Every day at the Corporation for National and Community Service (CNCS), Stacy Dawn witnesses first-hand the stakes of government cybersecurity. Her organization handles all of the personally identifiable information for programs such as Senior Corps, FEMA Corps, AmeriCorps, Social Innovation Fund, and others.
That’s an extensive amount of sensitive data that also has to be stored and protected for extended periods of time. “Imagine getting a 4 or 5 year old’s social security number and having to protect it for the rest of their life,” she said.
At our recent event, What’s on Fire in Government Cybersecurity, Stacy Dawn, who serves as Director of Cybersecurity and Chief Information Security Officer at CNCS, talked to us about the future of public security. More specifically, she drove home how much more we have to do if we’re truly going to secure our information and systems.
First, she said we have to gain a better understanding of what we’re protecting. She mentioned the internet of things, cloud, mobile solutions, and applications as just a few examples of the wide array of technologies that are entering the government domain and must be secured. She even joked about the potential to introduce robots into the workforce, creating new efficiencies but also greater IT vulnerabilities.
Then, Ms. Dawn said we have to identify exactly how those assets are being attacked, and by whom. While we often hear about phishing and ransomware attacks taking government IT systems hostage, Ms. Dawn stressed that much less sophisticated attacks are also a concern. “Today any amateur can get online and learn how to execute an attack,” she said. “But a simple denial of service can stop your mission.”
Given that wide array of potential cybersecurity risks, Ms. Dawn offered an extensive list of tasks government must undertake to secure its future. Her top priorities included establishing strong authentication through strong passwords, multi-factor authentication, and the use of advanced biometrics. She also said that authentication should be married to secure network connections, including port security, encrypted wireless, mobile networks, and VPN.
But, she said, there’s still more to do. “‘If I touch it, I own it,’ should be your motto,” she said. Any device connected to a government device must also be secured, and administrators must ensure they have the access needed to remotely wipe stolen devices.
Furthermore, on a daily basis every employee should be maintaining appropriate cybersecurity both at the workplace and on his or her personal networks.
“But wait, there’s even more to do!” said Ms. Dawn. Consider things like application downloads, software installation, software updates, and patching that must be constantly maintained across all platforms. And whatever data is accessed should be both encrypted in motion and backed up in storage.
Ms. Dawn’s list seemed nearly endless, but she concluded by stressing the need to tackle every action item consistently and constantly in order to secure the future of government cybersecurity.