Defense-Focused Agencies on Defending Cyber Attacks

Throughout 2021, remote work solutions introduced opportunities for bad actors to infiltrate networks. Amid these vulnerabilities, some agencies are rethinking strategies around cloud, zero trust and multifactor authentication to secure their networks.

“There’s a lot of awareness that an end user has to have, and that’s changed,” said Department of Homeland Security CISO Kenneth Bible during the Billington Cybersecurity Summit last week. “While it’s always been important, it’s even more important in a telework environment.”

This is why security approaches specific to cloud and also zero trust measures to security are critical.

The CIA is working with a cloud-based, software-defined network architecture, making it more difficult for adversaries to gain access to it, said CIA Associate Deputy Director of Digital Innovation Neal Higgins. Zero trust is also enabling the data to essentially “protect itself.”

“The number one thing organizations can do is create a culture of security to recognize that information and data is an organization’s most valuable asset,” Higgins said at the event. “In many ways, moving to a cloud-based, software-defined network architecture allows you to make it harder for adversaries to gain access and maintain persistence … zero trust certainly assists. If the data protects itself … you don’t have to worry about maintaining the moat at the castle walls; you’re protecting the data.”

Multifactor authentication is also a necessary security measure in cloud-based environments.

“If you’re not using multifactor authentication now, if you’re not really looking at micro segmentation of your networks and … minimizing access to key parts of the network … you’re definitely at risk and behind the curve,” said U.S. Cyber Command Executive Director David Frederick.

CYBERCOM is a unique agency in that its systems include those on submarine operations and also undersea fiber optic cables — locations that are physically susceptible to cyber threats because of their austere environments.

To combat these challenges and vulnerabilities, Frederick said organizations should treat cybersecurity as a core business function as opposed to a “risk to be managed,” which requires a mindset shift. Organizations have to understand who and what is on their network and implement continuous monitoring.

“The key to effective monitoring is understanding data flows, through using allowlisting or similar tools, to affirm information that’s leaving a given network, as well as know what software is running,” Frederick said. This ties to the phrase “trust but verify.”

“The example I would give is that the [Defense Department] information network had SolarWinds installed in multiple places, but we suffered no losses or infiltration of data because we had the ability to quickly operationalize and take action quickly and mitigate those risks,” Frederick said.

Critical pieces to cloud security include critical infrastructure and software supply chains — two areas CIA is prioritizing. Supply chain is so critical because so much of the functionality is deployed as code, so even infrastructure as code in the cloud becomes a vector for attack, noted Bible.

Plus, the increased use of personal devices introduces another set of threats. This includes “smishing,” which is when bad actors use SMS messaging to take advantage of vulnerabilities — something Bible said DHS is taking a closer look at.

“It goes back to user awareness,” Bible said. “Phishing attacks are getting much more sophisticated, and it has extended over to our personal devices. Even using things like smishing [has become] a vector for launching an attack, so there’s a combination of technical things that we’ve learned and a visibility to the fact that as we go forward we have to tighten up the supply chain, as well as just user awareness. We’ve gotten used to having what we want, when we want it, and there is a risk associated with that.”

All in all, successful cybersecurity strategies require a cultural shift that requires collaboration.

“We have to develop much better information-sharing models between industry and government to make sure we can rapidly understand threats, encourage companies to share information and encourage companies to collaborate,” Frederick said.