. And the goals are solid, but it’s the journey to those goals that remains uncertain.
The machine of bureaucratic change is admittedly cumbersome and slow moving. The U.S. Federal government is not run like a business. It is run like the slow-moving, unwieldy superpower that it is, where change is slow and hard fought. Because the government is not profit driven, there may be little formal incentive to increase productivity or reduce costs. There are, however, informal incentives to allocate funds to penalty-driven programs, expend budgets, and maintain continuity. No agency wants to do anything that would disrupt service, as illustrated by the problems that plagued the launch of the Affordable Healthcare Act. So your upgrades get deferred. Then the budget disappears. The problems remain, and you are back where you started. It’s very much a fix-it-now, catch-up-later mentality, according to an astute article in the Daily Dot.
The first focus is to overcome the problem from within
In a survey commissioned by HP, the Ponemon Institute recently found that the Federal Government may be its own worst enemy when it comes to cybersecurity. 44 percent of federal workers who responded to the survey indicated that “the biggest threat to federal cybersecurity is ‘the negligent insider’ at an agency who fails to take enough precautions while using or protecting government networks.” By comparison, only 30 percent of respondents marked nation-state hackers as the primary threat.
Enforcement is everything. Employee compliance is critical. And support must trickle down from the top to the middle. The ultimate success of Federal cybersecurity relies on getting buy-in from cabinet secretaries and mid-level managers. It’s a change of mindset that may seem a bit unrealistic. But it’s the only way that the government can truly enact critical changes in cybersecurity. In the meantime, while new systems may be slow to implement due to concern over the continuity of large government programs, agencies must lock down the proper controls that will protect them throughout the process.
Agencies still need to overcome the burdens inherent in large government to enact the changes needed for effective, up-to-date cybersecurity. The good news is that you have backing from the highest levels, i.e., the Oval Office. But outlining and securing the necessary funding remains a challenge, as do staffing and implementation. To have any chance of bringing cybersecurity up to code, agency teams must identify, clarify, and justify the fastest, cheapest ways to mitigate the highest risks. Automating that security is one of the best ways of enforcing compliance.
At Venafi, we believe that as the foundation of cybersecurity, keys and certificates are a good place to start. Without these forms of validation and authentication, we would simply not know which systems, applications, or users to trust. Control that system of trust (or mistrust) and you control access to your critical digital assets. Venafi can help automate the protection and management of your agency’s keys and certificates. Plus, it’s a smart place to invest, especially to prevent man-in-the-middle (MITM) attacks, spoofed websites, code-signed malware, and other threats that misuse keys and certificates to bypass even the most rigorous security controls.
Talk to us today to find out how Venafi can help you eliminate blind spots to protect your agency during the planned upgrades in your cybersecurity.