In 2011, the Department of Homeland Security attempted to address the long-standing cybersecurity needs of federal agencies by launching CyberStat. DHS cybersecurity experts collaborated with agencies to develop focused action plans to improve their information security posture.
However, CyberStat sessions faded away, and the biggest problem, that agencies could not measure risk accurately through intra-agency efforts, became more evident. Congress then passed the Federal Information Technology Acquisition Reform Act, known as FITARA, which gave the CIOs of federal agencies authority over their agencies' IT investments and introduced scorecards to monitor the security and IT performance of the major agencies.
Fast forward to 2020, and the Cyberspace Solarium Commission recommended an Office of Cyber Statistics to collaborate with the National Institute of Standards and Technology to "identify and establish significant metrics and data needed to measure cybersecurity and risk reduction in cyberspace."
In retrospect, the most significant obstacle to progress in cybersecurity is not the technical challenge or even the workforce and skills gap: it is a weakness in the ability to measure. The attention of most federal agencies is devoted to compliance or to the metrics that populate the dashboard and, to a lesser extent, to more accurate and detailed data.
Measurability is important
If the federal government cannot accurately measure the security data it collects, the risks will remain unknown and pose dangers to our nation's cybersecurity posture. Cyber metrics typically answer one of three questions: how secure a network is (a baseline), how that security can be documented (compliance), or how it can be improved (gap analysis and targeted improvement).
According to the National Institute of Standards and Technology, organizations struggle to systematically measure the impact of their cyber investments. Agencies invest in security, find threats, and generate data on the use of various security tools and policies, but have difficulty measuring return on investment or quantifying the potential value of different improvement options.
There are also activities such as physical security and hands-on IT support (staff who typically handle password management and maintain inventories of IT assets) that directly affect cybersecurity, but which federal agencies do not reflect in their cybersecurity budgets. These activities are usually excluded because they are performed by other parts of the organization, so their contribution to cybersecurity goes uncounted. This means that the total investment (the "I" in ROI) is understated. Whether this missing data is relatively minor or a significant sum probably varies by agency.
Information professionals, both CIOs and CISOs, typically focus on measuring the impact on information security, usually in terms of confidentiality, integrity, and availability. Some federal agencies struggle to translate these information-focused measures into terms of mission impact and, ultimately, into terms of risk.
Paving the way for public-private cyber partnerships
As federal agencies try to manage risk, identify the ROI of cybersecurity and IT improvements, and continue to invest in digital transformation, it’s time to leverage the capabilities of the private sector and build public-private partnerships (P3) focused on the mission.
In this case, federal agencies should take advantage of P3s to make security the default condition of information and communications technologies as it becomes increasingly important in our lives, prosperity, and national security. P3s can help examine third-party risk, minimize exposure to network security through a modern threat model, and help develop and implement cyber deterrence strategies. As a recent example, the Trusted Internet Connections 3.0 Test Lab and the Advanced Technology Academic Research Center partnered with 10 companies for agencies to accelerate the creation and adoption of more useful guidelines on the implementation of network security technologies.
While some may criticize the value of public-private partnerships or question the motivations of private sector participants, both parties are key stakeholders in ensuring that we focus on cybersecurity for the customer or individual citizen, for the organization, whether a company or a government agency, and for the nation. These relationships also help ensure that the government is able to leverage the solutions and lessons learned from the private sector rather than "reinventing the wheel" at the expense of both time and money.
There is considerable recognition of the need for these opportunities for collaboration, both within government and with the private sector. For example, the FBI, which recognizes that no agency can combat cyber threats alone, leverages the capabilities of the private sector in its cyber strategy. The President's National Infrastructure Advisory Council (NIAC) completed a study that recommended the creation of a center to improve the sharing and real-time processing of public and private risk data, and the bipartisan Solarium Commission acknowledged that operational cybersecurity cooperation with the private sector would be a key component in enhancing national cyber resilience.
A mass migration to zero trust
As the threat landscape grows, federal agencies can no longer delay the implementation of the zero-trust model across all of their networks. Zero trust is a concept first created and implemented in government. However, some federal agencies are still struggling with the implementation process or, in some cases, do not know how far they have come in their large-scale adoption.
While progress can be made through static deployment, such as segmenting networks and establishing user and access categories, to be fully effective zero trust must be implemented dynamically, so that it operates in real time and adapts to changing organizational needs. For example, many federal agencies had to move to remote work, which drastically transformed both operations and the threat landscape.
Zero trust is based primarily on the visibility, control, and protection of IT resources. Mass adoption and implementation of zero trust among federal agencies can be accelerated through the adoption of the NIST Zero Trust Architecture and agencies' recent initiatives to create reference policy templates, patterns, libraries, and implementations that can help ensure an agency implements zero trust in a standard way across the entire organization and across all networks, endpoints, and clouds.
A secure and scalable cyber future
Experienced cyber leadership and a genuine understanding of how to leverage government experience and private sector capabilities are the most innovative and impactful investments that agencies can make, both internally and in collaboration with the private sector, to safeguard critical infrastructure.
There is no silver bullet for scaling and improving federal cybersecurity. However, the combination of relevant and actionable cybersecurity metrics, faster federal adoption of zero trust, and enhanced P3 collaboration will have a transformative impact on modernizing the country's cyber posture, balancing risk, and accelerating progress towards a more resilient digital infrastructure.
Jim Richberg is Fortinet's public sector field chief information security officer.