Cybersecurity needs tech, social and policy solutions

If you sell cybersecurity products to the government it’s important to understand that agencies aren’t just trying to protect against hacking, and that the technology is about more than just ones and zeroes.

Rather, cybersecurity encompasses a much larger set of related topics which influence how the government makes investments. Technology, workplace issues, and regulatory and policy concerns are all part of a comprehensive 360-degree view of cybersecurity.

This comprehensive approach to understanding cybersecurity was the topic of a recent panel discussion titled “Cyberattacks: A 360 Degree View,” featuring experts from academia, as well as federal and local government. Panelists included:

• Gary Barlet, chief information officer, U.S. Postal Service
• Douglas Maughan, Ph.D., cyber security division director, DHS Science and Technology Directorate
• Ernest McDuffie, Ph.D., lead research scientist, Cyber Security Policy and Research Institute, The George Washington University
• Michael Dent, chief information security officer, Fairfax County, Va., government

One aspect of cybersecurity discussed was information sharing – a very timely topic, indeed. After years of false starts, it looks as though this year will finally see legislation passed on cyber information sharing. There are several bills on the Hill and related administration initiatives all pushing for more rigorous threat information sharing initiatives.

Barlet said he believes information sharing will eventually become mandatory, and agencies will stop doing business with noncompliant organizations. Industry could profit through targeted government investments resulting from this tangible response to cyber threats and focus on information sharing.

CYBER THREATS AND RESPONSES

Speaking of cyber threats, McDuffie repeated the common refrain that when it comes to cyber threats “we have to be right all the time, while the bad guys have to be right only once.” Recent attacks demonstrate the government’s challenge in tackling the enormity of the cyber threat. This underscores the need for proper cyber hygiene especially since vulnerabilities are often traced to government buying practices.

Maughan complained about the poor quality of software being bought by agencies, coupled with the volume of software development. The takeaway for vendors here is, if you are selling a non-security-related product, demonstrate how security is baked into your product and the role it might play in protecting or making the environment more secure.

The government is trying to get smarter and more strategic around cybersecurity investments by looking into predictive analytics and human-out-of-the-loop technologies. Panelists all said they believed the government has done very little in this area – which is a salient take home point; because, understanding how agencies operate is of utmost importance. While your customers may be vocally receptive to automation and machine learning, bureaucratic stove-pipes can still get in the way. Navigating such hurdles is often just as important as the capabilities you are trying to sell. 

In terms of cyber responses, namely taking the offensive, McDuffie said that it’s not as cut-and-dried as confronting a person in your house with a ski mask. This highlights the challenge government agencies face when it comes to attribution, an area where industry can help, particularly in the areas of real-time threat detection and identification. 

CYBER WORKFORCE, PRIVACY, POLICY, AND SPENDING

The development of a cyber-workforce is a top priority for CIOs at all levels of government. The panelists maintained that federal and state governments remain a few years away from fielding a well-trained cyber workforce.

On the human development front, a good percentage of breaches begin by unwitting employees with inadequate security controls. Often, lack of education and careless mistakes are the sources of government security breaches, not solely insider threats.

Despite this, on a global scale the U.S. is still a cybersecurity leader. Our R&D is helping other countries stand up operational programs and other forms of assistance. International partnerships are not often talked about or well understood, but they are critical.

Looking ahead, the panelists agreed that it’s important, but challenging to strike a balance between a need to protect sensitive cyber information while also protecting civil rights and privacy. The last few years have seen executive orders and policies out of NIST aimed at standardizing the federal government’s approach to cybersecurity.

While these were generally agreed to be steps in the right direction, Michael Dent bemoaned the challenges facing IT shops as they attempt to upgrade the security of their footprint. Often, legacy systems can’t be upgraded due to budgetary concerns or fears it would interrupt essential services.

Cyber spending is increasing, but government agencies and industry alike are treading water at best in the face of cyber-attacks and breaches.

CYBERSECURITY DEMANDS A 360 DEGREE VIEW  

Fortunately, there is buy-in from senior agency executives who recognize investments in new tools and innovative solutions are critical to keeping pace with the threats that are out there. A steady dialogue between industry and government is critical.

Ultimately, the best approach to cybersecurity is a multi-faceted one that looks at the issue from a 360-degree perspective, encompassing technological, social, and policy driven solutions. Selling cybersecurity products to the federal government requires understanding these all-encompassing concerns. The degree of your success in selling security product X or Y depends in large part on understanding government pain points in the areas of workforce gaps, legacy systems, baseline requirements, undereducated end-users, and stove-pipes.