Data breaches pose one of the greatest threats to the federal government. As President Donald Trump acknowledged in his Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, the government needs to do much more to protect the nation’s data.
To do so, the president will need to work with Congress to transform the way the federal government thinks about directing cybersecurity investments. The ever-changing cybersecurity landscape requires federal agencies to evolve beyond merely protecting the network perimeter and hosts to implementing protections on the most essential level: the data.
How the Federal Government Can Better Protect Data
When data breaches are successful, the cost to our nation can be staggering. What makes these data breaches so dispiriting is that many could have been avoided or greatly mitigated if federal agencies had invested resources in modernizing their legacy IT systems and protecting information at the data or document level.
While years of investment have worked to fortify network and host security, the data has continued to leak. Attacks continue to breach the perimeter and insiders have accidentally — and sometimes intentionally — distributed sensitive information to unauthorized recipients.
To guard data, agencies should look at the entire information lifecycle for new protection, detection and response capabilities.
Agencies Need Data-Aware Protection Mechanisms
Whether it’s fine-grained access controls to portions of data utilizing attribute-based access control (ABAC) or the encryption of digital files using digital rights management (DRM), protection mechanisms that are data-aware provide much stronger mitigations.
Combining audit information from the ABAC system with the DRM-protected document interactions can bolster continuous monitoring, providing new insights into where, how, when and by whom sensitive data is being accessed. Since data protected by DRM can be dynamically controlled, incident response programs benefit from the ability to completely revoke access to sensitive information, even after it has left the organization.
While keeping data confidential seems to garner most of our attention these days, authenticity, integrity and digital signatures also play key roles in securing the information lifecycle. When documents are distributed electronically, it is important that recipients can confirm the identity of the person or organization that signed the document (document authenticity) and that the document has not been altered in transit (document integrity).
Feds’ Role in Accelerating Data Protection
One of the key actions that Congress can take to accelerate federal data protection is to fully fund the Department of Homeland Security’s (DHS) Continuous Diagnostics and Mitigation (CDM) program and the newly created Phase 4 “Protecting Data on the Network” requirements. The CDM program is focused on securing the entire civilian .gov network by providing hardware, software and services in multiple requirement phases across 70 civilian agencies, including 23 of the CFO Act departments.
The House Appropriations Committee recently approved a spending bill that would appropriate $703 million for core cybersecurity programs at DHS, including nearly the full budget of $276 million requested to accelerate the deployment of the CDM program.
The bill also directs CDM to fast-track and expand its Phase 4 capabilities for agencies by moving them beyond just network and host protections to include multiple data protection capabilities such as DRM. Without action, the nation’s sensitive information will remain unsecured and the risk of continued breaches will persist. I encourage members of the House and Senate to approve this funding to ensure that our nation’s sensitive data is protected from external and insider threats.
We have reached a critical point in federal data security; we can either take the necessary steps to protect the nation’s data or cross our fingers and hope there will not be another major breach. The CDM program provides a path forward. However, this momentum will be lost if we fail to make cybersecurity a priority. We must fully fund and deploy these critical cybersecurity programs and capabilities to better protect government networks, systems and, most importantly, the data of American citizens.