Data leakage, data integrity, identity authentication and management are top concerns of agency leaders. Learn how to boost security spending despite budget pressures, and find out how a security ecosystem keeps attacks at bay and fits into the cloud-first movement.

Cybersecurity spending gets boosts despite budget pressures

Federal spending on cybersecurity will outpace overall spending on IT during the next several years, increasing 9 percent annually, from an estimated $9.5 billion in 2011 to about $13.5 billion in 2015, according to estimates by IT research and consulting firm Input. This is nearly double the expected 5 percent growth in federal IT spending during that same period.

“The lion’s share of cybersecurity spending is for day-to-day operational information security activities, such as network security and network monitoring,” said John Slye, principal research analyst at Input. Slye estimated that as much as 90 percent of the cybersecurity budget covers operational information security while the rest is allocated for programs such as education, training and compliance with federal security requirements, such as the Federal Information Security Management Act.

Ray Bjorklund, senior vice president and chief knowledge officer at Deltek FedSources, said the increases in cybersecurity spending reflect the growing challenges that the government faces. "The threats are expanding in size and complexity, requiring a response that grows faster than other IT requirements," he said.

Government depends heavily on industry for cybersecurity solutions and personnel. Spending on cybersecurity services is expected to reach about $7.5 billion in 2015, while spending on software will be $4.5 billion and hardware about $1.4 billion.

Automating cybersecurity

Cybersecurity encompasses a broad range of products, services and activities. One critical area is the automation of cybersecurity activities. “We have to get to a place where people do the things that people do well and machines do the things that they do well and then have all of them work together more effectively,” said Philip Reitinger, deputy undersecretary of the Homeland Security Department's National Protection and Programs Directorate.

Reitinger’s office recently released a white paper, “Enabling Distributed Security in Cyberspace: Building a Healthy and Resilient Cyber Ecosystem with Automated Collective Action,” that explores the feasibility and implications of automated and collaborative monitoring and response.

“I see real opportunities in software to automate traditional network management and network security, areas of intrusion prevention and defensive countermeasures, and remediation,” Slye said. “Where we can, we need to automate monitoring and response for the bread and butter attacks, so we can free up people to make decisions on the anomalies.”

Cloud computing and security

The federal government could migrate as much as $20 billion in annual IT spending to cloud computing, Federal CIO Vivek Kundra has said. But as agencies shift more data, applications and services to the cloud as part of the administration’s cloud-first initiative, agency leaders will want assurances that their information remains secure.

“The transition to an outsourced, cloud computing environment is in many ways an exercise in risk management,” Kundra wrote in the Federal Cloud Computing Strategy released in February. Cloud security risks must be carefully balanced against the security and privacy controls available and the expected benefits, he said.

Cyber ecosystem could more easily keep attackers at bay

A new white paper from the Homeland Security Department’s National Protection and Programs Directorate (NPPD) suggests that government and industry can create a much healthier, more resilient and more secure cyber ecosystem by enabling devices to share information and work together against cyberattacks.

Released in March, the paper, “Enabling Distributed Security in Cyberspace: Building a Healthy and Resilient Cyber Ecosystem With Automated Collective Action,” explores a future in which cyber devices collaborate in near real time to anticipate and prevent cyberattacks, limit the spread and consequences of attacks across participating devices, and recover to a trusted state. “These ideas have been discussed in the cyber community for a number of years,” said Philip Reitinger, deputy undersecretary of NPPD. “We wanted to bring them together to understand what that [healthy] ecosystem looks like. What are the elements and how do you get there?”

Attackers wield an advantage over defenders, Reitinger said. Attackers need to find only one weakness or point of entry, while defenders must protect many more. In addition, software, systems and people are imperfect. A security breach or compromise is nearly inevitable. “If somebody wants to get access to your computer system, it doesn’t really matter how well defended it is,” Reitinger said. “If they have enough time and throw enough resources at the problem, they will get in.”

The three foundational building blocks of a healthy ecosystem — one defended by automated collective action — are authentication, automation and interoperability, according to the paper.

Authentication enables networks and devices to know who is connecting and why, providing greater assurance that participants are authentic. Automation enables devices to respond immediately to intrusions and anomalies, adjusting at Internet speed, because the devices can be programmed to take appropriate actions, such as refusing to receive or forward messages from infected sources. Interoperability enables devices to share information and alert other devices across the network, which act in concert to identify infected devices, neutralize their ability to spread the infection, and take remedial action.

Comment on DHS’s White Paper

The Department of Homeland Security welcomes feedback from industry, academia and others on its white paper, “Enabling Distributed Security in Cyberspace.” The paper is available online, and comments can be sent to cyberfeedback@dhs.gov.

The defenses within a healthy ecosystem can intervene at any point during complex attacks. Like the human immune system, cyber devices would respond automatically to potential intrusions and attacks, deploying a host of defenses in collaboration with trusted partners. “With a rich web of security partnerships, shared strategies, preapproved and prepositioned digital policies, interoperable information exchanges, and ‘healthy’ participants — persons, devices and processes — a healthy cyber ecosystem could defend against a full spectrum of known and emerging threats,” the white paper states. Some simulations indicate that just 30 percent to 35 percent of devices would need to cooperate for the collective response to succeed.

