As federal and state agencies are forced to do more with less, concerns continue to mount, Illena Armstrong learned during an SC Magazine roundtable.
To find a generally accurate barometer to gauge the typical pace of government, just turn to personal experience.
As an example, recall a recent jaunt to the Department of Motor Vehicles to renew a driver's license or, perhaps more fitting given still bleak economic forecasts, a visit to the state Unemployment Insurance Agency to verify eligibility for extended benefits. The lines to talk to an agent undoubtedly were long, the conversation with the government representative likely patience-trying, the follow-up paperwork tedious, and the desired end result long in coming.
Similar types of impediments experienced by the average Joe or Jane when attempting to check a government-related item off their to-do lists are often felt by the lead executive responsible for the security of a particular agency or department. As the economy lurches for a comeback, even the most stalwart pro can grow weary of wrangling for needed funds and resources.
“It's a mixed bag,” says Bob Maley, founder and principal at consultancy Strategic CISO and former CISO of the state of Pennsylvania. Across government, various agencies and states have some high-caliber people who are doing a lot with a little, he says. “The sad fact is that's the exception rather than the rule.”
As well, when it comes to adopting new technologies and processes, let alone those that may help avert some yet-to-occur data security happening in the future, government frequently is late with support.
“Government may be the slower ones to embrace new technologies,” Maley says.
Part of the reason for this is the time it takes to get projects finished, he adds. Approval processes to acquire funding, to choose vendors and more are extremely time-consuming.
“That time cycle is far more extensive than in the private sector,” he says. “I've got to believe it's the state of bureaucracy that slows things.”
These hardships and many others voiced at an SC Magazine Government Security Roundtable, sponsored by ArcSight, an HP Company, and held late last year, still hold true for many in this space, according to experts, who were interviewed in just the last month. Many attendees of last year's Roundtable struggled with funding or resources and found the cycle too long to get projects supported. Collectively, the Roundtable group also fretted about newer or growingly difficult-to-secure technologies, such as mobile devices, cloud services and social media.
“As we embrace technologies, as we should, the question is: Are we executing [them] in a secure way?,” asked Randy Vickers, a speaker at the Roundtable, who, at the time, was director of the United States Computer Emergency Response Team (US-CERT), a division of the U.S. Department of Homeland Security (DHS).
For many Roundtable attendees and several industry players now, such questions often guide every move, but a host of challenges often thwarts even the best of intentions. All the while, growing numbers of attackers, who adopt laser-like focus to zero in on the weakest points of an infrastructure, have strengthened their tactics with seemingly endless amounts of funding and support.
For Vickers, who is now vice president of cybersecurity consulting and strategy at TopMast, a strategic advisory firm, the best way to tackle existing threats and minimize impacts due to attacks, no matter their point of entry, is to create and execute a strong risk management plan. Sounds simple enough, but implementing such a blueprint requires organizations to understand what their important assets are and what could “cause the greatest impact to their mission,” says Vickers.
When executive leaders look, from multiple aspects, at new technology deployments, such as those mentioned at the Roundtable – including ease of use, mission enhancement, cost and, yes, security – they make great strides in hindering the attacks targeting these, he adds.
Many IT security pros likely welcome such advice even more today than during last year's SC Roundtable given the spike in high-profile attacks against government agencies and critical infrastructure companies over the last several months. Although traditional forms of cybercrime focusing on data theft for profit gain still reign, government-sponsored strikes and hacktivist attacks have spiked.
For example, the group LulzSec took responsibility for hitting websites belonging to the Central Intelligence Agency, the U.S. Senate and a slew of others. Too, various federal agencies and defense contractors, such as Lockheed Martin, have experienced system breaches likely spearheaded by foreign intelligence groups.
Perhaps unsurprisingly, vectors of attack discussed more than any others at SC's Roundtable included cloud services, mobile networks and social networking. Indeed, these areas still pose vexation for many.
Part of the predicament, says Kris Rowley, CISO for the state of Vermont, is that there are so many types of devices that many IT security pros have trouble keeping on top of operating system and security updates for them.
Eric Avakian, the current CISO for the state of Pennsylvania, agrees, pointing out that mobile device policies are key to locking down critical data.
But older attack methods are still in use. IT security leaders must remember that even some of the newest attacks still rely on more traditional means of entry, such as social engineering, Prescott Winter, CTO of ArcSight's public sector division, said during the Roundtable. Getting end-users to “work smarter” is a constant priority, the former CTO at the National Security Agency/Central Security Service, added.
“In security, it is important to know what the risks are and to minimize them to acceptable levels to enable the business,” says Avakian. “Organizations can stay ahead of the threat landscape through ongoing research and by ensuring their security architectures keep ahead of new threats.”
Contact [email protected] for a full, ebook version of this story.
Photos by Aaron Clamage