For government security professionals, focusing on priorities is key in these trying economic times, reports Illena Armstrong.
Rising incidents of hacktivism, cyber espionage and other online attacks have most organizations reframing their risk management plans to include more than a few tweaks.
However, many information security executives are finding that implementing desired policies and supporting technologies to forge needed enhancements is proving tricky during a time of constrained budgets and resources.Federal government leaders especially are having difficulties as dollars dedicated to their initiatives either remain the same or continue to drop – even as the adoption of business-enabling technologies, such as cloud and mobile, spikes, according to IT security leaders attending a recent SC Magazine Government Security Roundtable in Washington, D.C.
“It is how [we] cover and continue the mission that makes the difference,” said one attendee from a large research-driven agency who asked for anonymity. “[We] can't control everything. We just don't have the resources.”He and others at the roundtable said getting monetary and other support needed to fully safeguard critical data, related informational flows and overall IT environments remains a huge stumbling block. Adding to this are worries about government agencies' use of public-facing applications to exchange various bits of critical information with constituents.
Participants said it is tough enough getting needed budgets, much less convincing staff and government leaders to adhere to some additional controls despite their increasing reliance on cloud services, mobile devices and other technologies. Finding ways to circumvent rules, or simply submitting requests to go around them, has become a frequent practice in many government agencies, some said during the gathering.For instance, IT security pros may find themselves confronting a high-level individual in their organization who does not wish to follow policies. And, even with technologies in place that may help to enforce these, individuals will request and circumvent the rules. “He knows he's the subject matter expert, and no one's going to challenge him,” said the aforementioned IT security pro at the roundtable, sponsored by HP Enterprise Security.
In addition, desired redundancy in IT staff and systems is often given short shrift, he said. Having dedicated roles and backup staffers when others go on vacation or are otherwise unavailable are good practices, but higher-ups often are unwilling to fund these.“Until we find a way to address these challenges, I don't know how we can effectively address [associated security problems],” he said.
Whether some relief is in sight for federal cyber security practitioners is unclear and certain to remain so until after this year's presidential election. President Obama's budget proposal for 2013 does serve as a kick-off for negotiations with Congress. Already, however, talks are proving contentious.
Still, Obama's wish list of spending priorities seems to favor IT pros, with $78.8 billion on overall IT operations proposed. Of that, millions are earmarked for sundry cyber security operations and research initiatives.Possible reinvigoration of IT security funding and support couldn't come soon enough. For the first time ever, hacking, as opposed to lost or stolen mobile devices, is the top reason for data breaches, according to the year-end “Data Breach Intelligence” report from Risk Based Security, an affiliate of the Open Security Foundation. Its findings revealed that hacking resulted in the exposure of 83 percent of the 368 million total records compromised last year.
But, trying to cover every possible entry point or be ready for every kind of attack is folly, said retired Lt. Gen. Robert Elder of the U.S. Air Force, who is now a member of the faculty at George Mason University in Virginia and was the lead speaker at the event.“You need to take a look at this end to end,” he said. “Because there are so many different attack vectors, perhaps you should do something more like one does in the military. Typically, you don't try to find everything.” Instead, security professionals should understand the key areas requiring protection so that the appropriate systems with the most at-risk data are defended properly.
“So, if we start thinking about [the] targets, then that could be helpful,” Elder said. “You can't defend the ocean, so what parts can you defend?”Whether it is a government agency working with citizens online or a bank interacting with customers who rely on its website for processing transactions, organizations must employ the expertise of IT security heads who fully understand the systems they can't afford to have go offline for any length of time. This comes down to a risk equation: balancing the risk of having one's network compromised with the risk of not making any money, said Elder. And this means that if much of an organization's livelihood “is based on the integrity of transactions,” then its executives must establish a risk management plan that won't allow for “a single one of those transactions [to] go bad.”
As well, given the myriad attacks hitting government entities and private companies alike, organizational leaders should “assume somebody's already inside somewhere,” said Prescott Winter, public sector CTO with HP Enterprise Security and former CIO and CTO of the National Security Agency.“That issue of linking your assets and the state of the assets, I think, is really critical,” he said during the roundtable. “That's the basis of your risk management framework and that's an area where, lamentably, many customers are way short of where they need to be. And then you begin to look at the likelihood of who is inside, what they are doing, what the policy is in relation to this risk management framework and what you have to fix first.”
This becomes even more critical as agencies and private companies look to the cloud to ensure that their computing power keeps up with the growth of their businesses, or to rectify some of the missteps they have made when establishing their networks.Elder, who has been involved in judging college and high school cyber security competitions that task contestants with architecting hardened systems from scratch, said such challenges reinforce for him how building security in from the start works. Often in the real world, though, systems are “cobbled together,” and require throwing good money after bad to maintain them.
“Most businesses, because they're having to do things incrementally, can't work with the potential of re-architecting a system,” he explained at the roundtable. Further, he said, “What you do to complicate the hacker's world also complicates your system administrator's piece.”This is a huge reason why cloud services are proving so attractive to many organizations, including the federal government. Indeed, over the last several months, various federal agency officials have been defending moves to the cloud as they come before congressional leaders, who are requesting assurances that in undertaking such transitions national security risks will not spike. For his part, Elder said that while cloud computing can remedy certain issues, such as system redundancy or scalability, he worries that other unforeseen risks could crop up.
Many federal officials, though, generally have maintained that the problems they face now would be no different in the cloud and, in fact, security could be enhanced.Whatever the environment and despite its unending changes, to keep it and the data on it secured, associated risk management planning must be robust and well-maintained, said HP's Winter.
“I've talked to a number of CSOs and CISOs who say, ‘You know, we're just running hither and yon trying to fix everything,'” he said. “And I say, there's a way to fix this. Begin to establish a proper risk management framework with some clear priorities driven by your mission. You are not going to be able to fix everything everywhere with equal priority. That goes then to aligning your assets with the things you're trying to accomplish. How do you run a network, how do you do patch management, how do you do change management, how do you actually look at all the things going on inside. It's discipline. It's training. It's process.”
Photo: Robert Elder, a research faculty member at George Mason University in Virginia and formerly an Air Force lieutenant general, participated in the SC Magazine Government Roundtable. Photo by Aaron Clamage.