There have been many events to mark National Cyber Security Awareness Month, from Twitter chats to Two Factor Tuesday. One event that stands out for information security leaders in the federal government was a conversation between Ann Barron-DiCamillo, Director, US-CERT Department of Homeland Security; Bill Lay, Chief Information Security Officer, Department of State; Dr. Ron Ross, Fellow, NIST; and Fed News Radio’s Jason Miller. The conversation, which started with a question about whether there was any difference between cyber security and data security, developed into an insightful prescription for how to keep driving the momentum agencies achieved this summer during the OMB’s 30 Day Sprint.
According to the three government leaders, while there are differences between cyber security and data security – think of the difference between infrastructure and information – you can’t have one without the other. Lay commented, “It’s very difficult to separate; you have to take a full spectrum approach.”
While Barron-DiCamillo agreed with the principle of taking a full spectrum approach to achieve a more robust information security posture, she was quick to point out that federal agencies’ “attack surfaces are growing daily…[and that] it’s not practical for federal agencies to try and protect everything.”
Instead, she suggested that agency CIOs and CISOs take a risk-based approach, where both information assets and systems are prioritized based on their value to the agency and role in meeting the mission. Ross added one additional criterion in risk assessment, which was to consider “not only what your agency values but think about what the attacker values too.”
Ross and Barron-DiCamillo were also in agreement that it was imperative to “establish roles and responsibilities” that further limited the number of attack surfaces without compromising on the agency’s ability to meet its mission, particularly as government moves into the era of the Internet of Things.
Ross noted, “There’s lots of data…and it’s growing by the day… [it would be] highly unusual that one person needs access to the entire database.” To this end, he suggested hardening the system to provide an additional layer of protection and building role-based access into the initial architecture to effectively limit the scope of an attack.
All three agreed that one challenge facing agency CIOs is how to manage the big data generated by the many security tools agencies employ. If information is siloed, it has no meaningful value. But if it can be shared within and across agencies, then it has immense strategic value. When information is shared, not only are false positives reduced, but finding the needle in the haystack becomes that much easier.
Agencies contribute to the identification of vulnerabilities and indicators of compromise, which can then be shared via the government-wide dashboard being implemented by the Department of Homeland Security and fed into the incident response programs run by Barron-DiCamillo and the US-CERT team.
Without a deep awareness and thorough understanding of data security, government agencies, as Lay pointed out, are just a “hop, step, and jump” from a hack of a social media platform to a compromise of a critical mission function. By incorporating information security into the architecture of systems as both a technical and role-based requirement, agencies will be in a far stronger position to defeat cyber attacks and successfully deliver on their missions.