Guest Blogs

This article is part of a series that explores zero trust, cyber resiliency and similar topics.

Over the past year or so, I’ve discovered the secret weapon that IT leaders of various U.S. government entities have deployed as they implement zero trust architectures. Their first step has been to create a comprehensive educational pathway for their workers. This is because no one can implement zero trust alone.

Zero trust: Only education can move you forward

More than just a technology focus, zero trust (ZT) is an invitation for all of us to think differently about cybersecurity. We are losing on the cybersecurity battlefield, and continued investment in more advanced versions of the same architecture patterns will not change that.

The novel 2034 by James Stavridis and Elliot Ackerman perpetuates a fundamental misunderstanding of how technology should be employed and managed in future conflicts.

The continuing narrative is that we should purposely degrade our systems in a conflict with a peer competitor because of the possibility of a degraded spectrum, cyber attacks, space-based detection and jamming. But if we preemptively degrade our technology in a peer conflict, we will lose.

In the novel, after a conflict with the Chinese Navy in which the U.S. technical systems were incapacitated, U.S. ships preemptively disabled “any interface with a computer, a GPS or [any interface] that could conceivably be accessed online.”

In the ever-growing and complexifying ecosystem of the Internet of Things (IoT), demand for connectivity is stronger than ever and only bound to intensify. Statista predicts that by 2025, there will be 38.6 billion devices connected to the internet, which will put even more pressure on organizations to monitor their infrastructures.

For system administrators, there are several obstacles to keeping pathways clear and the flow of data smooth. Here are a few of the most common roadblocks when it comes to IoT monitoring, as well as a few ways to overcome them.

Roadblock #1: Managing different interfaces for different devices

When it comes to nefarious deeds, the COVID-19 pandemic has been a gold mine for bad actors. In addition to wreaking havoc for individuals and healthcare organizations, federal agencies are also prime targets. Case in point: a portion of the Department of Health and Human Services’ (HHS) website was recently compromised, in what appears to be a part of an online COVID-19 disinformation campaign. 

In a time of heightened cyber risk and limited human and fiscal resources, how can agencies protect their networks from malicious actors by taking a page from the COVID playbook? They can diligently practice good (cyber) hygiene.

In fact, there is a direct correlation between personal and cyber hygiene.

The Department of Defense (DOD) is dramatically increasing its digital security expectations for defense contractors and subcontractors. Having been on both sides of the partnership between government and the public sector, I am happy to see DOD is not only raising the bar on cybersecurity but also providing guidance on the implementation of cybersecurity best practices within the defense industrial base.

The rising prominence of the Cyber branch in the U.S. military, and namely the Army, begs the question “What will the Cyber branch be used for?” Citing the Defense Department’s plan for the Cyber branch, as well as the Signal branch’s shifting roles in the realm of cyberspace, the responsibilities of both branches are becoming clear. It is evident that as time goes on, the Cyber branch will become focused mainly on the defense of the military domain and cyberspace.

By now, federal agencies universally recognize that data is an asset with seemingly limitless value as they seek to reduce costs, boost productivity, expand capabilities and find better ways to support their mission and serve the public.

By 2030, artificial intelligence (AI) is projected to add $13 trillion to the global economic output. In government, AI applications promise to strengthen the federal workforce, safeguard our nation against bad actors, serve citizens more effectively and provide our warfighters the advantage on the battlefield. But this success will require collaboration and advancements from government and industry.

Last year was a banner year for cyber fraud. In just the first six months of 2019, more than 3,800 breaches exposed 4.1 billion records, with 3.2 billion of those records exposed by just eight breaches. The scale of last year’s data breaches underscores the fact that identity has become the currency of the digital world and data is the fuel that powers the digital economy. What’s also clear looking back on 2019 is that digital identities are continually being compromised on multiple levels. 

Supply chain security has been of concern to government leaders for decades, but with attacks now originating in industrial control systems (ICS) from supply chain vulnerabilities and with an increasing reliance on the Internet of Things (IoT), Congress is stepping up its involvement. For example, legislators have promised that more stringent standards will soon be enforced.

When it comes to artificial intelligence (AI), the Department of Defense (DOD) has put a firm stake in the ground. The department’s AI strategy clearly calls for the DOD “to accelerate the adoption of AI and the creation of a force fit for our time.”

In every recent discussion I have had with government and defense leaders around IT modernization, the conversation quickly leads to cloud and its role in enabling agile ways of working for government. Many agencies have already developed cloud migration targets and are looking at how they can accelerate cloud adoption.

