Cyber leaders say federal agencies should break down information silos, centralize their cyber operations, and use data to drive security decisions in order to barricade their networks against hackers.
Agencies “have made tremendous progress” on strengthening their defenses in the past few years, but cyber criminals and nation-state actors are becoming “more sophisticated and brazen," said Matt Hartman, deputy executive assistance director of cybersecurity at the Cybersecurity and Infrastructure Security Agency.
“We ended 2020 facing one of the most sophisticated supply chain compromises to date,” Hartman said during ATARC’s Cybersecurity Innovations Summit last week, referring to the SolarWinds breach. “We're seeing a ramp-up in frequency and complexity of an already concerning cyber landscape.”
SolarWinds headlined one of three emergency directives issued by CISA in the past six months, signaling an unprecedented uptick in cyber activity compared to previous years. Hartman advised federal agencies to step up information-sharing with CISA regarding vulnerabilities and incidents. The sooner CISA knows what’s happening, the sooner CISA can warn other entities, provide guidance and help secure networks.
Private and public sector collaboration is another imperative.
“We need to remove barriers to information-sharing in the government and private sector,” Hartman said. “Industry is often uniquely positioned to see vulnerabilities or breaches first. IT service providers need to share information with the government and even be required to do so in the event of certain breaches.”
Federal agencies migrating their IT operations to the cloud face potentially higher cyber risks as they relearn cybersecurity within the context of the cloud.
Shane Barney, CISO at Citizenship and Immigration Services, said the agency's shift from legacy IT infrastructure to the cloud prompted him to rethink cybersecurity in terms of security versus risk operations.
Data-driven decision-making is a buzzy phrase for federal agencies modernizing their IT, but Barney challenged federal agencies to apply that same principle to their cybersecurity operations.
“Your security has to match (your scale and scope), so we have a very proactive risk-based organization,” Barney said. “Data-driven security, this is more behavioral-based like threat-hunting, but extending those not just to specialized teams but across your security enterprise. Start with your system operators and give them toolsets and techniques to do threat-hunting at all levels.”
USCIS leads DHS components in its adoption of Agile methodology and DevSecOps, from which Barney learned an important lesson about preventing cyber information silos.
“Something we got from the Agile development world is feedback loops,” he said during the ATARC event. “Ensuring all these processes have some sort of feedback into an organization for security ops. This really drives home the point of automation. Data in the cloud is immense. We take in eight terabytes of data in a single day. Automation becomes critical to your operations.”
Barney began building a cyber threat intelligence platform two and a half years ago, which helped USCIS centralize cyber ops and weather the effects of the SolarWinds breach. Constantly innovating your security program is a must, Barney said.
“The need to innovate within security is so critical,” he said. “We have a bad tendency to say, 'Oh this is a good tool, we'll use it for the next 25 years,' and it becomes obsolete well before then. Checkboxes don't equal security. That shouldn't be a hallmark or an indication of how secure something is or is not.”
One of the major cyber challenges facing federal agencies as they migrate to the cloud is open source code risk. Federal agencies now worry less about hardware risks, but need to worry more about software risks and software supply chain security.
“Code is also a part of the supply chain, we've leveraged a lot of open source code in our organization and have had trouble with that,” Barney said. “That becomes a really critical area you have to watch out for. We had a couple of close calls there.”
Chris Butera, technical director for cyber at CISA, said federal agencies should focus on basic cyber hygiene measures and information-sharing before addressing their cloud software supply chains.
“The federal government has renewed momentum in addressing this,” he said during the ATARC event. “What we try to do for all organizations is take a resilience-based approach to cyber incidents. If you can contain that cyber incident from spreading to your entire enterprise, recovery can be much quicker, as well as having a plan to operate if your IT enterprise is not possible.”