Advice for the U.S. government: Stop talking and start doing
When it comes to cybersecurity, the United States government is great at talking the talk, yet consistently falls short of walking the walk. Unless the U.S. government actually implements the cybersecurity best practices it touts, the nation and its citizens will continue to be at an increased risk of a cyberattack.
The government has already acknowledged the need for multi-factor authentication. In 2003, it started fielding Common Access Cards (CAC) in the military, as well as Personal Identification Verification (PIV) cards in civilian agencies. At that time, the game plan was to complete the MFA implementation across the government before the end of 2008. In April 2015, MFA implementation levels hovered below 50 percent.
The massive breach at the Office of Personnel Management (OPM), which leveraged compromised user name and password credentials, could have been stopped with more rigid MFA practices. It wouldn’t have made this attack impossible, but it would’ve dramatically increased the cost of the attack for the adversary.
The federal government must start acting on the very practices it advises, or else we’re likely to see more breaches. Here are three actions U.S. government agencies can take to reduce the risk of a cyberattack.
Understand your information
Most federal agencies don’t have a good understanding of what they possess or the value of their information. As a result, they attempt to protect all information equally. This is what happened with OPM, as well as in many private sector breaches. Not only is this approach ineffective, it’s also expensive.
Best practices dictate that information should be protected proportionate to the risk of loss or tampering. The greater the risk, the greater the controls in place to mitigate that risk.
Admittedly, this approach requires deliberate effort. At the minimum, agencies should annually review data inventory and identify high-value assets to align cybersecurity programs based on the value of the information and the organization’s risk posture. This approach helps ensure that data is adequately protected, but also reduces costs because the most expensive, secure methods are reserved for the highest risk assets.
Fully implement MFA
The federal government was supposed to implement MFA by 2008. In the aftermath of the OPM breach, it was discovered that not only had the OPM failed to implement two-factor authentication, but “most civilian agencies of the U.S. federal government still hadn’t implemented their own smart card (Personal Identity Verification, or PIV) systems at the time of the OPM breach.”
Even now, 18 months into the Trump administration, based on FISMA reporting, still fewer than 60 percent of agencies have implemented MFA.
It’s a known fact that MFA raises the cost for attackers to get into both public and private sector systems. The technology behind the CAC and PIV cards is dated, and there are plenty of less expensive and effective options to implement MFA (especially for mobile devices).
Combined with software-defined perimeter technology, MFA can easily make the government’s identity and access controls great again. It’s time for the government to follow through and complete the implementation of MFA.
Consolidate and optimize data centers
The government has done a lot of talking about data center consolidation—and for good reason. Today, nearly 11,000 aging, expensive and poorly secured data centers are reportedly in operation across the US government—and that’s two years after the White House’s Office of Management and Budget launched the Data Center Optimization Initiative (DCOI).
The government could save billions of dollars — and bolster its cybersecurity — by consolidating aging data centers and leveraging world class data centers offered by the commercial sector.
The government has already seen a glimpse of the cost savings that can come from this effort. According to Dave Powner, director of IT management issues at the Government Accountability Office, the retirement of 4,300 data centers from 2010 to 2016 resulted in cost savings of $2.8 billion. That is more than the cost of a B-2 bomber, or the amount the Center for Disease Control gets to protect against infectious diseases.
Closing government data centers and transferring the workload to more modern commercial facilities is an easy win for taxpayers. The commercial sector already processes classified information in its government-rated facilities. The question, then, is whether agencies go “all in,” and take full advantage of the cost savings and cutting-edge technologies of commercial data centers—or whether they continue to manage an overabundance of expensive and poorly secured data centers.
The government has access to the technology and IT services it needs to protect citizens data and significantly reduce spending, while simultaneously reducing cybersecurity risks. It’s time that the government finally walk the walk and put these best practices to service for the common good.
Brigadier General Gregory J. Touhill (ret). is President of Cyxtera Federal Group. Prior to joining Cyxtera, Touhill was appointed by President Barack Obama as the nation’s first ever Federal Chief Information Security Officer in 2016, where he was responsible for ensuring that the proper set of digital security policies, strategies and practices were adopted across all government agencies.