Expert Q: Protect Government from the Next Cyber Threat

Presented by AT&T

Build a stronger end-to-end security strategy

When asked about recent cyber-attacks targeting the federal government, U.S. Department of Homeland Security Secretary Jeh Johnson said, “Federal cybersecurity is not where it needs to be.”

Today, the quantity and velocity of attacks against the government are growing, and there’s a real need to develop a comprehensive cyber strategy for government.

Protection methods that were once effective are no longer rigorous enough to respond to increasingly complex attacks. With the threat landscape changing so quickly, it's especially important that government agencies develop comprehensive end-to-end security strategies.

And, when it comes to stronger end-to-end security, Chris Smith, Vice President Technology for AT&T Government Solutions, says most agencies need to keep in mind the variety of threats, as well as the technology and information most at risk.

Q: How has the threat landscape changed just in the last few months?

Threats are ever-present and accelerating. The number of attacks, occurring day-in and day-out, is increasing. They are escalating in terms of impact and the types of attacks continue to evolve — that’s the new normal. To keep up, government has to change how it responds to attacks. There’s really no end in sight because we’re so reliant on technology. The landscape is not easy today. It’s not going to be easier tomorrow, and it’s definitely not going to be easy a year — even a month — from now.

Q: Given the spread of new technology, what are the current security demands of government?

You have to start by looking at the threat actors themselves. Each one wants to do damage or harm, but they have different motives for every malicious event. Some want to steal identity or money. Then, you have hacktivists who want to damage an organization’s reputation, and you have nation states who, for the most part, want to steal intellectual property. You’ve got to think about who’s coming at you first and what it is they are after.

Next, you have to consider the complex environments that government works within today. Right now, you have very large-scale legacy operations in government — think the largest operations of their kind across the globe such as the U.S. Postal Service, Internal Revenue Service, Department of Treasury, Department of Defense or the Department of Agriculture — and these agencies rely upon information technology as a strategic asset. These environments are inherently complex due to the age and scope of the systems with a large variety of software and hardware, making them more difficult to secure.

Q: Government has recently been the target of numerous cyber-attacks. Why are agencies seeing this now, and what types of attacks are they facing?

There are many different styles of attacks. A common one is the Distributed Denial of Service (DDoS) attack, in which a group attempts to overwhelm an organization's IT resources and bring them to their knees. We see thousands of these attacks happening per day. We also have a huge amount of malware being placed on computers in order to gain a foothold into the organization. Mainly, this is accomplished through phishing attacks. Recent compromises are indicating that sophisticated attackers will expand their presence in the network to siphon off data over a long period of time. Organizations will have a hard time identifying these exfiltrations using common identification techniques. A new large-scale data analytics model needs to be utilized in order to identify and ultimately stop attackers before they can do further damage by stealing very sensitive data or by taking down IT infrastructure, like a human resources database for instance. This style of an attack is nearly impossible to stop once inside.

But, what this all comes down to is the security of our nation and way of life. If an attack inhibits an organization's ability to serve the public, we’re talking about a very dangerous situation. Threat actors want to disrupt the operation, and if they do, we have a very serious problem on our hands.

Q: What, then, should a cybersecurity strategy look like for agencies today?

We used to say that a defense in-depth strategy — holding off the hordes at the perimeter — was the way to go. Well, today nearly every type of organization, including government, has been penetrated because it’s not good enough to only protect the perimeter. You have to understand what’s happening – inside the enterprise, inside the network, and inside the compute services. Agencies need to look closely — as much inward as we do outward — to ensure that intellectual property and information is not being delivered to unintended people.

Q: Talk about the importance of employing a strategy that is end-to-end.

End-to-end protection means you’re able to protect the information that a threat actor is after. We shouldn’t be trying to protect all things at the same level. There are certain high-level, sought after pieces of information that someone might try to obtain, and that’s where attention needs to be focused. The biggest challenge for agencies today is simply identifying the assets that matter most, and putting a high level of security around those assets.

Q: When you look at mobile device security, do you think the federal government is doing a good job?

I would say yes, agencies are addressing mobile security, but the reality is that the world is moving at such a fast pace that too often mobile device evolution can outpace security concerns. Every application that you build today should be designed to operate with mobile. It’s the way government does work today. But, mobile security really has to be a shift in mindset. You have to know the types of devices connecting to your network, and how often they’re being updated for security. Let’s be honest, smartphones and wearables are here and that means everything is going to be connected. So you have to architect your IT and push policy, with things like mobile device management, to not only meet the mobile security challenges of today, but also to address future challenges.

Q: So what are the security services that make the most sense for government today?

Cyber threats are changing so quickly that a chief information officer should be looking at security-as-a-service. The subscription-as-a-service model is useful because your security needs change as your technology needs change. Thinking about security as a service also makes sense from a performance and cost level. If you’re going out and buying all the pieces to a technology solution without routinely updating the security, then you’re putting your agency at risk. Cybersecurity is about coupling services for speed and efficiency while being able to make security updates as quickly as possible.

This content is made possible by AT&T. The editorial staff of Nextgov was not involved in its preparation.