The upside is tremendous.
Digital transformation drives the promise of government transformation. But with it comes constant, fast and often unexpected change, particularly around the collection and use of data and the resilience of the systems that turn data into actionable insights. Digitization has also altered the threat landscape, increasing the potential for cyberattacks often motivated by the desire for monetary or political gain or the disruption of services. This leaves public sector agencies at risk regarding:
- Critical Infrastructure. Many legacy infrastructure systems simply weren’t built for the current hostile security environment. Only recently has their significant vulnerability been widely recognized, but competing priorities and tight budgets can divert resources away from this urgent problem.
- Moving to the cloud. Cisco’s 2018 Security Capabilities Benchmark Study showed 82 percent of agencies reporting at least half of their infrastructure is cloud-hosted. Unfortunately, adversaries are following.
- Internet of things. IoT deployments commonly incorporate technologies from multiple vendors, so inherent risk lies in the varying solution development and data protection approaches those vendors apply to their components. Lacking a baseline set of core requirements that address security, data protection and privacy, agencies integrating IoT face growing and often misunderstood risk.
Manage Cyber Risk with a Control Point
Visibility and control are usually the critical missing components for risk management, so start with an assessment of your critical assets, systems, data and people to identify where you are most vulnerable. The network is THE critical control point. Protecting it requires embedding security technology and establishing strong processes and policies so the authenticity and integrity of each device and piece of software can be verified. That mandates transparency about how those technologies are developed.
Demand Vendor Transparency
Transparency must start with the technology vendors themselves:
- Data management. Get clear about what data vendors collect and how it is protected throughout its lifecycle; this is critical not only for regulatory compliance but to gain and keep the trust of stakeholders and citizens. Require that vendors have established policies and practices to identify and report potential breaches.
- Solution development. Request insight into the features, functionalities and security that get built into technology solutions from the beginning. This is particularly important for those multi-vendor IoT solutions.
- Vulnerability disclosure. Digital interconnection means security vulnerabilities can have far-reaching consequences beyond one region or country. Require vendors to disclose all known vulnerabilities and breaches to help you understand and mitigate risks; make sure they also actively manage the handling and closure process.
- Tools and processes. Look for vendors who invest in pragmatic tools and processes that help ensure security. For example, one way we do this at Cisco is with our Transparency Reports, through which we publicly share requests for customer data we’ve received from law enforcement and national security agencies. By already having this process in place, we can quickly adapt as the regulatory environment evolves (i.e. inclusion of requests we’ve received via the Clarifying Lawful Overseas Use of Data Act) without a lapse in service.
Build a Collective Resilience
Conversations I have with customers worldwide reveal similarities in cybersecurity challenges. How do we create a cybersecurity strategy that keeps pace with digital disruption? How do we best protect our critical infrastructure? How do we balance the use of commercial vs. customized solutions?
The dynamic cyber threat will not be solved by one vendor, one solution or even one industry. It is compounded by the cyber talent shortage and the complexity that exists across public and private environments. That makes public-private collaboration more critical than ever; think innovative partnerships that share best practices, cooperate on threat intelligence, teach how to build and deploy secure solutions, and bolster education and training. At Cisco, we feel a responsibility to partner and share best practices in constructive ways, whether it is joining industry initiatives like the Charter of Trust or actively collaborating to combat cyber-crime with organizations like Interpol.
Despite the challenges of digital disruption, the upside potential is enormous. By conducting proper risk assessment, requiring vendor transparency and engaging in innovative partnerships, government agencies can and will digitize with confidence.
Anthony Grieco is a trust strategy officer for Cisco Systems.