Feb 22 2017

Can Your Cyberstrategy Take a Licking and Keep On Ticking?

Feds should consider resilience and agility in their cybersecurity decision-making.

In recent years, amid hacks and breaches, a flurry of cybersecurity philosophies gained popularity and prominence as the strategy du jour for government agencies.

One school of thought advocated for organizations to build more doors, more walls, more hurdles, to essentially keep cyberenemies out of their networks. Another posited that agencies could partition off some of their most valuable goods, making them all but inaccessible. Others believed increased encryption would stop, or at least limit, the digital intrusion.

Each was viewed by some as a kind of panacea to the federal government’s perplexing cybersecurity problem. But then, as is always the case with cyber, everything changed.

No single system and no single protection philosophy is 100 percent successful. The hacks and breaches of federal agencies in recent years have proved that no system is impenetrable.


Matching Cybersecurity Technology to a Strategy

To survive and flourish in our new era of unrelenting threats, federal agencies should not focus on particular technologies. Instead, they should clearly define their cybersecurity strategy and then seek out technology that matches those attributes.

A year ago, President Barack Obama made resilience a pillar of his plan to protect Americans in the digital world. As part of the initiative, the Homeland Security, Commerce and Energy departments worked together to establish a National Center for Cybersecurity Resilience.

What does this characteristic look like? Resilience does not mean the ability to predict, or even fully comprehend, every attack an agency faces. Instead, resilience operates from the assumption that attacks are inevitable, and that the true measure of a system is how it responds in the face of those attacks. As former heavyweight champ Mike Tyson famously said, “Everyone has a plan until they get punched in the mouth.”

In a pugilist’s parlance: Can your protection plan take a punch?

Fewer IT professionals rated their organization's cyber resilience as high than did in 2015, according to the Ponemon Institute's 2016 State of Cyber Resilience study. The study attributes the slip to silos and turf wars within agencies, insufficient planning and inadequate awareness of risk, a stark reminder of just how much work remains in fortifying federal networks.

At the same time, federal leaders also must demand their agencies operate with a high level of agility.

“The only certain feature of this environment is uncertainty, which makes agility a necessity,” wrote Navy Adm. Michael Rogers, the head of the U.S. Cyber Command, in a 2015 memo. “We must train and exercise to operate with degraded systems, because digital connectivity should never be taken for granted.”

An agile approach calls for pivoting quickly from one security strategy to another when under attack. Perhaps more important, it means having the ability to execute everyday tasks despite a cyber event. Federal leaders accept that any delay in services, to citizens and employees alike, is too long. That's why so many agencies have turned to the cloud, which offers agility by design, even though securing what an agency runs there remains the agency's own responsibility.

Agility also must include the ability to purchase new capabilities as necessary. Last year, Alejandro Mayorkas, the deputy secretary at the Department of Homeland Security, said that if the United States wants to adequately compete against cyberthreats, it must accelerate its agility, specifically through acquisition processes.

Technical solutions may evolve, become obsolete or end up guarding against threats that no longer exist. Acquisition requirements change. But resilient and agile systems give the government the best chance to do its highest-priority work: serve employees, residents and taxpayers alike.

