Federal cyber leaders are working to keep mission-critical data secure and available to employees working from home, in the office, and in the field at the tactical edge. Despite progress and intense focus, a boom in cybersecurity breaches is commanding national attention and highlighting the need for IT and security modernization throughout the Federal government.
Christopher Wray, director of the Federal Bureau of Investigation, compared the deluge of ransomware attacks to the environment following September 11, 2001. “There are a lot of parallels… and a lot of focus by us on disruption and prevention,” Wray said.
Ransomware incidents have tripled in the past year, he explained. “There’s a shared responsibility, not just across government agencies but across the private sector and even the average American.”
The Biden Administration’s Executive Order (EO) on Improving the Nation’s Cybersecurity reinforces this point with the caveat that “cybersecurity requires more than government action.” Agencies must renew their sense of urgency to take bold action to revitalize government security architectures and embrace cybersecurity and risk management as a springboard for mission innovation.
Time for Definitive Action
“Threats are evolving much faster than the government, and even the private sector, have seen in the past,” explained Rob Davies, chief operating officer at ViON Corporation, in a recent interview. Agencies are taking a more fluid risk-management posture.
As agencies develop EO-mandated zero trust plans, the private sector is sharing guidance and lessons learned. Cameron Chehreh, federal chief technology officer at Dell Technologies, encourages leaders to use zero trust as an opportunity to shift their paradigm from “security as mission inhibitor” to “security as mission accelerator.”
“It’s about leveraging existing governance and processes as well as available technology to address needs rapidly and effectively,” Davies shares.
Driving Innovation with Managed-Risk
“Accepting risk is healthy,” Chehreh says. “It’s helping to drive innovation as agencies understand that cybersecurity is not just a ‘check-the-box activity’ to obtain authority to operate (ATO) on the network.” Chehreh says cybersecurity must be a dynamic, daily process that focuses on users and their risk posture throughout the day.
This is particularly important for agencies with remote teams working in unpredictable environments. They are at increased risk for cyber threats. Emergencies direct attention away from standard operations, giving criminals an opportunity to strike.
As an example, the Federal Emergency Management Agency (FEMA) executes missions remotely, under challenging conditions. In this case, a zero trust architecture provides mission agility by securing technologies and applications at the edge that are critical to operations such as disaster relief.
Ted Okada, chief technology officer at FEMA, recently shared that the agency is working towards these goals to allow teams to securely store data and compute at the edge, closer to the source.
This approach helps the organization automate compliance and security, and deploy new mobile and remote technologies faster and with greater confidence as they respond to catastrophic events.
Often agencies try to protect all parts of their infrastructure equally. Zero trust models align protection with data and application value – and allow teams to continuously assess risks to those critical assets.
When building a strategy for the greatest impact, Davies advises Federal leaders to first consider their agency’s unique operations. This will inform changes that are central to the mission.
“Take the time to dig deep and answer core questions that relate to the zero trust pillars, including – Where does my data reside? Where does it move to and how is it used daily – in transport and sessions? Which applications are critical to our mission? Who are our users, and where are they physically located? What devices do they use today? What will they be using in the future?” he said.
“The key to moving fast is understanding your stakeholders – their motivations and what they need to achieve,” Chehreh said.
It’s all about embracing and executing best practices, Davies adds. Agencies can look to and build upon the pillars of zero trust: device security, workload security, infrastructure security, network security, data security, and process. And ultimately, Chehreh emphasized, “never lose sight of what sits at the very top of these pillars – the mission.”