The response to the Chief of Naval Operations (CNO) Adm. John Richardson’s repeated request to “pick up the pace” of developing and implementing breakthrough technologies for our warfighters has gone, in my opinion, largely unheeded.

This is not the result of a lack of innovative solutions. A myriad of research and development programs exists to support the development of new technologies or to adapt existing commercial technologies to defense applications. Rather, it’s the result of an arcane acquisition process that is burdensome, expensive and lacking vision. Acquisition reform is where we need to pick up the pace!

More than a year has passed since the Modernizing Government Technology (MGT) Act was signed into law, cementing the establishment of a capital fund for agencies to support their special IT projects. The MGT Act prompted defense and intelligence agencies to accelerate the replacement of legacy systems with innovative and automated technologies, especially as they explore new ways to mitigate security risks like those experienced all too often by their private sector counterparts.

Open source containers, which isolate applications from the host system, appear to be gaining traction with IT professionals in the U.S. defense community. But for all their benefits, security remains a notable Achilles’ heel for a couple of reasons.

First, containers are still fairly nascent, and many administrators are not yet completely familiar with their capabilities. It’s difficult to secure something you don’t completely understand. Second, containers are designed in a way that hampers visibility. This lack of visibility can make securing containers extremely taxing.

Layers upon layers

Implementing a new system can be an exciting time, but the nagging questions and doubts about the fate of data you’ve literally spent years collecting, organizing and storing can dampen this excitement.

This legacy data often comes from a variety of sources in different formats maintained by a succession of people.
 Somehow, all the data must converge in a uniform fashion, resulting in its utility in the new solution. Yes, it is hard work and no, it is not quick. Fortunately, this scrubbing and normalization does not have to be a chaotic process replete with multiple failures and rework.

Artificial intelligence can be surprisingly fragile. This is especially true in cybersecurity, where AI is touted as the solution to our chronic staffing shortage.

It seems logical. Cybersecurity is awash in data, as our sensors pump facts into our data lakes at staggering rates, while wily adversaries have learned how to hide in plain sight. We have to filter the signal from all that noise. Security has the trifecta of too few people, too much data and a need to find things in that vast data lake. This sounds ideal for AI.

Historically, the U.S. Department of Defense (DOD) has been the driver of technological innovation, inventing remarkable capabilities to empower warfighter mission effectiveness and improve warfighter safety. Yet over the past 25 years, a transformational shift has taken place in several key technology sectors, and technology leadership in these sectors is no longer being driven by the military, but rather by the private sector. 

Government IT professionals have clear concerns about the threats posed by careless and untrained insiders, foreign governments, criminal hackers and others. For the government, cyber attacks are a matter of life. We must deal with them as a common occurrence.

Recently, Secretary of State Michael Pompeo, in response to Executive Order 13800, released recommendations to the President of the United States on the subject of cybersecurity. Included was an emphasis both on domestic policy and international cooperation to achieve several key diplomatic, military and economic goals. The specific focus on international cooperation is a big step in the right direction. The United States has a chance to demonstrate international leadership on a complex issue, while setting the groundwork necessary to protect national interests.

Never before has there been such an intense focus on data security and privacy. With data breaches increasing exponentially and the European Union’s recent implementation of the General Data Protection Regulation (GDPR), data security has been at the forefront of news stories over the past several months, with both businesses and consumers suddenly paying very close attention. With this increased attention has come an understanding that data continues to exist even when it is no longer needed or used. Due to this newfound understanding and GDPR’s “Right to be Forgotten,” the eradication of data has new urgency and has become critical to a successful data security program.

In February 2018, the Department of Defense (DOD) Defense Digital Service (DDS) relaunched Code.mil to expand the use of open source code. In short, Code.mil aims to enable the migration of some of the department’s custom-developed code into a central repository for other agency developers to reduce work redundancy and save costs in software development. This move to open source makes sense considering that much of the innovation and technological advancements we are seeing are happening in the open source space.

Wary that the Internet of Things (IoT) could be used to introduce unwanted and unchecked security risks into government networks, senators last year created a piece of legislation that placed minimum security standards around IoT devices sold to and purchased by government agencies.  The IoT Cybersecurity Improvement Act of 2017 specifically cites the need for regulation of “federal procurement of connected devices,” including edge computing devices, which are part of the IoT ecosystem.