Gary McAlum, senior manager, Deloitte & Touche
It shouldn't be a surprise, but the news is not getting any better with regard to the cyberthreats focused on federal networks. A recent USA Today article noted, after reviewing data provided by the U.S. Computer Emergency Readiness Team (US-CERT), that “reported cyberattacks on U.S. government computer networks climbed 40 percent last year, federal records show, and more infiltrators are trying to plant malicious software they could use to control or steal sensitive data.” This information, along with public statements by numerous government officials over the past several months, reaffirms that cyberthreats are relentlessly targeting (and successfully exploiting) federal networks and information. While generally acknowledged that such activities have probably been going on for years, only recently have senior leaders throughout government begun to realize the magnitude of the problem and begun to take action. Obscure vulnerabilities, complex interconnections and clever targeting through social engineering techniques are allowing sensitive information to be susceptible to compromise every day. We are beyond the “Houston, we have a problem” stage. We're at critical mass.

Despite response efforts within the government, such as the Comprehensive National Cybersecurity Initiative, our networks remain woefully under-protected against persistent cyberthreats. Simply mandating “better security” will not help federal agencies cope with this huge problem. They are already insufficiently resourced in terms of money, personnel and expertise, while trying to comply with a myriad of regulatory requirements that do not necessarily drive increased security. The piecemeal approach to IT security that agencies have been forced into over the years is like trying to patch a leaking canoe as it's floating down the river. While the traditional defense-in-depth model is still necessary (and can be quite effective when properly implemented), it alone is not sufficient to deal with today's threats. Security professionals already spend a significant amount of time and resources trying to keep up with the never-ending flow of patches across a dynamically changing enterprise, while counting on a dubious perimeter and basic anti-virus software to keep out most threats. When you factor in additional areas of concern -- including insider threat, supply chain risk and an increasingly mobile workforce -- the problem set quickly becomes overwhelming. And, we already know that, for the most part, the status quo approach is not working. Today's threats are too agile (able to adapt quickly to countermeasures), too informed (they find the vulnerabilities before you know they are there), and they are too prevalent (cyberthreats are ubiquitous, both inside and outside the firewall).

So, the real question is, how are federal agencies supposed to accomplish their missions in this environment of inevitability? There is no simple solution to this problem but there are three key, inter-related elements to an effective organizational cybersecurity strategy: senior leadership attention, a risk-based approach and focus on operational resiliency.

First, cybersecurity considerations cut across organizational boundaries and affect every aspect of an agency, spanning the people, process and technology dimensions. It is truly a strategic issue and, therefore, can't be seen as something just for the chief information officer or the chief information security officer to deal with. While cybersecurity is not a problem that can be “fixed,” it can be effectively managed. The holistic nature of cybersecurity demands senior leadership attention and an unwavering interest in how it's resourced, implemented and assessed for effectiveness. The first question any new top leader should ask in regard to cybersecurity is, “Where am I today?” Gaining an objective understanding of your organization's cybersecurity risk posture may not be a simple matter. It may be wise to invest in a third-party assessment as a baseline. Agency directors must make cybersecurity a priority and drive a consistent understanding of cyberthreats in the context of the organization's mission. This culture of awareness must be backed up by a strong security training and awareness program that is more than a “check the box for annual IA training” effort. One thing is for certain: if senior leaders at the very top lead by example, the workforce will follow.

Second, cybersecurity requires a risk-based approach to how resources are applied. Everything can't be protected all the time, and there isn't an unlimited budget to constantly throw at the problems. Agency leaders, working with their security professionals, need to understand their information enterprise. Who's on the network and what are they doing? What data resides on and transits their network? What information is most critical to mission success? Where are the greatest vulnerabilities? What are the greatest threats? Answers to these basic questions (and many others) can help senior leaders develop a risk-intelligent approach to how they allocate their limited resources. A method for prioritizing how limited funds are spent is nothing new for executives; however, the framework for most of today's cybersecurity resource decisions is not always methodical and based on risk-intelligent considerations. When you only have $10 to spend on cybersecurity, but $100 in requirements, you should focus on the most critical, high-risk issues instead of the typical first-in/first-out funding approach.

Third, at the end of the day, the need for effective cybersecurity exists only in the context of mission accomplishment, which includes effectively delivering services, maintaining public trust and confidence, and protecting sensitive data. If you truly believe that your enterprise is under constant surveillance and targeting (and it is), then you should assume that the threats may eventually be successful (and they will be). You should think about operational resiliency. What processes and functions within your agency must have a high degree of assurance of continued operation, even during a major disruption? What data must always be accessible and trusted? And, when compromised, how do you quickly recover to minimize mission impact? There are certainly the typical elements of disaster recovery and business continuity planning related to these points, but operational resiliency requires in-depth thinking about how to operate in an environment where you should assume you've been periodically compromised. This element demands a proactive, sometimes unpredictable approach to how your IT enterprise is managed and protected. This is no simple task where the user expectation is 100 percent system availability and flawless operation.

Federal agencies are under relentless assault. The advanced persistent cyberthreat that is targeting our public sector networks and defense industrial base to mine information and gain competitive advantage is aggressive, sophisticated, and persistent. But the cyber cavalry is not coming to the rescue any time soon. Buying more firewalls and deploying the latest intrusion detection systems alone is not enough. Success in today's cybersecurity environment of inevitability will require a multidisciplinary approach and the critical success factor is leadership. Leaders of federal agencies must devote personal attention to this issue and make intelligent, risk-based resourcing decisions that emphasize mission accomplishment.

Gary McAlum, CISSP, recently retired from the United States Air Force after 25 years of distinguished service and joined Deloitte & Touche LLP's federal practice as a senior manager working in the area of security and privacy services. During his last assignment on active duty, he was a major figure in the establishment and evolution of the Defense Department's Joint Task Force Global Network Operations, the focal point for operating and defending DoD networks. He was frequently called on to provide cyberthreat insights to a wide variety of interagency forums, including the United States-China Economic and Security Review Commission and Congressional testimony.