GovLoop

Looking to Minimize Cybersecurity Threats? Get Back to Basics


No doubt, the government has evolved to keep pace with the 21st century tech boom. But plenty of challenges still exist today, and few are more pressing than those in cybersecurity.

Per the Government Accountability Office, between 2006 and 2015 reported cyber incidents rose from 5,503 to 77,183 — a staggering increase of more than 1,400 percent. Considering the diverse functions of government, that leads to a definite conclusion: Digital security must be treated by agencies across the board as an increasingly crucial topic.

Christopher Dorobek discussed the issue this afternoon, along with Ron Ross, a fellow at the National Institute of Standards and Technology (NIST), and Francesca El-Attrash, a staff writer at GovLoop. The trio went into detail on cybersecurity challenges and pointed to a handful of solutions for government bodies and private sector consumers alike.

Ross, who leads the Federal Information Security Modernization Act (FISMA) Implementation Project, said he believes that managing access points in the Internet of Things (IoT) remains among the most impactful of those challenges.

As an example, he and Dorobek pointed to the breach of Target’s network, which resulted in the exposure of credit and debit card information from some 40 million accounts in 2013. The hackers found an unexpected entry point by stealing credentials from a Pittsburgh heating and ventilation company, which had access to the network in order to monitor and maintain the store’s systems. From there, they infected the network at large with malware that stole user data.

Ross used the anecdote to reiterate his main point: If you’re looking to bolster your systems in 2017, double down on cyber basics.

“The fundamentals never change,” Ross said, “it’s just how we apply them, and how we get smarter, that’s going to make a difference.”

A system is only as strong as its weakest link, he said. At the top of the chain sits the application; below that the middleware; then the operating system; then firmware; then integrated circuits; all the way out of the network. When these stages receive imbalanced attention, it opens the whole system to cyberthreats.

Agencies at all levels have worked to minimize these threats. For example, some have gone beyond basic awareness trainings and begun officewide phishing exercises, El-Attrash said. (“Phishing” refers to the illegitimate effort to acquire information by posing as a trusted entity in electronic communication such as email.)

But all the training in the world can’t guarantee impenetrability, she explained. Agencies face a number of internal challenges to cybersecurity, including lack of training, lack of motivation among employees to stay engaged on cyber topics, and a demand for cyber experts that outweighs the supply.

Last month, GovLoop published a relevant resource guide written by Catherine Andrews, senior director of editorial, titled “7 Cybersecurity Tactics to Watch in Government.” Those tactics were:

“Cyberthreats aren’t going away any time soon,” El-Attrash said. “So it’s really important that agencies keep pace.”

Recent federal actions — including the August American Technology Council report on IT modernization — have pushed the government’s tech efforts in the right directions, Ross said. Federal entities are working to simplify the infrastructure by, for example, standardizing the network acquisition support arm within the General Services Administration (GSA) and cutting back on parts that aren’t necessary.

Ross likened the situation to how virtually all football teams, whether amateur or professional, spend the first weeks of the season on tackling and blocking fundamentals. That’s what the government needs to focus on, he said.

For individual consumers, he posed a bit of somber but useful advice.

“Limit the amount of web surfing you’re doing — you have no idea if that website has been previously infected,” Ross said. “Be very conservative and expect the worst when working with email and web.”
