The federal government deals with a staggering amount of malicious traffic every day. Over the years, the perimeter that traffic attempts to breach has changed due to new technologies like cloud, BYOD and the Internet of Things.
This evolution means it’s becoming increasingly difficult for information security professionals to guard federal systems. Fortinet recognizes this and is moving toward a model in which agencies can rely on artificial intelligence and machine learning to discover threats quicker than ever before.
FedScoop sat down with Jim Jasinski, Fortinet’s vice president of federal cybersecurity, to talk about how he sees the government moving toward a new cybersecurity stance in the wake of unprecedented hacks and what needs to be done beyond what’s possible with technology alone.
Editor’s note: This interview was edited for length and clarity.
FedScoop: There seems to be a lack of real-time reporting within the federal government when it comes to breaches. Is there any way the government can quickly catch up without maxing out budgets?
Jim Jasinski: A lot of it comes down to cyber etiquette. It’s a not a question of technology, it’s educating your employees to be more alert. You can say that until you are blue in the face, but then if you are trying to keep something out, you get an email message that says, ‘Dad, you need to look at this” – you’re going to open it. That’s human nature.
Technology is evolving so fast that human intelligence can’t keep up. It has to be machine intelligence making those decisions. What we’re doing is creating internal segmentation. Instead of having simply a perimeter defense or monitoring and detecting, we have broken down different levels by the devices and location so it gives you a better idea.
FS: Agencies have been very reactionary to malicious activity, often because they don’t know about a breach until weeks or months after it occurred. How can agencies be more proactive?
JJ: I think the attitude has to be that there are many defenses and there is no single solution. It’s not a question of protecting at the perimeter; it’s also protection inside. I like to think of it as a parallelogram instead of a rectangle. There is no one point in which you can stop and say “we’ve achieved that.” That’s why we have this internal segmentation approach, to try and prevent dwelling within the system. What you try to do is recognize patterns. You might be in the HR department, and if you have no right to go into the financials, that’s a pattern you look for. That’s what happened in these breaches; using privileges and then walking to the system itself. That’s what eventually alerted [the Office of Personnel Management].
FS: How do you sees threats evolving? What is being targeted and how can the government prevent the known adversaries from breaching their networks?
JJ: It’s evolving in the sense that somebody might articulate, ‘I want to breach this or get into that system,’ but the information at large is a value in and of itself – whether it’s for a country or an individual. Look at health records: They have much more value over what a credit card holds.
And attribution is the biggest problem. I don’t know if we can say [in the OPM breach] if [it was] the Chinese or the Russians or someone acting on their behalf. If you are a country and you know they are interested in nuclear secrets or whatever, and you are a criminal and you want to sell those nuclear secrets, you’re not being sponsored by that country. What you are doing is getting something you can sell to them. I think a large part of what you see is individuals on their own initiative or knowing what the interests are of organizations and appealing to that organization.
FS: Did you ever think the threat landscape was going to grow this fast?
JJ: I don’t think there’s any doubt that everyone recognizes that. There is a real threat out there, and as devices get deployed, the excitement is in the offensive, not the defensive. The attitude that a lot of organizations had was, ‘I can create a perimeter, a firewall, on that threat’ and focus on [stopping] offensive weapons that go out and get data. Whether it was dealing with the mob, which is something we used to do, or against countries. The applications will come from the government, but the intelligence to creating the solutions comes from private industry.
FS: How do agencies prevent becoming the next big hack headline?
JJ: It’s always an investment and a measurement of risk. There is no perfect solution or approach, so it’s identifying what the risk is and how I protect that risk. For every organization, it’s going to be different. If you are at [the Department of Health and Human Services], it’s going to be health records, but there is value in other areas of HHS. Personnel records, identity management, access management – there’s lots of different ways in which agencies have risk. But there’s no magic formula.
FS: Will CISA, if passed, help in that a better info sharing infrastructure could mitigate risk?
JJ: I’ve been meeting with [the Department of Homeland Security] and [the National Security Agency] in which they knew a breach was happening, but they didn’t have the classification to be able to tell a certain entity – partly because it was classified data, but secondly, when you give information, you are revealing your methods and means, and you have to be careful about that. Sharing of data, which is what these bills are really about, is critical for helping mitigate risk, but it’s not a solution. There is always going to be this dialectic between privacy and security. Every security company, every business, every government wants to have as much information as they possibly can, because it helps in understanding the risk and how to counter that risk.