Three Actions Driving Cybersecurity Modernization

The Executive Order on Improving the Nation’s Cybersecurity (Cyber EO) elevated the focus and prioritized action on modernizing how agencies secure their systems and data. This top-down focus was a welcome push as it provided agencies with the confidence to ask for additional funds and budget to accomplish cybersecurity plans that had long been underfunded and therefore on the back burner.

The Cyber EO also served to make zero trust the de facto architecture for cybersecurity efforts. This departure from traditional wall-and-moat security (designed to keep people out of systems) prioritizes granular user identification policies along with strict authentication to allow only the right people into the right systems at the right time. Even trusted users must be authenticated each time they access systems. As agencies look to modernize their cybersecurity approach with zero trust, there are three key areas that are critical for cyber transformation.

Threat Detection and Analysis

Zero trust provides a great defense but, as Tom Suder, Founder and President of ATARC, recently shared with GovWhitePapers, agencies cannot forget about staying on offense. Suder pointed out that it is critical to know how your defenses will be attacked and to alter your game plan accordingly. This means knowing your enemy and staying on top of, or even ahead of, threats.

There are a number of private and public organizations dedicated to threat detection and intelligence sharing, including the Cybersecurity and Infrastructure Security Agency (CISA), the Defense Cyber Crime Center and the National Security Agency’s (NSA) Cybersecurity Collaboration Center. Agencies and the companies that serve the government need to tap into these resources to fully understand the current threat landscape.

A focus on threat intelligence is bolstering the security posture of several agencies.

  • Energy: The Energy Department’s (DoE) Energy Threat Analysis Center (ETAC) is in pilot phase and is designed to connect cyber threat intelligence and mitigation strategies between DoE, CISA, the intelligence community, and private sector organizations. Currently, companies are seeing cyber threats on their networks and while the intelligence community is aware of these threats, a streamlined method for effectively sharing this information is critical. The ETAC brings together experts from electric power utilities, petroleum engineers, the government, and more to share information and collaborate on solutions. The ETAC has been able to identify cyber threats and get advisories out to the energy sector related to the war in Ukraine.
  • Utilities: The Water Information Sharing and Analysis Center (WaterISAC) is a nonprofit led by water and wastewater utility managers and state drinking water administrators to provide critical infrastructure threat intelligence for members. The Water System Threat Preparedness and Resilience Act looks to extend this influence, helping smaller utilities join the organization and gain access to threat data.
  • Infrastructure: The Idaho National Laboratory is developing an action plan with the National Institute of Standards and Technology (NIST) to help utility companies and the rest of the energy sector use cyber-informed engineering when connecting to the electric grid. The goal is to use the inherent properties of the grid (sensors and analytics) and combine that data with cyber intelligence to provide a real time look at threats.

Prioritizing threat detection and intelligence sharing is critical to a more proactive approach to cybersecurity. Also key to understanding threat impact is understanding the technologies you have in place, a process that is easier said than done.

Software Bill of Materials

You can only protect what you know you have. With the complexity of today’s technology, it’s no surprise that organizations do not have a definitive handle on technologies impacting their security. The concept of a Software Bill of Materials (SBOM) is gaining traction as a way to inventory technology and track risk. SBOM holds promise in mitigating the software supply chain risks that led to major security incidents including the SolarWinds hack and the Colonial Pipeline shutdown.

SBOM can be thought of as an ingredients list on food packaging. The SBOM lists all software used in a solution to show users each component of the technology. This allows organizations to understand the technologies present in their software stack so they know if a specific threat might impact them based on their “ingredients.”

Implementing SBOM

The Cyber EO included the requirement for SBOMs to be delivered as part of software sales and use. This vision of SBOMs is still in the early stages of being understood and implemented. Some software vendors argue that SBOMs could be used to reverse engineer their solutions, essentially making all software open source. However, large proprietary companies like Microsoft have recognized the value of SBOMs and have produced tools to make them available.

In this early stage of utilizing SBOMs, there are many questions and issues to be worked out, including developing a standard format and creating a way to ensure accuracy and accessibility across the supply chain. Work is already underway to mitigate these challenges.

To make SBOMs fully functional, agencies need more than just an inventory. SBOMs should be integrated with threat information so required actions are clear. Connecting systems, threats, and information on use is critical to locking in the promise of zero trust.
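The matching step described above, as an added example that is not from the article or any agency tool: the SBOM is a constructed document in the CycloneDX JSON shape (an assumption; the article names no standard format), the advisory feed and its `ADV-PLACEHOLDER-*` identifiers are constructed placeholders, and the check flags each inventoried component whose installed version is below the advisory's fixed version, attaching the required action.

```python
import json

# Constructed SBOM in CycloneDX JSON shape (assumed format; component names are placeholders).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"name": "example-logger", "version": "2.14.1", "type": "library"},
    {"name": "example-tls",    "version": "3.0.8",  "type": "library"},
    {"name": "example-json",   "version": "2.13.4", "type": "library"}
  ]
}
"""

# Constructed threat feed: component, first fixed version, and the action the agency must take.
# Identifiers are placeholders, not real advisories.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "component": "example-logger", "fixed_in": "2.17.1",
     "action": "upgrade example-logger to 2.17.1 or later"},
    {"id": "ADV-PLACEHOLDER-2", "component": "example-tls", "fixed_in": "3.0.7",
     "action": "upgrade example-tls to 3.0.7 or later"},
    {"id": "ADV-PLACEHOLDER-3", "component": "example-db-driver", "fixed_in": "1.4.0",
     "action": "upgrade example-db-driver to 1.4.0 or later"},
]

def parse_version(v):
    """Split '2.14.1' into (2, 14, 1) so versions compare numerically, not as strings.
    Tuple comparison also handles unequal lengths: (1, 2) < (1, 2, 1)."""
    return tuple(int(p) for p in v.split("."))

def load_components(sbom_json):
    """Return {name: version} for every component listed in the SBOM ('ingredients list')."""
    bom = json.loads(sbom_json)
    return {c["name"]: c["version"] for c in bom.get("components", [])}

def match_advisories(components, advisories):
    """Return advisories whose component is in the inventory at a version below the fix.
    Components the SBOM does not list are skipped: the threat does not apply to this stack."""
    hits = []
    for adv in advisories:
        installed = components.get(adv["component"])
        if installed is None:
            continue
        if parse_version(installed) < parse_version(adv["fixed_in"]):
            hits.append({**adv, "installed": installed})
    return hits

if __name__ == "__main__":
    inventory = load_components(SBOM_JSON)
    for hit in match_advisories(inventory, ADVISORIES):
        print(f"{hit['id']}: {hit['component']} {hit['installed']} < {hit['fixed_in']} -> {hit['action']}")
```

Only `example-logger` is reported: `example-tls` is already at or above its fixed version, and `example-db-driver` is not in the inventory at all.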

Insider Threat

“The call is coming from inside the house” is not only a scary premise for a movie, but a stark and scary reality for cyber professionals. Insider threat encompasses both malicious and involuntary security breaches and spans the cyber and physical worlds. Whether a person knowingly accesses or downloads information or simply clicks a phishing link, insider threat has the same impact: data loss and opened system access.

Zero trust is a step in the right direction in mitigating insider threat as it utilizes real-time credentialing to ensure users have the right access. A zero trust architecture simplifies the process of granting admin access to specific job-related information, ensuring that only the necessary details are shown rather than granting carte blanche across all systems. Just because you administer the HR systems does not mean you should have access to the salaries of employees.

Non-Technical Mitigation

Beyond implementing new security technologies, Suder points out that there are some other ways to mitigate the insider threat:

  • Improve vetting – 10 years is a long time to go between security clearance renewals. Software exists today that can help pinpoint security issues with an individual between formal clearance reviews.
  • Reduce paper – once something is printed it cannot be electronically protected. Printers should have strict security controls that monitor what actually gets printed. It may even be worth examining if we need printers in certain environments at all.

Similar to paper, removable devices such as external hard drives are a huge contributor to the impact of insider threat. According to a report from the Defense Department’s Office of Inspector General (OIG), removable devices were the most common cyber weakness. Among the surveyed defense contractors, half lacked automated controls to enforce policies for handling controlled unclassified information (CUI) on removable media.

Finally, cyber education can go a long way in reducing insider risk. Educating the workforce on general cyber hygiene and phishing scams, as well as the security risks associated with traditional media such as paper and USBs, is critical to tightening the cyber posture of government organizations.

We’re keeping an eye on these cybersecurity trends and other emerging security technologies to help the public sector community stay informed and protected. Sharpen your knowledge with the latest government and military content on GovWhitePapers and upcoming events on GovEvents.