Federal Cybersecurity Challenges in 2018
28 Mar
By Bob Heckman, Vice President and CISO, Cybersecurity Center of Excellence
Welcome to our new blog column from the Criterion Cybersecurity Center of Excellence (CoE). As the company’s CISO and head of the CoE, I wanted to share with you the cybersecurity challenges for the Federal government we are tracking for 2018.
Throughout 2017 it seemed like whenever you turned on the news or checked your feeds you heard about another hack, leak, or breach putting sensitive information at risk. I’m sure most of you have received a notice or an offer for free identity theft protection as a response to the recent Equifax, Verizon, or Kmart breaches (or the OPM breach in 2015). The U.S. Government has been focusing on keeping federal agency information systems secure for a long time. However, the process for safeguarding federal computer systems and the systems that support critical infrastructures—referred to as cyber critical infrastructure protection—is woefully insufficient and remains a long-standing concern. In fact, the lack of security of federal cyber assets has been on GAO’s High-Risk List since 1997! So, what’s the problem?
Over the last several years, GAO made about 2,500 recommendations to agencies aimed at improving the security of federal systems and information. These recommendations identified actions for agencies to take to strengthen technical security controls over their computer networks and systems. They also included recommendations for agencies to fully implement aspects of their information security programs, as mandated by the Federal Information Security Modernization Act (FISMA) of 2014 and its predecessor, the Federal Information Security Management Act of 2002, and to protect the privacy of personally identifiable information (PII) held on their systems. However, many agencies continue to be challenged in safeguarding their information systems and information, in part because many of these recommendations have not been implemented. As of October 2017, about 1,000 of GAO’s information security–related recommendations had not been implemented.
So, what can Federal departments and agencies expect to see in the year ahead? Unfortunately, more of the same.
This past year, cyber criminals caused major service disruptions around the world, using their increasing technical proficiency to break through cyber defenses. In 2018, experts expect the trend to become more pronounced as these attackers will use machine learning and artificial intelligence to launch even more potent attacks. Gear up for a busy year ahead. Incidents like the WannaCry attack, which impacted more than 200,000 computers worldwide in May, are just the warmup to a new year of more virulent malware and DDoS attacks. Meanwhile, cyber criminals are poised to step up their attacks on the millions of devices now connected to the Internet of Things both in offices and homes.
New forms of malware, more expensive ransoms as ransomware hits more organizations, Internet of Things (IoT) device problems at home, AI and machine learning gone astray (as a cyberweapon), cryptocurrency problems, cloud computing breaches, and plenty more of everything we already saw in 2017: you can imagine their impact on Federal departments and agencies. Other common challenges include increased scope and impact from DDoS attacks, a growing number of cybercriminals (and crimes), continued shortages of qualified security professionals (with new attempts to deal with the staffing problems), popular and easy-to-use home devices (such as Amazon Echo) getting hacked in new ways, and much more nation-state hacking.
No doubt, more sophisticated attacks, phishing attempts, and data breaches are coming. The following is a list of some of the most common security challenges and predictions for next year, courtesy of Symantec.
Challenges and threats for 2018 include a wide range of topics:
- Blockchain will find uses outside of cryptocurrencies but cyber criminals will focus on coins and exchanges
- Cyber criminals will use Artificial Intelligence (AI) & Machine Learning (ML) to conduct attacks
- Supply chain attacks will become mainstream
- File-less and file-light malware will explode
- Organizations will still struggle with Security-as-a-Service (SaaS) security
- Organizations will still struggle with Infrastructure-as-a-Service (IaaS) Security — more breaches due to error, compromise and design
- Financial trojans will still account for more losses than ransomware
- Expensive home devices will be held to ransom
- IoT devices will be hijacked and used in DDoS attacks
- IoT devices will provide persistent access to home networks
Several laws and policies establish a framework for how the federal government should protect its information systems. However, GAO reported that departments and agencies are not consistently implementing the framework, and additional actions are needed. For example, agencies are supposed to:
- Patch vulnerable systems and replace unsupported software
- Comprehensively test security on a regular basis
- Strengthen oversight of IT contractors
- Better identify cyber threats
- Improve their responses to cyber incidents and data breaches
- Better recruit and retain a qualified cybersecurity workforce and improve workforce planning activities at agencies
The Federal government continues to struggle to implement the most basic and fundamental building blocks of an effective cybersecurity program. Meeting the advanced challenges and threats in 2018 is going to be a substantial undertaking. It will take coordinated effort across the government, with strong strategic direction from the White House and effective oversight, to make sure that federal departments and agencies are taking all the necessary steps to protect our nation’s systems and information.
Criterion’s Cybersecurity Center of Excellence
Today, the evolving cyber threats faced by Federal departments and agencies cover a wide range of malicious activities from nation-state sponsors, criminal organizations, terrorist groups, hacktivists, insider threats, and others. These threats are highly advanced, group-based entities that seek to operate inside, and maintain a presence on, their targets’ systems. This threat, coupled with increasing regulatory requirements and oversight, the move to a risk management rather than a compliance approach, and growing resource constraints, presents huge challenges. To be effective in this operational environment, Federal departments and agencies must employ a cybersecurity program that focuses on operating in cyberspace instead of reacting to it. The need for innovative cybersecurity approaches, methodologies, and best practices that address interoperability, usability, and privacy is critical for the nation and the Federal government. Criterion’s Cybersecurity Center of Excellence (CoE) enables greater development and application of practical, innovative, and continuously improving cybersecurity approaches, methodologies, and technologies to meet these challenges.
Moving forward, various members of Criterion’s CoE will be sharing thoughts, commenting on trends, and sharing information they think is valuable through this blog column. We welcome your reaction and questions. Please respond to firstname.lastname@example.org.
About the Author
Mr. Bob Heckman is a Vice President and Chief Information Security Officer. Bob leads Criterion’s Cybersecurity Center of Excellence and is responsible for executing the firm’s cybersecurity strategy that includes improving and optimizing the performance and security of our networks and systems, providing a dedicated group of experts focused on cybersecurity best practices who deliver innovative solutions and achieve operational excellence for each of our customers, and ensuring our IT Infrastructure enables the delivery of services to our clients. In addition, Mr. Heckman provides strategic leadership of the company’s information security programs, and is aligned with Criterion’s technology capabilities, specifically in the area of cyber operations.
Mr. Heckman is a graduate of the Air Force Communication Electronics School and Marine Corps Communication Electronics School. He also attended the School of Electrical Engineering at Ohio University, and is a Certified Information Systems Security Professional (CISSP) and member of the International Information Systems Security Certification Consortium (ISC2). Bob is a Cyber Division Member of the National Defense Industrial Association (NDIA), and a previous Cyber Committee Board Member for the Armed Forces Communications and Electronics Association (AFCEA).
Reference: 2018 Cyber Security Predictions. https://www.symantec.com/blogs/feature-stories/2018-cyber-security-predictions