How Federal Agencies Can Improve Cybersecurity with Better Data Encryption

Everyone’s talking about encryption. Within the past two years, there have been some 13 major data breaches involving public and private sector organizations.

These cyberattacks cost U.S. businesses and agencies as much as $400 billion a year in direct damages and post-attack disruption to daily operations, according to an estimate last year from the British insurance company Lloyd’s.

One thing all of these events have in common is that sensitive information — personal, financial or medical — was stolen or exposed.

What’s needed is a way to protect the data itself. Many organizations employ data-at-rest security to protect sensitive information. This helps when equipment is lost or stolen. However, relying solely on this method is not sufficient. As CNBC reported on Verizon’s 2016 Data Breaches Incident report, 30 percent of all data breaches in 2015 were “due to worker negligence like delivering sensitive information to the wrong recipient or the insecure disposal of personal and medical data.”

The requirement to protect the data itself is reflected in a statement in the Cybersecurity Act of 2015: “Encrypt or otherwise render indecipherable to unauthorized users of ‘sensitive and mission critical data stored by the agency’ or transiting agency information systems.” I think it’s time we listen.

Why Data Encryption Matters

In order to do so, we need to extend data protection beyond organizational borders, enabling protection of Personally Identifiable Information (PII), Protected Health Information (PHI), Federal Tax Information (FTI) or any other type of data shared with partners, suppliers and outsourcers.

This will solve the issue of advanced threats by protecting data at rest, in motion and in use across different systems. We must address security gaps in coverage and complement capabilities of existing tools in order to integrate with different platforms.

One event illuminating the extent of the wave of cyberattacks was the August 2014 hacking of the Department of Health and Human Services' server. This was a “denial of service” (DoS) attack that occurred across numerous websites, including Healthcare.gov, preventing user access. Federal officials said consumer information was not compromised, but the incident was a big scare to those who had signed up or were applying for healthcare plans.

One might ask what a DoS event has to do with encryption, and that’s a legitimate question. The answer is this: A DoS is often used as a distraction tactic to tie up security personnel while the attacker is searching the network for tantalizing data they can steal. Encrypted data is useless to them.

As soon as the government was notified, the Department of Homeland Security and the U.S. Computer Emergency Readiness Team took immediate action to remediate the situation. While the response was prompt, the event was a rude awakening for the government. It also brought federal agencies a step closer to taking smarter, more effective security measures.

But one more incident happened to press the need for improved data security. The Office of Personnel Management breach of 2015 was the most massive and far-reaching cyberattack in U.S. government history. The attackers stole the sensitive personal data of about 20 million current and former federal employees and contractors. After the extent of the damage caused by the breach became apparent, there was a call for reforming how the government (and other large organizations) manage their security.

According to the HPE Cybersecurity Risk Report of 2016, sensitive data is vulnerable to attack and most data protection techniques shield only stored data. But recent advances in encryption techniques can protect data no matter where it resides, how it is transported and even how it is used without impeding mission performance.

Securing Data Anywhere

The key to improving security isn’t in building more perimeter-type defenses such as firewalls, but in securing the data itself through a more comprehensive approach.

The National Institute of Standards and Technology (NIST) has published a new Advanced Encryption Standard mode called format-preserving encryption (FPE), which is critical in protecting sensitive data. FPE works by encrypting all or portions of many types of data, such as Social Security and credit card numbers, while preserving their format (e.g., 16 digits or 3-2-4) to make them useless to hackers, but still usable by those with a need to know. FPE is able to secure data as it is captured, processed and stored across a variety of devices and systems used by the public and private sectors.

The NIST standard also makes it much easier to apply encryption across government agencies, because it works with existing data types and does not require expensive data architecture upgrades. HPE assisted in developing the core specifications of this innovative technology. The NIST standard helps mitigate risk, while keeping an organization’s existing IT infrastructure intact and much easier for federal officials to utilize.

Commercial organizations in the banking and retail markets have used FPE for years to protect and manage authorized access to selective customer data. With NIST approving this new standard, government organizations will now be able to protect agency data from becoming accessible to attackers or mistakenly disclosed to an employee or contractor.

This technique is part of a broader government effort to improve security, such as federal CIO Tony Scott’s 30-day Cybersecurity Sprint. Scott’s Cybersecurity Strategy and Implementation Plan (CSIP) is helping push comprehensive cyber strategies forward. It states: “The Cybersecurity Sprint team’s review made clear that we must continue to double down on this Administration’s broad strategy to enhance federal cybersecurity and fundamentally overhaul information security practices, policies and governance.”

Although there is not one single solution to solving cyber threats, encryption provisions and strict policies are reinforcing better security in today’s world. In the end, the NIST approach and the encryption mandate in The Cybersecurity Act of 2015 are critical, necessary initiatives. Encryption technology has come a long way, and tools like FPE expand the arsenal of defenses that federal agencies can use against cyberattack.