Although the OPM breach has been the major source of cybersecurity discussion over the past few months, it is certainly not the only issue that needs to be addressed. During the panel discussion at the NACo Summit we also covered topics like the White House Cybersecurity Sprint and how to better protect systems and data for the long term.
If you are not familiar with the White House Cybersecurity Sprint, it was a 30-day initiative meant to serve as a “quick fix”: a rapid review to identify which cybersecurity measures work and which do not across the U.S. federal government. The Sprint included four imperatives: patching critical-level software vulnerabilities “without delay”; tightening technical controls and policies for “privileged users”; dramatically accelerating the widespread use of “multifactor authentication”; and “immediately” deploying threat indicators. However, the Sprint did not address encrypting all sensitive data (a requirement OMB issued after the 2006 Veterans Affairs breach that exposed records on 26.5 million veterans) or performing security assessments of existing applications, both of which are also critical, in my opinion.
To close this gap, my first step to ensure systems and data remain secure would be an assessment to determine what assets exist and whether the organization keeps an inventory of those assets in which the data is categorized by sensitivity. Second, I would identify and analyze the risk to each asset based on its business impact. Third, I would develop a plan of action: a prioritized roadmap that fixes the most important risks first and the rest in order of priority as the budget allows. I would then position the organization to move to Security Intelligence, based on predictive cyber-threat analytics. As a final step I would implement a continuous improvement plan to take advantage of what is learned once Security Intelligence is in place, because, as we all know, risks and threats are always changing and the bad guys are constantly changing their methods of attack.
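To make the first three steps concrete, here is an added worked example (my own illustration, not code from the original post or from any agency) that takes a small asset inventory, scores each asset's risk from its data sensitivity, business impact and likelihood of compromise, and builds a remediation roadmap funded in priority order. The sensitivity scale, the scoring formula, the remediation costs and the sample inventory are all assumptions chosen to show the mechanics; a real assessment would substitute its own classification scheme and cost estimates.

```python
"""Asset inventory -> risk ranking -> budget-constrained remediation roadmap.
Added example; the scoring weights, costs and inventory below are hypothetical."""
from dataclasses import dataclass

# Assumed data-sensitivity categories, lowest to highest.
SENSITIVITY = {"public": 1, "internal": 2, "confidential": 3, "restricted": 4}


@dataclass
class Asset:
    name: str
    sensitivity: str            # key into SENSITIVITY
    business_impact: int        # 1..5: mission/financial damage if compromised
    likelihood: int             # 1..5: estimated chance of compromise
    unpatched_critical: bool    # critical patches still outstanding
    encrypted_at_rest: bool     # sensitive data encrypted at rest
    mfa_for_privileged: bool    # privileged access requires multifactor auth


def validate_inventory(assets):
    """Step 1 check: return names of assets whose data is not classified."""
    return [a.name for a in assets if a.sensitivity not in SENSITIVITY]


def risk_score(asset):
    """Step 2: risk = likelihood x business impact, weighted by data sensitivity
    (assumed formula; any monotonic scoring scheme works the same way here)."""
    if asset.sensitivity not in SENSITIVITY:
        raise ValueError(f"unclassified asset: {asset.name}")
    return asset.likelihood * asset.business_impact * SENSITIVITY[asset.sensitivity]


# Findings the assessment can raise: (condition, action, cost in budget units).
# These map to the Sprint imperatives plus the encryption gap; costs are assumed.
FINDINGS = [
    (lambda a: a.unpatched_critical, "apply critical patches", 1),
    (lambda a: not a.mfa_for_privileged, "enforce MFA for privileged users", 2),
    (lambda a: not a.encrypted_at_rest and SENSITIVITY[a.sensitivity] >= 3,
     "encrypt sensitive data at rest", 3),
]


def build_roadmap(assets, budget):
    """Step 3: order findings by the owning asset's risk (highest first) and fund
    each one that still fits in the remaining budget; return (funded, deferred).
    Each item is (risk, asset name, action, cost)."""
    work = []
    for a in sorted(assets, key=risk_score, reverse=True):
        for condition, action, cost in FINDINGS:
            if condition(a):
                work.append((risk_score(a), a.name, action, cost))
    funded, deferred, remaining = [], [], budget
    for item in work:
        if item[3] <= remaining:
            funded.append(item)
            remaining -= item[3]
        else:
            deferred.append(item)
    return funded, deferred


# Constructed sample inventory (not real systems).
INVENTORY = [
    Asset("hr-records-db", "restricted", 5, 4, True, False, False),
    Asset("public-website", "public", 2, 4, True, True, True),
    Asset("file-share", "confidential", 3, 3, False, False, True),
    Asset("dev-wiki", "internal", 2, 2, False, True, False),
]

if __name__ == "__main__":
    assert not validate_inventory(INVENTORY), "classify every asset first"
    funded, deferred = build_roadmap(INVENTORY, budget=7)
    for risk, name, action, cost in funded:
        print(f"FUND   risk={risk:3d} cost={cost} {name}: {action}")
    for risk, name, action, cost in deferred:
        print(f"DEFER  risk={risk:3d} cost={cost} {name}: {action}")
```

With a budget of 7 units, the three findings on the highest-risk asset (the restricted HR database) are funded first, the encryption work on the file share is deferred because it no longer fits, and the cheap patch on the low-risk public website is still funded from what remains. The point of the ordering is that the roadmap is driven by where sensitive data and business impact sit, not by which fix is easiest.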
Although the bad guys are constantly adapting their methods of attack, the biggest cybersecurity threat has been and will always be people. People have been identified as the weakest link at least since a Health and Human Services Office of Inspector General report in the late 1980s, whether the threat is intentional, like Snowden and Private Manning, or unintentional, via social engineering, phishing attempts, or plain carelessness such as sharing passwords with co-workers. To start solving this, organizations need “tone at the top”: the head of the agency or department emphasizes how important security is, people are held accountable when breaches occur, and training consists of more than just the annual course. One of our clients even held a stand-down in which work stopped for the day and everyone, from the CEO all the way down the organization, came together to discuss each person’s role in protecting the organization’s systems and data.
The White House continues to make strides in the right direction in the war against cyber threats (see the latest report on the progress made in implementing multifactor authentication for all users, and especially privileged users). My only hope is that all, and not just some, of the major vulnerabilities are addressed and corrected in order to prevent recurrences. Among these: all sensitive data must be encrypted; all systems and applications need to be patched promptly; and all personnel need to be trained in cybersecurity, and not just once. Furthermore, as threats adapt and become more complex, so does the need for advanced cybersecurity analytics, resulting in Security Intelligence. And government leaders need to continually emphasize that it is everyone’s responsibility to keep their agencies’ systems and data secure!