A Primer for Federal IT to Protect Networks, Data
New federal agency leaders, along with the fresh crop of chief information officers, chief technology officers and chief information security officers, face formidable cybersecurity responsibilities when it comes to protecting federal networks and data against a growing number of dynamic threats. The chaos produced by last month's WannaCry ransomware attack was just a taste. Many of these government leaders soon will discover the infrastructure they must defend is extremely heterogeneous, consisting of a wide variety of hardware and software, and most federal enterprises have a large percentage of legacy systems that have unique cybersecurity challenges.
For those agency heads tasked with ultimate accountability for managing cyber risk under the presidential executive order signed May 11, the good news is that many federal technology leaders are selected because they don’t shy away from challenges. Their approaches hold great promise in improving cybersecurity and reducing digital risk.
These new tech leaders also can benefit from lessons learned following the cybersecurity reawakening after the 2015 Office of Personnel Management (OPM) data breach. That hack gave way to many initiatives that raised the bar on federal cybersecurity, including a “cybersecurity sprint” to reduce digital risk as quickly as possible. Agencies have noted progress on topics such as multifactor authentication, the Continuous Diagnostics and Mitigation (CDM) program, the use of independent/external verification and validation of security posture, and the use of cybersecurity best practices such as those outlined in the National Institute of Standards and Technology (NIST) Cybersecurity Framework. In fact, last month's cyber executive order requires that all federal agencies immediately adopt the NIST framework.
Still, much work must be done to mitigate the constantly shifting cyberthreat. So much so that White House homeland security adviser Thomas Bossert asserted that safeguarding federal networks and data is his number one priority. He added that the administration already has waded through 15 recent reports on cybersecurity—from the Center for Strategic and International Studies’ Cyber Policy Task Force report to the Commission on Enhancing National Cybersecurity—and 175 more recommendations. Furthermore, President Donald Trump’s 2018 budget blueprint calls for “a suite of advanced cybersecurity tools and more assertive defense of government networks.”
Using natural laws for data protection
Technology leaders and career IT professionals leading agency cyber change have a great ally in their pursuit of enhanced digital defense. The commercial sector has been innovating for years to address key cyber challenges. This includes new approaches that lay the groundwork for dramatically reduced risk: a trusted security foundation. This unique, well-conceived approach begins as close to the fundamental laws of physics as can be, relying on quantum effects to generate encryption codes. Agencies can leverage quantum effect-based encryption plus advanced key management to encrypt all data holdings, a layered protection that has not existed in the federal sector to date.
Encryption is a fundamental tool to protect data. Data encryption transforms information in a way that only authorized parties can read it, thus decreasing the hackability and exploitability of sensitive information. While encryption isn’t a defense against ransomware attacks such as WannaCry, it does ensure attackers don’t have access to stolen data any more than their victims do. Also, many incidents such as the OPM attack could have been thwarted with enhanced encryption.
One challenge in any data encryption implementation is setting up the right structure to properly manage the encryption keys and policies. Encryption and key management solutions would have prevented the White House leaks as they provide protection against other threats, including the insider threat, and visibility into how the information is used by authorized users for added compliance benefits.
In cryptography, a key is a variable value applied using an algorithm to a string or block of unencrypted text to produce encrypted text, or to decrypt encrypted text. Most security applications today use “pseudo-random” numbers to generate keys, even though those numbers truly are not unpredictable and have been linked to multiple breaches.
The new federal IT leaders and the agency heads they support have their plates full. They must modernize and innovate while reducing digital risk. Fortunately they can put a trusted security foundation based on quantum effects on their side.
Bob Gourley is a co-founder and partner of Cognitio and publisher of CTOvision.com and ThreatBrief. His first career was as a naval intelligence officer and he was the first director of intelligence (J2) at the Defense Department’s cyber defense organization JTF-CND. Jane Melia is vice president of strategic business development at QuintessenceLabs, a provider of quantum cybersecurity solutions and maker of quantum random number generators. The views expressed are their own.