A new commission aimed at improving cybersecurity throughout the government has recommended a series of wholesale changes, including conducting more routine cyberhygiene, adding stronger authentication procedures and bolstering the size of the nation’s cybersecurity talent pool.
President Barack Obama created the Commission on Enhancing National Cybersecurity in February 2016 to better position the country against cybersecurity attacks over the next decade. Following a discussion of potential solutions with experts, the commission wrote a set of nonbinding recommendations and published their findings in December.
Based on those suggestions, here is where federal agencies are most likely to make improvements in the coming years.
Improve Cybersecurity Fundamentals
Commission panelists routinely cite a practice known as cyberhygiene as key to improving cybersecurity. The approach calls for agencies to oversee and maintain the critical security controls that prevent data breaches. It also includes managing security-related software patches and security configuration settings.
This is important because a September 2016 report from the Government Accountability Office titled “Federal Information Security: Actions Needed to Address Challenges” pointed to instances where agencies had failed to install important security patches, sometimes for years, and where agencies didn’t understand the security implications of software configuration settings. Those lapses created vulnerabilities just waiting to be exploited, the report states, unnecessarily putting systems and their data at greater risk.
To address the concern, the commission recommends adopting an enterprise risk management approach to cybersecurity. This would include basic steps, such as ensuring patches are installed and double-checking that configuration settings are secure, as well as identifying security technology to aid the government and reduce risk.
Embrace Identity Management
The commission’s report emphasizes the importance of strong authentication procedures because compromised credentials, usually passwords, have been the root cause of many data breaches. The commission hopes to eliminate compromised authentication as the cause of major breaches by 2021.
This may sound simple, but it won’t be. Strong authentication solutions must be “secure, privacy-enhancing, efficient, usable, and interoperable,” according to the report. Creating many separate authentication procedures that can’t work together will only create more headaches and force users to manage even more credentials.
Instead, the commission recommends that federal agencies adopt stronger authentication techniques each time citizens use specific online services. Agencies should use similarly strong authentication for employees and contractors accessing government systems, which could include a Personal Identity Verification credential.
Expand and Enhance the Cybersecurity Workforce
Like the rest of the IT community, government is not immune to the shortage of qualified cybersecurity professionals. The commission suggests that federal agencies:
- Institute workforce and apprenticeship programs to train 150,000 new cybersecurity professionals over the next four years
- Train agency managers to better understand cybersecurity risk management; because cybersecurity is critical to meeting agency missions, managers must understand the subject to make better-informed decisions for their agencies
- Create an exchange program between the public sector and the private sector for mid-level and senior employees, so both groups become more knowledgeable about cybersecurity principles and practices
In addition, the commission recommends that the federal government advance state-of-the-art technology for automating security operations, helping to reduce the need for cybersecurity professionals in the long term.