This week, President Obama proposed a budget increase of 35% for cybersecurity spending in the overall FY2017 budget. Alongside the $19 billion ask, he also unveiled a new Cybersecurity National Action Plan (CNAP), which purports to “take near-term actions and put in place a long-term strategy to enhance cybersecurity awareness and protections, protect privacy, maintain public safety as well as economic and national security, and empower Americans to take better control of their digital security.” In the CNAP, he called for (among other initiatives) the establishment of a national cybersecurity commission, a $3.1 billion Information Technology Modernization Fund, the creation of a Federal CISO position and a public awareness campaign that empowers Americans to secure their online accounts.
Between the proposed budget and plan, there are a number of areas we could touch on. But for the purpose of this blog, we’ll keep it limited to one:
- Is this budget going to be invested in technology that truly makes a difference?
There is no question that modernizing our government’s computer systems is of utmost importance. Both President Obama and Federal CIO Tony Scott have made their intentions clear. After all, antiquated systems are not compatible with modern security tools. An overhaul will also assist with cyber training – especially training revolving around combating 21st century exploits like phishing.
The federal government has taken several measures to bring IT and security in line over the past few years. Strategies include the use of cloud technologies, converged infrastructure, advanced analytics, next-generation firewalls and various forensic tools. But, there are limits: White House cybersecurity coordinator Mike Daniel has stated that while these solutions will improve the country’s cybersecurity footing, they will not completely stop attacks from occurring. Breaches are a fact of life. Visibility, modernization, and cyber skills will take us only so far.
It’s not all doom and gloom, though – the federal government has money, power and brilliant minds at its disposal. What matters is how all these assets are used.
As stewards of critical federal information, our government leadership must turn towards protecting the rich “targets” that are sought by our adversaries. By “targets”, we mean data.
Officials need only look as far as the OPM breach to understand the gravity of this task. It’s a breach that stands to have major ramifications for years to come. State secrets, military and intelligence information as well as critical infrastructure are all at risk. Reaching the perimeter is simply a means to an end when it comes to accessing targeted data.
The government must take care to see the forest for the trees. That means not just protecting the perimeter, but the data that runs our country. One way to do this? Building out a big picture cybersecurity strategy that embraces and prioritizes encryption and privileged access controls. We strongly believe doing so will foster a more secure government and minimize the attack vector. My colleague Andy Kicklighter put it best in a blog post addressing the Cybersecurity Sprint:
Priorities need to be on the data that is the target of these attacks. A detailed discovery process needs to identify where it is, lock down the access to it at both system levels (OS and file systems) and from within applications, and then accounts with data access need to be watched. This combination, which is best done with encryption, access controls to encrypted data and then monitoring of access patterns for accounts and users that have this access is the best first step to take to limit the damage from penetrations to the network that WILL HAPPEN and then stop the extraction of data before it becomes too critical.
Nothing is an absolute in security. There is no perfect, black and white answer. I understand encryption isn’t a “Holy Grail.” Encryption without operational control of “who/what/where/when” of access is somewhat meaningless. Encryption WITH access-based controls? Meaningful. While it won’t stop bad actors from gaining access to accounts, it will remove many threat vectors associated with SysAdmins and root access.
In comments to reporters on Monday, Daniel stated “If we do not begin to address the fundamental cybersecurity challenges we face effectively, we risk cybersecurity and the Internet becoming a strategic liability for the U.S.” We agree. The status quo isn’t working. It’s time to look beyond the perimeter and give data the attention it’s due.