The current landscape of cybersecurity can be described, at best, as tumultuous. The last six months alone have shown the frequency, devastation and reach of modern attacks. Combined with what appears to be an inescapable skills gap, cybersecurity professionals are constantly behind the curve. This rings especially true for the federal government and those who work daily to keep our country’s information safe and nation-state hackers at bay.
Recent inflows of funds and requests to increase the Cybersecurity and Infrastructure Security Agency’s budget to better address the steady wave of cybersecurity issues may serve as a beacon of hope for some. However, increases in federal spending do not always equate to better solutions. As many information security professionals and intelligence officers can attest, a larger budget has many advantages, but it does not magically scale teams or counteract threats. In fact, according to McKinsey & Company research, there is no direct correlation between cybersecurity spending and the overall success of the program. While the intention to improve our nation’s cyber defenses is justified, past increases in budgets have produced little progress. It is time to take advantage of new resources, beyond cash, to address these issues directly.
A turning point in the industry
The United States has steadily dug deeper into its pockets for cybersecurity priorities, as nation-state attacks like SolarWinds exploit government agencies with ease and, even more recently, the Colonial Pipeline ransomware attack targets critical infrastructure and private companies at a fast pace.
The Biden administration has recently issued its cybersecurity executive order, which aims to protect federal agencies but also to secure private companies that contract with the government in any capacity. This development is a very welcome change and one that has long been expected for the federal supply chain. The order also demands higher standards for software development, emphasizes transparency and notification of potential attacks, and calls for systematic investigations into successful breaches. These are all steps in the right direction, and they break from the status quo when defending against sophisticated cyberattacks.
Threats do not discriminate by sector, so why do cyber defense teams not regularly work in a coordinated manner? As cybersecurity professionals witnessed with SolarWinds, adversaries did not limit themselves to either private or public sector networks. In addition, the industry even saw an unprecedented event, as the Justice Department announced a court-authorized operation to disrupt the exploitation of Microsoft Exchange servers nationwide. Responses like this should not have to be ordered by a court; they should be the team-oriented standard.
One way to achieve this successfully is through greater collaboration with the private sector. By restoring public trust and interest, leveraging existing untapped talent, and prescribing the latest training for cyber teams, industry professionals in both the public and private sectors can tilt the odds in their favor and perhaps reposition themselves to hold the advantage. Instead of reactively responding to attacks case by case, the federal government and private companies can use all of these resources to work proactively together to prevent attacks in the first place.
By developing this process to work with the private sector on both solutions and training, the federal government can simultaneously scale its cybersecurity staff, which has lagged behind its private sector counterpart. It is clear that leadership is trending in a positive direction in light of recent news from the executive order, but we must continue to create avenues where training tools for public sector professionals are easily accessible if we are to meet the needs of the mission and, finally, close the growing skills gap.
Practice, Practice, Practice
In theory, uniform training between agencies is a simple solution. Providing the most up-to-date resources to improve existing teams is a key component of building a solid defense. The Biden administration has called for recruiting and retaining technical talent that strengthens the national security and foreign policy workforce. However, this must go beyond recruitment alone to also include the training of existing talent within the public sector. Custom development, curated learning paths, alignment of training with industry standards such as the NIST Cybersecurity Framework and DoD 8140, and tailoring of training to specific roles ranging from the security operations center analyst up to the CISO are all ways to help scale the current federal cyber staff. Ultimately, well-prepared cyber professionals are complete cyber professionals, regardless of industry.
According to Manufacturing x Digital (MxD), the Department of Defense is spending more than $300 billion each year on government contracts. However, there is a caveat: the DoD 8140 directive (formerly DoDD 8570) requires that any contractor comply with specific training and certification provisions to ensure that sensitive data is secure. Applying these exact same requirements to internal staff would help secure systems, but doing so also requires the necessary resources. The qualifications required by DoD agencies are transferable and, more importantly, broadly useful.
If recent history has taught us anything, it is that the cybersecurity industry in general, and the federal government in particular, cannot continue to approach cybersecurity as it has in recent years. The federal government will never get ahead of the rapidly growing threat landscape until something more than additional funding is offered as a solution to the persistent problems affecting the industry. The best defense is a strong offense, and the federal government must begin to set an example for others to follow.
Jonathan Meyers is Chief Computer Officer and Chief Infrastructure Engineer at Cybrary.