As cyberattacks increase and the Biden administration draws attention to the threat, state and federal cybersecurity leaders met recently to discuss what it takes to effectively raise their defenses and how the federal government can significantly support this work.
Malicious attacks have become more frequent and more complex, causing the Cybersecurity and Infrastructure Security Agency (CISA) to issue almost as many cybersecurity emergency directives during the first half of fiscal year 2021 as it did in the previous five years combined, according to Matt Hartman, CISA Deputy Assistant Director of Cybersecurity.
Hartman spoke Wednesday during a virtual conference convened by the Advanced Technology Academic Research Center (ATARC), a nonprofit organization that aims to foster public, private, and academic collaboration on the challenges posed by emerging technologies.
State-level cybersecurity professionals said during the conference that they were focused on getting a more complete picture of their systems and where the vulnerabilities are, and on finding advanced technological tools and financial resources that could take their defenses to the next level.
MAKE FINANCING MATTER
Funding is a persistent hurdle for state and local agencies, which may have difficulty getting the money to implement the desired security upgrades.
However, the federal government is expected to open new streams of support; in one recent example, U.S. Representatives Yvette Clarke and Ritchie Torres will add $500 million in state and local cybersecurity aid to the American Jobs Plan.
Not all funding programs are created equal, and administrators need to remember that there is a difference between the budget for grants and the budget for grants that states can actually use. The impact of any financial infusion depends largely on the number of stipulations attached, said Vinod Brahmapuram, Washington state CISO.
All states are at different stages of cybersecurity upgrades and many may be in the midst of enacting multi-year plans for technology maturation. When funding is only available for well-defined use cases, state leaders can struggle to figure out how to make use of the money in the context of their current efforts, Brahmapuram said.
“If the state is not allowed to use funding opportunities to support the trajectory in which they are now, it is almost [to a] point that you don’t know how to incorporate this financing at all,” he explained.
Problems can also arise when federal funding is only made available to states if they make matching contributions, which Brahmapuram said can have the effect of pricing agencies out.
CHOOSE SAFETY RULES
Following optional cybersecurity standards may give agencies better guidance as they try to improve defenses, but the standards may not be one-size-fits-all, said Adam Ford, CISO of Illinois. While Illinois has found it useful to adopt the National Institute of Standards and Technology (NIST) Cybersecurity Framework at the state level, Ford said it recommends that localities follow a different set of guidelines for their risk assessments.
The state is focused on making cybersecurity as simple and accessible as possible for localities, Ford said, and that means reducing the recommendations to a few steps. This led the state to encourage localities to follow the Center for Internet Security (CIS) Controls, which comprise only 18 points.
For many agencies that want to increase security, the first step is to get better visibility into what their current weaknesses, blind spots and attack surfaces are, Ford said.
Several speakers said that artificial intelligence (AI), and machine learning in particular, can be powerful tools to help agencies maintain clear visibility of what is happening in their systems and where threats can arise.
Mark Dehus, senior information security manager at Lumen Technologies, discussed the value of using machine learning to monitor potentially vulnerable parts of a system, such as equipment that needs to be kept safe from malicious actors.
Intelligent automation systems can observe large numbers of entities and activities in a system to check for known types of attacks, and tools can work to surface only those potential threats that are serious enough to require human attention, and then alert staff about these cases. This may be essential to reduce staff threat detection workloads to manageable sizes, Dehus said.
Using automation to filter out potential threats leaves specialists free to focus on what really demands their time, such as unusual events that could be new types of attacks, said Shane Barney, CISO of the United States Citizenship and Immigration Services (USCIS).
Brahmapuram also highlighted the potential of using AI technologies to analyze and identify the normal and expected behavior of particular systems and, by comparison, to flag activity that deviates from these patterns and therefore should be examined as a possible threat.
Efforts like these can help defenders detect and respond to new threats more quickly.
Many agencies have moved into the cloud, and in doing so will have to put developers at the forefront of their IT security teams, said Barney, who reflected on the lessons learned from USCIS’s transition to becoming almost totally cloud-based during the last decade.
“If you’re in the cloud, if your infrastructure is code, your security is code too,” Barney said. “You are changing traditional security analysts for development teams.”
Cloud-based organizations need to have security staff who have a deep understanding of the code and can recognize when something is wrong.
The rapid pace of development cycles makes it much more important for agencies to have security teams that can understand the potential risks associated with each new version of software in order to better anticipate threats, Barney said.