Matt Hartley oversees civilian federal programs at ForeScout Technologies Inc.
It feels like a bygone era, but a few years ago IT systems were remarkably self-contained. Federal PCs and servers fulfilled narrow purposes, and there was little impetus to dramatically change cybersecurity strategies that focused on controlling perimeters or layering ever more security on desktops.
The leap from those days to the rapid deployment of the internet of things across government is remarkable. The old school perimeter-focused approach to security began to show its age in the face of mobile, cloud and bring-your-own-device trends. Yet, the impact of those smartphones and tablets pales in comparison to how the internet of things is changing IT assets and cyber risk imperatives.
Because the IoT is relatively new, it brings unfamiliar complexities for federal IT professionals. Nearly nine in 10 agencies consider the security of IoT devices “essential” to executing their mission. However, 58 percent rate their ability to protect these devices as no better than “somewhat” confident (that is, “somewhat,” “not very” or “not at all” confident), according to research from the Government Business Council, the research arm of Nextgov’s parent company.
One initiative aiming to measure and mitigate IoT risks to civilian federal agencies is the Homeland Security Department’s Continuous Diagnostics and Mitigation program. Launched in 2013, CDM provides the capabilities and tools to secure networks, enables agencies to automate searches for known cyber flaws and identifies the most critical risks for agencies to address first. The CDM program is the government’s bid to move from a periodic, compliance-based security posture to continuous assessment and mitigation of risks to federal civilian IT networks. While not intended to address IoT risks exclusively, CDM may nonetheless succeed against them because it focuses on three core concepts that hold regardless of the IoT or security technologies at hand.
First, Know What’s on the Network
IoT worries are fueled by uncertainty, so CDM began by “shining a light” to build a true, real-time view of the devices connected to federal networks. According to Homeland Security, one of the CDM program’s key successes is its discovery, on average, of 44 percent more connected assets across agencies than the organizations originally reported. As the time-proven adage goes, “you cannot protect what you cannot see,” and Homeland Security and the agencies likely know that any remaining visibility gap in a network represents a serious risk to the enterprise. Indeed, complete and continuous visibility is the nucleus of phase one of the CDM effort.
Next, Know What is Happening on the Network
Which devices are coming and going? A continuous foundation of visibility makes it easier to sort employee laptops from iPhones, badge scanners, office equipment or security cameras. By classifying connected “things,” you can study what they do, or, more tellingly, what they are supposed to do versus what looks unauthorized or malicious. What purpose do the devices serve? What kind of traffic do they create? Which users do they support? Answering these questions lets departments identify the IoT assets performing the most critical functions.
Mitigate the Risk in Real-Time
When agencies have continuous visibility and classification capabilities, they are empowered to mitigate risk in real time, for example by restricting or isolating certain devices from wider traffic, or by cordoning off especially risky devices altogether.
Helpfully, Homeland Security has provided agencies with CDM tools that automate risk mitigation based on policy, enabling security teams to establish scalable rules that reflect their respective missions and risk tolerances. However, enforcing IoT policies, as with rules governing PCs or employees, is only possible when you have real-time insight across all assets and the whole workforce. The ability to identify, measure and mitigate risk at machine speed will ultimately be the true measure of CDM’s success, and the potential for this exists once visibility and classification are fully achieved in the next phase, called CDM DEFEND.
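As an added illustration of the three steps above (visibility, classification, policy-based mitigation), the following Python sketch reconciles a reported inventory against what a discovery sweep actually observed, classifies each observed device with simple fingerprint rules, and applies a policy that allows, restricts or quarantines it. This is example code written for this page; it is not CDM tooling, ForeScout code or an agency’s data. Every MAC address, IP, DHCP vendor string and port signature is constructed sample input, and the classification heuristics and policy thresholds are assumptions for illustration.

```python
"""Visibility -> classification -> policy mitigation over a constructed inventory.

Added example; nothing here is CDM tooling. The MACs, IPs, DHCP vendor strings,
port signatures and policy rules are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Input: what the agency *reported* before discovery (MAC -> asset tag). Constructed.
REPORTED_INVENTORY: Dict[str, str] = {
    "00:1a:2b:00:00:01": "WS-0001",
    "00:1a:2b:00:00:02": "WS-0002",
    "00:1a:2b:00:00:03": "SRV-0001",
}


@dataclass(frozen=True)
class Observation:
    """One device seen on the wire (from DHCP leases, ARP tables and a port probe)."""
    mac: str
    ip: str
    dhcp_vendor: str            # DHCP option 60 vendor class, "" if none was sent
    open_ports: FrozenSet[int]  # TCP ports that answered the probe


# Step 1, visibility: constructed output of a discovery sweep.
DISCOVERED: List[Observation] = [
    Observation("00:1a:2b:00:00:01", "10.0.1.11", "MSFT 5.0", frozenset({135, 445})),
    Observation("00:1a:2b:00:00:02", "10.0.1.12", "MSFT 5.0", frozenset({135, 445})),
    Observation("00:1a:2b:00:00:03", "10.0.1.20", "", frozenset({22, 445})),
    Observation("a4:c1:38:00:00:10", "10.0.2.31", "", frozenset({80, 554})),
    Observation("d8:49:2f:00:00:20", "10.0.2.40", "HP-Printer", frozenset({9100, 631, 23})),
    Observation("f0:9f:c2:00:00:30", "10.0.2.55", "", frozenset({23, 80})),
]


def reconcile(reported: Dict[str, str], discovered: List[Observation]) -> Dict[str, object]:
    """Compare the reported inventory with what discovery actually saw."""
    seen = {o.mac for o in discovered}
    unreported = sorted(seen - set(reported))   # on the wire, not in the books
    missing = sorted(set(reported) - seen)      # in the books, not on the wire
    extra_pct = 100.0 * len(unreported) / max(len(reported), 1)
    return {"unreported": unreported, "missing": missing, "extra_pct": extra_pct}


# Step 2, classification: ordered fingerprint rules, first match wins.
# (Assumed heuristics; a real deployment would pair an OUI database with
# protocol fingerprints rather than a handful of port checks.)
def classify(obs: Observation) -> str:
    if obs.dhcp_vendor.startswith("MSFT"):
        return "workstation"
    if obs.dhcp_vendor.startswith("HP-Printer") or 9100 in obs.open_ports:
        return "printer"
    if 554 in obs.open_ports:                   # RTSP is typical of IP cameras
        return "camera"
    if 22 in obs.open_ports and 135 not in obs.open_ports:
        return "server"
    return "unknown"


# Step 3, mitigation policy (assumed rules, not an agency's actual policy).
CLEARTEXT_MGMT_PORTS = {23}                     # telnet open: restrict regardless of class
IOT_CLASSES = {"camera", "printer"}


def decide(obs: Observation, device_class: str, reported: Dict[str, str]) -> str:
    """Return the enforcement action: allow, restrict (to its function) or quarantine."""
    if device_class == "unknown":
        return "quarantine"                     # cannot say what it is: isolate pending review
    if obs.open_ports & CLEARTEXT_MGMT_PORTS:
        return "restrict"
    if obs.mac not in reported and device_class in IOT_CLASSES:
        return "restrict"                       # unreported IoT: confine to its own segment
    return "allow"


def run_pipeline(reported: Dict[str, str],
                 discovered: List[Observation]) -> Dict[str, Tuple[str, str]]:
    """Visibility -> classification -> action for every observed device."""
    decisions: Dict[str, Tuple[str, str]] = {}
    for obs in discovered:
        device_class = classify(obs)
        decisions[obs.mac] = (device_class, decide(obs, device_class, reported))
    return decisions


if __name__ == "__main__":
    report = reconcile(REPORTED_INVENTORY, DISCOVERED)
    print(f"discovery found {report['extra_pct']:.0f}% more assets than reported: "
          f"{report['unreported']}")
    for mac, (cls, action) in run_pipeline(REPORTED_INVENTORY, DISCOVERED).items():
        print(f"{mac}  {cls:12s} -> {action}")
```

The point of the ordering is that the policy can only be as good as the two steps feeding it: a device that discovery never saw is never classified, and one that is seen but cannot be classified is quarantined rather than silently allowed. Rule order matters too; the cleartext-management check runs before the inventory check so a reported printer with telnet open is still restricted.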
Having worked with federal cybersecurity teams for years, what I find most striking about the IoT stakes facing government is the pivotal window of time that initiatives like CDM have to shape and control a connected future unlike anything we have seen since the dawn of the web. When I talk with federal CIOs, it is telling that none of them plan to buy appreciably more laptops in 2018, yet every one of them expects far more IoT gear in their departments.
The pace of technology is always disruptive, but the IoT’s shockwave can also help government modernize technology, improve citizen service and even become more secure in the process. The principles of CDM are a good reminder for .gov and the Fortune 500 alike that security can coexist with change and innovation as long as you continually shine the light, study what it reveals, and act.