Keeping agency systems diverse could protect them from attack, two cybersecurity professionals said.
President Donald Trump’s cybersecurity executive order directs agencies to share more of their tech services, like payroll and human resources management systems, in an effort to also unify their cybersecurity protections. But not everyone thinks consolidating services is the federal government’s best bet for robust cybersecurity, including representatives from IBM and General Dynamics.
Some common standards can “help everybody understand” how to efficiently set up safe systems, but identical systems “make it easier to repeat the attacks,” Beth Dunphy, IBM’s program director for cybersecurity technologies, said on a panel at the AFCEA Homeland Security and Federal ID conference in Washington.
Attackers could benefit by knowing that multiple agencies are using the same tools in the same way and could potentially just replicate the same attack vector, she explained. “Every organization is unique…[and has] its own risk tolerance,” she said. “At the end of the day, having a little bit of complexity and a little bit of difference can go a long way.”
» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.
The internet of things, a term for a network of devices and digitally-enabled objects, can create that complexity, though it also widens the attack surface, Robert Carey, General Dynamics Information Technology’s vice president for cybersecurity, cloud and unified communications solutions, said on that panel.
“There’s a network of things out there that you never thought about trying to control,” he said, which creates a “balance between...a homogenous infrastructure” and a “lateral diversity.”
“That strikes fears into the hearts of many, but in the diversity, there’s also some safety because it takes a lot to manage that,” he said.
Systems that can gather data from and monitor disparate devices running on disparate systems become much more critical for cybersecurity than having homogenous services, he explained.