With great amounts of data comes great responsibility. As federal agencies collect more data, figuring out who should — and shouldn’t — be handling it is a crucial cybersecurity concern, according to several federal officials on a panel at the 2016 GITEC Summit in Baltimore.
The officials said that identity and access management — and determining when anomalous activity is the result of malicious actors or insider threats within agencies — are key tools they turn to. Yet the concerns are multiplying as data volumes grow, they said. Shaun Khalfan, chief information security officer at U.S. Customs and Border Protection (CBP), summed up the problem succinctly: As the agency aggregates more data, he said, “it’s not even a needle in a haystack. It’s a needle in a stack of needles.”
Who gets access to information?
Khalfan said that agencies need to determine which data and activity to flag for suspicious or anomalous behavior and use a risk matrix to determine the riskiest activity. For example, he said, there might be an Adobe file that is trying to access the Internet. Or, there might be a user who normally logs on from 8 a.m. to 5 p.m. but is instead logging on at 7 p.m. Is that because of suspicious activity or because the official changed their shift?
“How do you look at something that is outside of the norm?” Khalfan asked. Additionally, he said that adversaries have changed their playbook and are now looking to “blend in with the noise” and stand out less among vast troves of data.
Within an agency, there are perimeter security defenses, networks, systems and applications. Agencies need to use role-based identity and access management security controls to cut through all of that, Khalfan said.
Scott Cragg, chief technology officer for the Federal Retirement Thrift Investment Board, discussed the idea of “running dirty” in cybersecurity terms. That means operating in an ecosystem that is “not familiar, not standardized and somewhat chaotic.” While that might work in a user’s personal life, he said, that is typically not how the federal government operates, especially because security of personal and sensitive information is paramount. He noted that the healthcare industry is currently debating which institutions should hold on to which personal information of patients, and “who should have the keys to unlock it.”
“Where does data best belong? Who controls it? How do you unlock it?” Cragg asked. He suggested that the best solution is a “hybridized relationship” that takes context into account to determine which actors get to access information.
How to recruit the best cybersecurity talent
In addition to making sure systems are secure, agencies need to continue to fill the pipeline with young cybersecurity talent, the officials said. Lee Kelly, a senior member of the Environmental Protection Agency's Cyber Security Staff, said that the EPA uses initiatives like the CyberCorps, internships and career days to recruit. Kelly said that the EPA often likes to reach out to high school students as well as those in college. Just as important, he said, is giving young cybersecurity professionals the opportunity to grow professionally and personally. He also said that if someone enters the agency as a firewall administrator, they can stay in that role, but the EPA will give that person the ability to specialize in forensic cybersecurity, malware detection or other areas.
“We’re giving you the opportunity and the capability, as the needs arise, to explore those opportunities as well,” he said.
Khalfan said the CBP will generally lose around 75 percent of its cybersecurity employees once they hit the GS-12 pay grade, unless he can really sell them on the agency’s mission of preventing human trafficking and narcotics from entering the country. Since many employees eventually leave for higher pay in the private sector, he said, he looks to engage with colleges and high schools early to keep the pipeline of talent full.
This content is made possible by FedTech. The editorial staff of Nextgov was not involved in its preparation.