Who hasn’t seen the headlines about government infosec breaches over the past few years? Some of these stories have dominated the news cycle and caused much consternation, but there are important lessons to be learned.
Behind the headlines, a plethora of new requirements has strengthened the security of the .gov domain, including revisions to the National Institute of Standards and Technology’s security and privacy rules for federal computer systems.
But there’s always room for improvement. Here’s what we think could be done.
Continue to Look Forward, Not Back
The National Institute of Standards and Technology (NIST) published its latest revisions to its security controls for U.S. federal systems in August 2017, laying out recommendations that can be extended to and applied at all kinds of organizations with interconnected systems (which, at this point, is every organization!). Stay tuned for more revisions to come from NIST throughout 2018.
NIST’s guidance is forward-looking and designed to be applied widely, with a continuing focus on security and a new emphasis on privacy. The controls extend to the Internet of Things, creating a security roadmap for technologies that haven’t been developed yet.
This progressive approach, prioritizing IoT, offers an important lesson. Focusing on IoT is crucial as technology systems evolve in parallel with public infrastructure across the country. Developing these security and privacy frameworks for systems that may not require them yet ensures that they can be put in place early, tested, and adopted widely. For example, a city that plans to implement smart grid technology by 2030 should begin to plan now for key smart grid security protocols that will be important for decades to come.
Establishing controls preemptively rather than retroactively offers a better chance for success — and a guard against failure. Eventually, the technology itself may become predictive and forward-looking. In the meantime, our human-created plans must lay the foundation.
Create a Plan That Focuses on Outcomes
Another important lesson to be gleaned from NIST’s latest revisions is the shift to making security and privacy protocols more outcome-based, consolidated, and unified. To implement cybersecurity policies effectively, government agencies can follow this guidance by developing outcomes-based plans.
When outcomes are defined and put into place early, the method of applying the plan can stay flexible: it holds up no matter which new technologies arise, whether services are in-house or outsourced, and across varying timeframes and budgets.
The idea of creating an outcomes-based plan isn’t revolutionary, but it does need to be deliberately created and carried out. It’s easy to give in to the temptation to develop a plan that outlines specific tactics and ignores the overall approach. Rather, the action items should grow out of the outcomes-based plan.
Improve Authentication Protocols
Passwords are vulnerable at organizations in any industry, but it’s particularly alarming to see how many breaches of government systems have occurred through phishing scams in which users offered up their password credentials without detecting the attack.
While government infosec leaders have focused on multi-factor authentication and other protocols, more can be done. For example, rather than using two-factor authentication with SMS delivery of one-time codes, which is notably vulnerable but still in use at many agencies, dedicated authenticator apps like Google Authenticator can generate time-based one-time passwords on the device itself, so the code never travels over the phone network. Other authentication methods, like those that use biometrics (think fingerprint and face scanners), should be explored and implemented depending on the agency’s specific needs.
And as with private companies, the weakest link in the secure authentication chain is the human entering their credentials. Training end users is not always effective; federal agencies should treat cybersecurity practices as part of an overall mindset shift, one that involves thoughtfully implementing customized solutions that work for users rather than challenging them or inhibiting their work. Meanwhile, ensure your IT staff is up to speed on best practices for building workforce security awareness.
While particular areas of focus will vary depending on the organization, all agencies can benefit from creating forward-looking, outcomes-based plans that focus on guarding against security threats and responding effectively. And no matter what tactics are decided upon as the outcome of the plan, authentication should be a major component. With this mindset, dotgov infosec can continue to evolve and protect the most sensitive data.