Michael Friedrich, October 15, 2021
Federal Cybersecurity: Are We Doing Enough?
Whether it is a report of top vulnerabilities released by the Cybersecurity and Infrastructure Security Agency (CISA) on what seems like a weekly basis, or yet another bipartisan report from Congress on the state of federal cybersecurity, the message remains the same: we simply are not doing enough.
In particular, the bipartisan report, titled Federal Cybersecurity: America’s Data Still at Risk, details a continuing lack of protections for PII, failure to adequately protect legacy systems, lack of patching, and inadequate process and management for classified information access … and more. In one example, an agency was noted to have no records for over 14,000 IT assets. All of this leads to one conclusion: breaches like those we have seen in recent months are not going away, and the attack surface is target-rich for adversaries.
And, during October, as we all participate in activities recognizing Cybersecurity Awareness Month, the time is NOW for a call to action. U.S. federal government agencies need to immediately do the following:
- Initiate full inventories of all devices, services, and users
- Fully enable tools to drive discovery and classification of all services and users
- Patch all servers and devices that need patches (or remove them from the network until they are patched)
- Get multi-factor authentication (MFA) in front of all legacy and high-value information systems
- Require all cyber tools to expose a REST API so that tooling can interoperate in a highly interactive way
- Develop standards for the industry partners supporting government to reduce supply chain attacks, such as those on SolarWinds and the Colonial Pipeline
- Require robust, automated reporting on the cybersecurity hygiene of supply chain vendors
- Be unafraid to walk away from solutions that are not cutting it anymore
Finally, I would argue the most important cyber strategy and tool(s) U.S. agencies need is a Zero Trust security strategy that follows a set of system design principles and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist inside and outside traditional network boundaries. The Zero Trust security model eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture via real-time information fed from multiple sources to determine access and other system responses.
The Zero Trust security model also assumes that a breach is inevitable or has likely already occurred, so it constantly limits access to only what is needed and looks for anomalous or malicious activity. Zero Trust embeds comprehensive security monitoring, granular risk-based access controls, and system security automation in a coordinated manner throughout all aspects of the infrastructure, focusing on protecting critical assets (data) in real time within a dynamic threat environment. This data-centric security model allows the concept of least-privilege access to be applied to every access decision, allowing or denying access to resources based on a combination of contextual factors.
The eight steps listed above should all work together once they are folded into a Zero Trust strategy: clarify, classify, and enable only the access that is needed. A Zero Trust tool, such as Appgate SDP, that can interact in near real time with the other tools that are scanning, patching, and so on gives federal government agencies more agility.
While it is fair to say that some budget considerations need to be contemplated, there also needs to be accountability for the waste that continues to happen every year. We need to stop doing the things that don’t work. Cyber threats continue to evolve; our nation’s cybersecurity therefore needs to be more agile to keep pace with them.
These breaches and issues will only stop when we stop repeating the same mistakes. The time for change is now.
For more on how our Appgate Federal Division is leading the way, please visit www.appgate.com/federal-division.