Industry Ideas for Boosting Gov’t Cybersecurity: Go Back to the Basics

A new report on ways the government can tackle persistent cybersecurity challenges contains a crowdsourced list of best practices from industry and government experts compiled in the wake of the massive Office of Personnel Management hack.

But one thing the report doesn’t contain: any surprises or secrets.

Simply by getting the basics down -- more robust training for rank-and-file employees, prioritized funding and faster breach detection -- agencies could go a long way toward improving their online defenses, according to the report.

“Much of what is required, expected or even possible in cybersecurity management is known to cybersecurity professionals, but not fully or properly implemented across the government,” the report concluded.

The “Cybersecurity Ideation Initiative Report,” dated December 2015, was made public today. Representatives for the nonprofit American Council for Technology - Industry Advisory Council said the group formally presented the report findings to U.S. Chief Information Officer Tony Scott in a meeting last week.

The group first began soliciting ideas last summer following revelations of the massive OPM hack, in which personal information of more than 21.5 million federal employees, retirees and contractors was pilfered by hackers from the agency’s background-investigation files.

All told, more than 120 tips were suggested via the group’s public website and voted on by members.

Among the suggestions:

Better training for employees: “Cybersecurity-related training in government is largely deficient,” the report stated. “Greater emphasis is needed on competencies, practice sessions and drills, and shared cyber knowledge management.”

The report recommended agencies start a “cyber tip of the day” and “cyber blunder of the day,” to begin to increase continuous awareness instead of once-a-year training. 

Hold more senior leaders accountable.  “No real accountability exists today for executives in regards to cybersecurity failures,” the report stated. “Accountability should exist in cases where known security program weaknesses, including those identified in audits and continuous monitoring, existed before an incident and executives failed to address them. Unsubstantiated risk acceptance should not be an acceptable excuse for failing to address security gaps.”

Get smarter about funding. The report recommends the creation of a “cyber investment management board,” through which senior leaders can divvy up resources for the highest-priority systems and projects. “Cybersecurity needs to be escalated from being treated as an IT concern to a business risk concern,” the report stated. “Cybersecurity decisions should involve senior leaders of an organization to enable informed risk- and security-based decision-making and implementation.”

More rapid breach detection. “Many agencies do not have proven, effective breach response plans and procedures in place,” the report concluded.

Agencies should augment “signature-based” detection techniques with behavior-based threat detection. That includes two Department of Homeland Security-managed monitoring tools -- EINSTEIN and the Continuous Diagnostics and Mitigation program -- used by agencies to detect cyberintrusions.

“When such a behavior-based system sends alerts, the probability that a cyberincident is occurring is high, meaning actions should be taken in near real-time to halt the cyber event,” the report stated.

Agencies should also think about launching special penetration teams who mimic hackers to ultimately spot threats based on anomalies Web-traffic patterns, the report said. “Red Team” penetration testing -- followed by Blue Team auditing -- can be obtained through pre-vetted governmentwide contracts managed by the General Services Administration for agencies that lack the in-house talent, the report noted.

(Image via wk1003mike/Shutterstock.com)