In our hyperconnected world, cyberthreats against federal agencies are increasing in frequency, sophistication and impact, exposing to attack the vast amounts of sensitive data housed on government IT systems and the nation’s critical infrastructure, such as airports, hospitals and power plants. These threats often pose a greater danger than physical attacks on our nation and are incredibly difficult to identify.
Each day, the Department of Defense, which protects our national security and terabytes of some of the country’s most sensitive data, thwarts 36 million email breach attempts. With new threats every day and criminals who regularly diversify their attacks, experts predict cyberattacks will get worse before getting better. Federal agencies, like the DoD, can turn the tide on the battle now by rethinking how to best prioritize their spend, time and talent to more nimbly detect hackers and prevent future threats.
As recent events like the Russian meddling during the 2016 U.S. election and the Baltimore ransomware attack last month confirm, the United States faces an array of cyberthreats from digitally savvy terrorists, criminals, hacktivists and foreign adversaries who are looking to cause disruption or erode U.S. national security. Despite this persistent and dangerous threat, research shows that many federal agencies have yet to adopt standards and strategies to shore up their cyber defenses.
A January report from the Pentagon’s Inspector General found hundreds of vulnerabilities within the DoD ranging from the serious to the mundane, like the failure to use strong passwords and encrypt USB drives. That said, the DoD’s global network is host to millions of devices and employees, and monitoring it all for cyberthreats is an important and massive undertaking. Rather than try to boil the ocean by throwing time, talent and tools at the problem, here are four key areas we recommend the DoD prioritize to boost its cyber readiness and detect vulnerabilities in real time:
- Break down silos to improve information sharing. The DoD is already taking proactive steps to address this by adopting a culture that encourages “cyber fluency” and exploring cloud environments to provide flexible and scalable resources. However, in a rush to gain cloud capabilities, many departments and components within DoD have deployed single- and multi-cloud environments within silos. This has led to multiple disparate and disjointed clouds across the agency. The department has taken promising steps to streamline its cloud environment through the to-be-awarded Joint Enterprise Defense Infrastructure (JEDI) contract.
- Tighten control of the contract process to limit vulnerabilities. The DoD recently tightened the cybersecurity standards contractors need to meet in order to do business with the Pentagon to help strengthen everyone’s cybersecurity posture. The Pentagon said it will seek solutions that are affordable, flexible and robust and cut procurement times for software and hardware to keep pace with the rapid advancement of technology. Additionally, the DoD says it will identify opportunities to procure scalable services, such as cloud storage and expandable computing power, to ensure that its systems keep pace with commercial information technology and can scale when necessary to match changing requirements.
- Implement a process for ongoing assessment and real-time monitoring. In 2013, the Department of Homeland Security launched the Continuous Diagnostics and Mitigation (CDM) program with the goal of allowing agencies to monitor their IT systems and respond almost instantaneously to vulnerabilities. Core to this program is the ability to detect, prioritize and mitigate cyberthreats based on how severe they might be. With the help of automated tools like real-time analytics and decision dashboards, agencies participating in DHS’s CDM program can generate visibility of their full attack surface in hours — a task that previously took two weeks to interrogate and understand. This visibility helps the DHS secure over 5.4 million network-connected devices across the federal .gov networks. Similarly, creating a process by which the DoD had a consolidated view of threats across its global network and IT systems would enhance its capabilities to diagnose and mitigate vulnerabilities.
- Cultivate a strong cyber workforce. Like the private sector and other federal agencies, the DoD has struggled to maintain cyber talent in recent years. A recent survey of 250 senior technology decision-makers found 83 percent have open cybersecurity positions to fill at their company, with 72 percent saying it is particularly challenging to identify and hire new, high-quality cyberwarriors — like advanced threat hunters and reverse malware engineers. To stay competitive in the talent race, nearly half (47 percent) admitted to prioritizing incentives like more competitive compensation and benefits (54 percent) over paying for additional education, training and other forms of professional development. To effectively and sustainably address the cyber talent gap, agencies should take a multidimensional approach whereby employees are equipped with well-defined career paths that allow vertical and horizontal movement to gain differentiated experience, as well as diverse and experiential modes of training like Capture the Flag events.
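The detect, prioritize and mitigate loop described under the continuous-monitoring recommendation above can be illustrated with a small script. This is an added example and not code from the article, from the DHS CDM program or from any of its tooling: it takes two constructed scan snapshots of a three-asset inventory, reports which findings are new since the last snapshot (detect), ranks every finding by a risk score that combines severity, network exposure and asset criticality (prioritize), and emits the findings that exceed a threshold as a mitigation queue. All asset names, vulnerability identifiers, scores and weights are constructed placeholders.

```python
"""Severity-based prioritisation over a constructed vulnerability-finding feed.

Added example, not part of the original article or of the CDM program's tooling.
Asset names, vulnerability ids (VULN-xxxx placeholders, not real CVEs), CVSS
scores and weights are all constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str        # placeholder id, not a real CVE
    cvss: float         # CVSS base score, 0.0 to 10.0
    internet_facing: bool


# Constructed asset criticality: 1 = low, 2 = important, 3 = mission critical.
ASSET_CRITICALITY = {"web-portal-01": 3, "file-share-07": 2, "kiosk-12": 1}


def risk_score(f: Finding) -> float:
    """Combine severity, exposure and asset criticality into one ordering key.

    Internet-facing assets get a 1.5x exposure multiplier; unknown assets are
    treated as low criticality so they are never silently dropped.
    """
    exposure = 1.5 if f.internet_facing else 1.0
    return round(f.cvss * exposure * ASSET_CRITICALITY.get(f.asset, 1), 2)


def new_findings(previous, current):
    """Detect: findings present in the current snapshot but not in the last one."""
    seen = {(f.asset, f.vuln_id) for f in previous}
    return [f for f in current if (f.asset, f.vuln_id) not in seen]


def prioritize(findings, threshold=15.0):
    """Prioritize: highest risk first, keeping only findings at or above threshold."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(risk_score(f), f) for f in ranked if risk_score(f) >= threshold]


def triage(previous, current, threshold=15.0):
    """One monitoring cycle: what is new, and what must be mitigated first."""
    fresh = new_findings(previous, current)
    queue = prioritize(current, threshold)
    return {
        "new": [(f.asset, f.vuln_id) for f in fresh],
        "queue": [(f.asset, f.vuln_id, score) for score, f in queue],
    }


# Constructed scan snapshots: the second one adds two findings.
SNAPSHOT_1 = [
    Finding("file-share-07", "VULN-0001", 7.5, False),
    Finding("kiosk-12", "VULN-0002", 9.8, False),
]
SNAPSHOT_2 = SNAPSHOT_1 + [
    Finding("web-portal-01", "VULN-0003", 6.1, True),
    Finding("kiosk-12", "VULN-0004", 5.0, True),
]

if __name__ == "__main__":
    result = triage(SNAPSHOT_1, SNAPSHOT_2)
    print("new since last scan:", result["new"])
    print("mitigation queue   :", result["queue"])
```

Note that the kiosk finding with the highest raw CVSS (9.8) does not make the queue, while a 7.5 on an important file share does: ranking by severity in asset context, rather than by base score alone, is what lets a consolidated view turn a flood of findings into an ordered list of work.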
Cybercriminals — be they common criminals, hacktivists or foreign adversaries — have every incentive to interrupt, destroy or infiltrate federal agencies, and they are always trying. A robust cyber defense is not an end state that we attain but a goal that should constantly be pursued — one that requires constant reflection on what and where to prioritize.
Greg Decker joined Booz Allen Hamilton in 2006, where he has continuously evolved his role in the development of capabilities to continuously monitor and automate cybersecurity for government clients. Greg serves as the chief engineer for the firm’s Department of Homeland Security Continuous Diagnostics and Mitigation (CDM) program. Greg is a U.S. Military Academy graduate and holds an MBA from Johns Hopkins University, as well as Project Management Professional (PMP) and Security+ certifications.