In federal cybersecurity, what is being done – and what else can be done?
Dave Egts is chief technologist in Red Hat's U.S. public sector.
While cybersecurity has always been a hot-button issue for the government, certain events from last year suggest that, in 2016, security concerns have the potential to skyrocket beyond anything we’ve seen before.
The questions, of course, are what is being done – and what else can be done?
In 2015, the Office of Personnel Management data breach moved security from a front-of-mind topic mainly for chief information security officers and security professionals to a front-of-mind issue for millions of government employees, contractors and their families.
Indeed, this time it was personal, not just a faceless attack on a government server. The OPM breach made it clear that security breaches can put individuals – not just agencies – at risk.
As the scope of the OPM breach became clear, the government moved to take action. In fact, we have already started to see changes in the government’s approach to cybersecurity, and those changes are impressive.
As Tony Scott, U.S. chief information officer, wrote on the White House blog, the Office of Management and Budget launched a 30-day Cybersecurity Sprint, building on the administration’s “whole-of-government” strategy, to assess and improve the security posture of federal IT assets and networks, both civilian and military.
The federal push for strong authentication benefits not only the U.S. government but also the IT industry and users as a whole, relegating the use of usernames and passwords as the sole means of authentication to the past.
And by making authentication “pluggable,” smart software providers can more quickly meet the requirements of government, as well as those of commercial customers who want to use other types of multi-factor authentication, such as one-time passwords.
Where does this leave the federal government in 2016?
Well, for one thing, we can expect that the spread of strong authentication will become just one piece of a much larger cybersecurity modernization effort to drive the “belt and suspenders” approach of defense-in-depth. Thanks to the OPM breach, in 2016, government IT professionals will no longer simply slog through security baselines in order to check a box and get systems into production.
Instead, they should be highly motivated personally to check their security postures even more thoroughly and frequently, question why specific policies are in place, work as a community to provide constructive suggestions for improvements, and use tools to automate rapid security compliance checking and remediation.
These changes will affect the government contractor community. To serve federal agencies, IT companies will need to do their best to demonstrate that the products they are using offer robust security features. Strong authentication is one example; support for CAC, PIV and X.509 certificates will likely be needed just to get in the game.
Government IT professionals, cybersecurity professionals and the IT industry at large should have joint ownership of the security challenge and its solution. Agencies must keep up the pressure on the industry to ensure security is taken seriously while remaining robust and easy to use.
Agencies should also have a seat at the table with their security and industry partners so that the best security measures are adopted pragmatically and through consensus, rather than simply following what security professionals dictate.
In turn, the industry must keep supporting its commitment to provide government IT personnel and security consultants with high-grade software that is continually updated and hardened to help protect against security threats.
This makes a difference. We’ve seen it first-hand with the Security Content Automation Protocol Security Guide, where government security professionals worked with systems administration teams and industry to develop effective and useful security controls as a community. The SCAP Security Guide is a great example of how open source projects can help formulate an effective defense against threats.
In the end, that’s what 2016 will be about – everyone coming together to facilitate a better, more fortified cybersecurity defense model. And while there’s never going to be a completely foolproof way of preventing cyberattacks, collaboration can go a long way toward thwarting potential threats and mitigating the possibility of a breach.