Federal agencies are exploring new technologies like artificial intelligence, blockchain, 5G and "internet of things" to improve IT mission delivery. But with emerging tech comes new security risks.
Vincent Sritapan, cyber section chief at Cybersecurity and Infrastructure Security Agency, said even just the shift to telework forced federal agencies to reevaluate security processes.
“[Telework] really changed the way people provisioned services, secured services and enabled their workforce,” he said during the ATARC 2021 Cybersecurity Summit last week. “How we do cybersecurity — really the paradigm has shifted. [For video meetings] I need to make sure I have a dial-in number, enough service lines available for all the people in the room. We used to have issues of too many people on the call or in the room or no dial-in info for a video conference. Is it password protected? Those types of things have changed how we look at cybersecurity today. I do think understanding the impacts of COVID-19 and how we work today, the cybersecurity paradigm has shifted.”
Greg Crabb, CISO for the Postal Service, said the service begin exploring blockchain technology 18 months ago to trace mail-in ballots from voters to election authorities to ensure no ballots are lost and all ballots are counted.
"You as the citizen need to have the assurance that your transaction was fair and completely represented in the course of the election," he said. "That's just one project we're working on, which points to how other organizations may want to consider the physical-to-digital convergence."
With the country's 18,000 election authorities, the Postal Service is a unique provider to all those authorities, he said. Blockchain could help reduce risk around election hacking and fraud.
“We promulgate requirements based on how a mail piece should be designed, but it's up to the election authority to decide to design it with a barcode so we can tell you it was received by the election authority. That's a form of connection to the citizen that's extremely important," he said. "I'd love to talk more about this concept of using blockchain and physical mail to provide a quicker, more citizen-visibility on the vote as well as improving election authorities' performance and citizen assurance perspective.”
Emerging technologies like artificial intelligence, machine learning and "internet of things" pose great potential for efficiencies at federal agencies, but also new risks.
"What we're seeing a lot of is this emergence of tools based on AI and ML, in IOT and analytics across the board as an enabler," said Frank Briguglio, global public sector strategist at SailPoint, during the ATARC summit. "It's also introducing risk, and I think we need to wrap our arms around the things touching our networks. In this space, I think AI/ML is something that we'll continue to grapple with as an enabler and risk in our environment."
Regardless of what new emerging technologies federal agencies explore, Federal Aviation Administration Electrical Engineer Marvin Woods thinks the core of cybersecurity comes down to culture.
“There needs to be an emphasis on culture,” he said at the summit. “Cybersecurity has to be equivalent to physical security in the workplace. I think through positive reinforcement we need to encourage people to let them know, you're looking at that data and it's the same data you look at every day, but it's valuable, and someone wants it for good and bad reasons. If you manage data, you're an important part of cybersecurity.”
When exploring new technologies, IT professionals don’t always think about the security risks partly because, “I think we think of cybersecurity as a science fiction thing,” Woods added. Sometimes federal agencies think of cyber threats as a future problem, and don’t address the risks here and now. As cyber priorities keep getting shifted to the back burner of federal priorities, cyber risk increases.
“That’s a threat, but it's a threat someday in the future,” Woods said. “The future could be tomorrow or five years in the future or 24 months from now. So let's start the discussions about the practices we need for whenever that threat or risk may be.”
As federal networks and agencies prepare their infrastructure for 5G capabilities, Sritapan emphasized awareness around different risk profiles and security standards for devices and 5G itself.
“In the mobile space there's two parts: the 5G part, but [also] mobile app security,” he said. “Traditional enterprise mobile security, best practices, whether developing mobile apps, provisioning devices, hardening devices, mobile threat defense, all of those are still foundational. They are distinctly different in the mobile environment in terms of what you can do on a mobile operating system versus a desktop. They function differently, the architecture is different.”
5G security standards aren’t set in stone yet, either. The Federal Mobility Group, for example, is exploring 5G testing methods and security, and NIST is working with industry to develop security standards as well.
“If you think about 5G today, there are 3GPP standards that are occurring,” Sritapan said. "Security is not required for telecommunications technology. It's up to the carrier to implement [security standards]. You've got to keep in mind even if they put everything on there, there's still a gap. We have to understand that as the technology develops, it's either going to make it more secure, but are all those features turned on or are we bringing in new vulnerabilities?”
Until federal organizations and industry come to a final agreement on 5G security standards, he said, federal agencies need to stay on top of the cybersecurity basics like monitoring assets and authorizations, identity management and patching.
“Stick to the basics. From a short-term strategy, you want to get your house in order,” he said. "Long term, if you look at the national strategy to secure 5G efforts, there's a lot going on there.”
Correction: An earlier version of this story misrepresented a quote about 3GPP. It has since been corrected.