As digital transformation drives modernization (and increases the attack surface area), agency infrastructures are starting to evolve to protect against DDoS attacks impacting elections, health care systems and other critical infrastructure.
Government agencies are putting new cybersecurity plans in motion. For instance, in May, the Department of Defense released a new policy memo in an effort to restrict personal mobile devices inside secure areas of the Pentagon. That same month, the State Department released a report outlining new goals across the federal government aimed at improving cybersecurity. The Election Assistance Commission also revised the Voluntary Voter System Guidelines to combat growing digital threats. Even more recently, the Pentagon announced it is seeking a game-changing solution to thwart nation states from breaching DoD’s network — a desperately needed solution to combat the more aggressive attacks that threaten today’s critical infrastructure.
With these security changes making headlines, it’s clear government agencies are realizing traditional perimeter security must become a thing of the past. Agencies need to adopt zero trust security architecture, which means “verify and never trust.” It assumes every user attempting to access information has malicious intent and cannot be trusted. The only way to ensure government agency data, infrastructure and organizational networks are protected from growing digital threats of today’s connected world is with the zero trust model.
The votes are in: Motivations of today’s hackers
The media reports countless cases of malware, ransomware and nation-state hacking, among other tactics which aim to exploit weaknesses in legacy security architectures. It is evident that today’s targeted threats need to be proactively identified, blocked and mitigated by the Department of Homeland Security and state election departments.
However, to prevent the kind of cyberattacks that rocked the 2016 election or the cyberattack on Atlanta, local government agencies of all sizes need to implement policies and procedures to protect their critical systems from targeted attacks. Agencies also need to make election security a top priority during the midterms and heading into the 2020 elections, which is why DHS and the Election Assistance Commission are making moves to help states safeguard their voting systems and monitor tampering of election infrastructure.
Organizations can take a page from DoD’s book and begin tightening rules on using personal and unclassified government-issued mobile devices, or adopt the department’s solution to effectively block nation state attackers. By prioritizing a culture of cybersecurity and funding for cybersecurity policies and protocols, as well as adopting the zero trust security model, policymakers can better protect users, devices and applications from malicious activity.
Time to adopt a zero trust security model
In addition to policies and procedures, agencies should look toward the zero trust security model, where you assume every user is coming from a hostile environment, regardless of whether they are entering from inside or outside the network. Digital transformation requires government agencies to adopt this evolution in security architecture, as user devices, as well as applications and data, are moving outside the traditional enterprise perimeter and zone of control. The expectation has always been that users and applications inside a network are trusted, but the reality is that the users and applications have left the “inside.”
It will take time for organizations to migrate to this architecture. Even Google took several years to roll out its BeyondCorp zero trust implementation for its internal IT. Government agencies can follow suit, so long as they develop a roadmap and adopt a threat protection solution, one that will immediately block employees from accessing malicious domains and stop threats earlier in the security kill chain.
As more government agencies adopt the zero trust mindset, they can disrupt attackers’ dependence on easy lateral movement within their target environments. After all, evolving attacks only look sudden if you can’t see what’s happening behind the curtain. And, given the continuous growth in the number of mobile devices and the ever-growing amount of data, the time is now for federal government agencies to adopt this security model.
Patrick Sullivan is director of security technology and strategy at cloud service provider Akamai.