Joseph Kinder recently retired from U.S. Cyber Command after 30 years of U.S. naval service. He serves as general manager of cyber operations and tactics at MetroStar Systems.
Government agencies and those cleared contractors that support their data, websites and other IT services can learn from a common “sea-story” often told among sailboat skippers on the Chesapeake Bay: “When sailing on the Chesapeake, a sailor has either run aground or is about to.”
The corollary is that when dealing with government websites and the data behind them, you’ve either been “hacked” or you’re about to be. For the past three to five years, those who hope to breach our public-facing websites and exploit our applications and data have far outnumbered those assigned to protect them.
With that in mind, there are several steps agency and command leadership can take to harden their cyber defensive posture:
1. Establish an active role for leadership in the security strategy and governance of your core IT workforce.
Far too often when post-“incident” debriefs occur, leadership is unaware their lead IT security personnel was involved in providing insight into priorities for the allocation of their very limited IT security budget. They had no idea how security measures were evaluated, nor were they involved in decision making on necessary changes to security postures. It’s said, “If the boss doesn’t care, no one else will.”
2. Prioritize your cyber terrain.
Spend the time to establish the importance of those services or data stores key to the agency or command’s mission. Include key leadership across the organization and ensure they “buy in” on the priorities.
Get the most bang for the cyber buck by allocating resources to those areas with the highest priorities. Use risk management decision making methodologies when determining the value for such expenditures.
Be prepared to recognize that in some instances, the vulnerability and probability of an exploit of a critical segment of your system may require new resources -- lots of new resources.
3. Take a hard look at your public-facing Web presence.
Are you providing access to your data that supports mission requirements? Or is your site for information only, with no data being exchanged?
In both situations, you remain a target and as such must take precautions to make yourself a “hard target.” Ensure your IT staff has the latest security patches in place on those areas most likely the target of an exploit. Remove old data access points if they no longer meet mission needs, or consider how to consolidate those accesses to improve situational awareness and reduce attack surfaces.
4. Develop cyber intelligence from multiple sources.
Frankly, most vendors provide unclassified updates concerning their own vulnerabilities as soon as they are discovered. Chief information officers openly share leads, concerns and understanding of potential new threats and or vulnerabilities. How well are you plugged into this information? How do you act when this information comes into the organization? Always, always, always convene the agency’s/command’s governance or security working group to assess your risk.
5. The most lethal threat is from inside the agency or command.
Be creative and establish ways to reward good stewardship and/or punish the foolish, lazy, sloppy and/or criminal digital buffoonery.
6. Make yourself a hard target and fight hurt.
Don’t be too quick to shut down the network or website while assessing a potential breach or exploit. That’s the best way to provide bragging rights to an adversary, no matter who they are or their intentions. Keep them guessing and perhaps they move on to the next target or potential victim.
Always remember that when you’re in a cyber firefight, you have all the resources of the federal government behind you. Ask for help and help will come, and of course when sailing on the Chesapeake, try to stay between the buoys.