For all the damage that can come as the result of cyberattacks, the cost of severed trust is almost always the highest.
At every level, government requires trust: Trust between governments, between a government and its citizens, or between agencies and their contractors. Indeed, for all the damage that can come as the result of cyberattacks—including the loss of intellectual property and the compromise of physical systems—the cost of severed trust is almost always the highest.
Unfortunately, trust remains at risk this year. While cybersecurity technology has continued to evolve—due, in part, to numerous large-scale breaches in 2018—so have threats, especially as agencies and their employees rely on more data and more connected devices to get their jobs done. A risk-based cybersecurity posture is key to dealing with this reality. While trust is crucial, it shouldn’t be blind.
Transparency and Trust
To improve trust in 2019, there first must be more transparency between government agencies and their contractors. Most people don’t even go to a restaurant these days without due diligence. They check out the business’s reputation on Yelp!, OpenTable, or Facebook. The same should hold true for government agencies choosing partners. We need industrywide “security trust ratings” and organizational risk scoring in the same vein as Moody’s credit ratings or individual FICO scores. Such “trust ratings” can indicate how safe it is for contractors to handle critical data, making everything from employee cyber hygiene to past breaches as visible as any other certification or accreditation.
With that in mind, forward-thinking government contractors should plan ahead and treat security as a top priority. Move their CISOs up to report to the CEO. Report security status just as they would report revenue and operations. Relying on surface-level interventions hasn’t been enough for some time, but it will become especially troublesome as ratings breed a new level of transparency.
Agencies can and should also be pickier about their partners. Contractors will need to implement widespread, cultural changes to prove they are trustworthy, and they need to start now. Agencies should encourage breach disclosure and lead with the carrot—not the stick—in order to gain more rapid compliance with security requirements. They may have to pay a premium to contractors that prove they embrace advanced security operations. Transparency and its high trust ratings can and should be a competitive advantage for the most diligent contractors.
A New Type of Cold War
But trust isn’t only relevant within government organizations (i.e. between an agency and its employees and contractors). It’s just as important on a macro scale. In 2018, we saw trust between world powers begin to shrivel, and we saw traditionally open trade borders slammed shut as a result. Indeed, some have said that 2018 marked the beginning of a 20-year trade war. Governments are becoming bolder in their “incursions” into corporate and government infrastructure, which is going to have trickle-down effects. This year could mark the beginning of a new type of cold war—this time, in cyberspace.
It wasn’t long ago—between the late 1940s and early 1990s—that many nation-states acquired new software, hardware and intelligence through espionage. As more countries adopt protectionist postures in 2019, with tariffs tacked onto a wide and growing range of goods, such espionage is surging again, and at cyber speed. With fewer and costly legitimate avenues to bolster cyber capabilities, there is a clear incentive to steal trade secrets and use cyber tactics to disrupt other governments.
Users and Cybersecurity
The continued and persistent escalation of cyberattacks led by nation-states is very real, but it shouldn’t be addressed in a way that means compromising the trust of actual employees. If agencies react to the growing threat landscape by simply locking down security—like many countries are trying to lock down their trade borders—it will simply prevent employees from doing their jobs and may cause them to create even riskier workarounds.
Government agencies need, more than ever, to have a granular understanding of how people interact with sensitive data, no matter where it is located. By knowing how and when legitimate users—whether trusted partners or long-time employees—access trade secrets and other critical content, agencies can better detect and react to unusual behavior. This is one of the best methods to identify untrusted users, accounts or processes, including those being used by hostile nation-states.
Proactive Cybersecurity is Critical
Over the next few years, escalation in nation-state-led cyberattacks will push unexplored limits until a breach or provocation crosses a currently undefined line. The breach may be intentional, accidental, loosely directed (actors may not have full understanding of what they are targeting), or have unintentional consequences (loss of control, for example). It may impact the government, civilians—or both. It may cause financial harm or, worse, loss of life. Regardless of the impact, deterrence will inevitably fail, since it never really worked anyway, and the incursion will likely escalate into a national retaliatory response.
Proactively implementing greater transparency—through security ratings and a deeper understanding of user behavior, to name a few—can help agencies better prepare for these impending threats at every level. Enhanced inspection, proper due diligence, and the right data can help protect trust—one of the most precious commodities any agency has.
Eric Trexler is vice president of Global Governments and Critical Infrastructure for Forcepoint.