The Department of the Air Force and the Cybersecurity and Infrastructure Security Agency (CISA) are implementing new programs and services to secure critical data, balancing targeted modernization strategies to upgrade aging IT infrastructures with new security approaches such as zero trust.
“Organizations are often underfunded and understaffed when it comes to this aging IT infrastructure, so it's hard to patch it, update it — if it's able to be patched and updated. It's hard to upgrade it because a lot of these organizations are running legacy systems. It's just hard to get on top of that vulnerability process,” CISA Cybersecurity Advisor Jason Burt said during GovCIO Media & Research’s CyberScape: Insider Threats event Thursday. “The silver lining behind some of these ransomware attacks that we've seen throughout the country is that [organizations] are starting to take more of a proactive approach.”
Air Force CISO Aaron Bishop said one of the biggest challenges he faces is modernization and security at scale. The service has the largest footprint of facilities around the world in the Defense Department. To capture the value of zero trust, Bishop said he’s focused on interoperability to provide the right data at the right time. Effective and resilient communication is the crux of the push for interoperability.
"I've got over 150 mini cities running around the globe that I have to worry about. And when I say mini cities, I mean everything about it. I run airports, housing, food, sewer, utilities, security, you name it, for these little cities all over the world. And for everything from information systems to operational technologies, I have to worry about not only the cybersecurity aspects of it, but modernization and upkeep. Then, more importantly, as we change from independent mechanical systems to highly connected data systems ... I have to do the upgrades in a very deliberate way,” Bishop said.
To improve connectivity and speed up data processing, the Air Force is turning to software-defined wide-area network (SD-WAN), which offers increased data rates, reduced latency, anti-jam abilities, low probability of intercept or detection and scalability.
“That's the way we're approaching it from a network SD-WAN perspective. From a data perspective, it's more about where and what types of data do we need to collect, and where do we need to be able to move it again, to our own location, our purpose at a time and place of our choosing? That's what we're focused on from those parameters,” Bishop added.
Additionally, Air Force CIO Lauren Knausenberger is spearheading the Race to the Cloud program, which prioritizes modernization, financial efficacy and improved visibility across the interoperability of all its missions, communities and bases in both air and space. This effort focuses on onboarding legacy systems to cloud instances to drive standardization, improve monitoring and align with the recently released Zero Trust Roadmap.
“The ultimate goal is to get that data in a place and an understanding intact properly, so that we can go from any place we exist today to someplace we don't know we need to be tomorrow, should we have to move our operations somewhere else. So that's the focus of Race to the Cloud regardless of which mission,” Bishop said.
Agencies are developing similar new solutions and programs to take a proactive approach to cybersecurity and be more resilient and responsive to emerging threats.
CISA offers a range of services to help mature organizations’ cyber postures, including its Known Exploited Vulnerabilities Catalog, cyber hygiene vulnerability scanning and NIST-based cybersecurity assessments. Burt said CISA takes a two-pronged approach to its services, focusing on strategic and tactical offerings.
“We do NIST-based cybersecurity assessments ... where we break down an organization’s cybersecurity program, go through a whole series of questions across all 10 domains of cybersecurity, and we provide them with a report with options for consideration based on the NIST Cybersecurity Framework best practices. So, that's really looking at it from a strategic level. From a tactical level, we have vulnerability management services. We also do penetration tests. ... We have a whole host of other services that we offer through our vulnerability management team in order to work with partners that may not have the budget to hire these third-party vendors to better shore up their cybersecurity,” Burt said.
For fiscal year 2023, CISA will focus on four priority areas: water and wastewater, K-12 education, health care and public health, and election security. To support these areas, the agency plans to increase collaboration with the private sector, especially as it defends against more formidable threat actors targeting election systems and critical infrastructure.
“We're taking baby steps toward that goal, but I definitely think we're headed in the right direction,” Burt said.