What capabilities are needed to build such a cyber ecosystem? Rather than focus on creating new technologies, Reitinger said, agencies should build an ecosystem in which the parts work according to the principles of collective automated response. He pointed to two major efforts in the federal government that would support a healthy ecosystem, both spearheaded by the National Institute of Standards and Technology.

  1. Security Content Automation Protocol. SCAP is a synthesis of interoperable specifications and standards for enabling automated vulnerability management and policy compliance.
  2. National Strategy for Trusted Identities in Cyberspace. Released April 15, NSTIC is designed to protect identities, guard against fraud and foster economic growth by making online transactions more trustworthy. “It’s a major push forward for how we want to build out broad, interoperable authentication across the ecosystem,” Reitinger said.

Reitinger said the next step is for government, industry and consumers to have a public discussion about the issues and begin creating the demand for products and services that rely on strong authentication, work in an automated way and are interoperable across vendors. “We need industry and government to come together, not to build widgets, but to first build out the standards and processes for how all of these different pieces are going to fit together,” Reitinger said.

How security fits into the cloud-first movement

Security remains a top concern for agency leaders as they transition to cloud computing to comply with the administration’s cloud-first strategy. They worry that a cloud environment will heighten security problems, such as data leakage, data integrity, and identity authentication and management.

“The security issues with cloud computing are similar to those that come up with outsourcing when workloads are turned over to others at their locations,” said Lee Badger, acting program manager at the National Institute of Standards and Technology's Cloud Computing Program. “With cloud computing, people have had a concern with visibility and control. How do I know what’s going on inside the cloud related to my data and processing, and how do I have control over that?”

Badger said that multitenancy in cloud computing also raises concerns. Organizations using cloud services might share components and resources with other organizations, which could make them vulnerable to an attack if the vendor does not maintain strict separation. Although operating systems and Web servers might also have multitenancy, the security issues “come to the foreground with the cloud because we are putting so much of our data and our processing into someone else’s infrastructure,” he said.

The cloud-first strategy

The cloud-first strategy, announced in December 2010 by Federal CIO Vivek Kundra, calls for agencies to begin migrating data and services to the cloud and retiring the associated older systems. The strategy calls for using commercial cloud technologies as much as possible, launching private government clouds, and using regional clouds with state and local governments when appropriate.

A recent survey of federal CIOs reported that 57 percent of agency CIOs have active projects moving to the cloud, and another 14 percent are conducting pilot projects. But some said cloud computing has a “negative relationship with security” and were taking a wait-and-see approach, according to the survey released in May by TechAmerica and Grant Thornton.

Strengthened security under the cloud

Kundra and NIST officials say cloud computing services have potential security benefits in addition to risks. For agencies with a mobile workforce, data that is maintained and processed in the cloud can present less of a security risk than having that data dispersed on portable devices in the field, where theft and loss of devices often occur, NIST computer scientists Wayne Jansen and Timothy Grance wrote in the agency’s “Guidelines on Security and Privacy in Public Cloud Computing.”

A public cloud also could provide agencies with specialized staff in security, privacy and other areas. “The biggest beneficiaries are likely to be smaller organizations that have limited numbers of IT administrators and security personnel and lack the economies of scale available to larger organizations with sizable data centers,” Jansen and Grance said.

Cloud services also could offer agencies improved resource availability, including redundancy and disaster recovery capabilities, in addition to improved resilience when facing increased service demands or a malicious attack. Similarly, the backup and recovery capabilities of the cloud service might be superior to an agency’s capabilities. “Agencies assessing risk in the context of cloud computing should consider both the potential security benefits and potential vulnerabilities,” Kundra said.

Next steps for government and industry

To help strengthen cloud security, government needs industry to help formulate cloud standards, Badger said. NIST is leading a government/industry effort called Standards Acceleration to Jumpstart Adoption of Cloud Computing to validate the requirements for portability, interoperability and security.

“We need to create cloud systems standards that enable portability so that users can conveniently move workloads between clouds or back home,” Badger said. “This will enable a healthy marketplace of cloud services and indirectly support security by allowing customers to vote with their feet for cloud service providers that provide secure services.”

Badger also recommended that cloud providers and their partners provide as much visibility as possible into how their systems protect customer data and processing. He said he recognized that companies have proprietary processes and services that they may not wish to make public. “But the more they can disclose about how their systems work and why customers should have confidence in those systems, the easier it will be for federal customers to embrace those systems as being secure enough for their particular needs,” he said.

This report was commissioned by the Custom Media Group, an independent editorial arm of 1105 Government Information Group. Specific topics are chosen in response to interest from the vendor community; however, sponsors are not guaranteed content contribution or review of content before publication. For more information about 1105 Government Information Group Custom Media, please e-mail us at GIGCustomMedia@1105govinfo.com