Shows & Panels
- The 2014 Big Picture on Cyber Security
- AFCEA Answers
- Ask the CIO
- Connected Government
- Consolidating Mission-critical Systems
- Constituent Servicing
- Continuous Monitoring: Tools and Techniques for Trustworthy Government IT
- The Data Privacy Imperative: Safeguarding Sensitive Data
- Eliminating the Pitfalls: Steps to Virtualization in Government
- Federal Executive Forum
- Federal Tech Talk
- Government Cloud Brokerage: Who, What, When, Where, Why?
- Government Mobility
- Mission-critical Apps in the Cloud
- Mobile Device Management
- The Modern Federal Threat Landscape
- The Path from Legacy Systems
- Understanding the Intersection of Customer Service and Security in the Cloud
Shows & Panels
Search Tags: KCG\'s Trusted Advisor Center
To Improve Cybersecurity the Federal Government Must Enhance Its Partnership with the Private Sector
Cybersecurity is a shared responsibility. During National Cybersecurity Awareness Month, the Administration has educated the general public about the evolving risk of cyber threats through its "Stop. Think. Connect." campaign and reminded the American people, government agencies, and industry that everyone has a role to play in guarding against cyber attacks. At the same time, Administration officials have leveraged the momentum of National Cybersecurity Awareness Month to announce changes in government organizational relationships designed to enhance the security of federal information assets and networks in cyberspace, such as the Memorandum of Agreement between the U.S. Department of Defense (DoD) and the U.S. Department of Homeland Security (DHS) formalizing agency roles and responsibilities for coordinating cybersecurity. One area that has received less public attention is the need for government to enhance its partnership with the private sector.
Building this partnership and clarifying these roles and responsibilities is critical. The private sector's resources are inextricably linked to our government's efforts to successfully secure federal information in cyberspace for several key reasons, most notably:
- Much of the nation's cyber infrastructure is owned and operated by the private sector. Because the public, government, educational institutions, and industry rely on cyberspace, an attack against a major player in the Information Technology (IT) infrastructure sector may not be just an attack against a company. Instead, it may result in an attack against the Internet itself and may impact citizens, governments, and companies across the globe. The federal cybersecurity community must clarify the degree to which government and industry should partner to prevent, detect, and defend against these challenges
- Each key sector of the nation's Critical Infrastructure and Key Resources (CIKR) leverages cyberspace to perform mission-critical tasks.Cyberspace minimizes and, in some instances, eliminates jurisdictional, organizational, and technical boundaries of CIKR sectors (e.g., emergency services, defense industrial base, communications, government facilities, etc.). While the increased capability to share information across sectors enables private sector and government CIKR stakeholders to perform more efficiently and effectively, it also creates additional vulnerabilities in cyberspace. In order to truly be prepared to meet the challenges posed by cyber attacks that could threaten the security of multiple CIKR sectors, the federal government must enhance its partnership with private sector CIKR stakeholders
- There is a shortage of cybersecurity talent in government. While the Cyberspace Policy Review included the need to expand and train its workforce as a key priority, and efforts are underway toward that end, the reality is…the government can't do it alone. Cyber attacks are a constantly evolving, significant threat to our national security and the federal government. In the short-term, the federal government has an immediate need for a qualified, seasoned cybersecurity workforce (e.g., Information System Security Officers (ISSO), cyber strategists, security operations specialists, and program managers, etc.) and must fill these gaps by augmenting its existing workforce with the resources available in the private sector. Long-term, the federal government must assess its broader cyber workforce strategy and the role that the private sector plays in meeting mission-critical cyber requirements
Prepare for the worst…and hope for the best. This unofficial mantra of the emergency preparedness and response community also applies to cyber preparedness. This week seven federal agencies, 11 states, 12 international partners, and 60 private sector companies are doing just that: preparing for the worst in cyberspace. These organizations are all participants in Cyber Storm III, a global cybersecurity preparedness exercise led by the U.S. Department of Homeland Security. By the end of the week, these organizations will have responded to a fictionalized cyber threat scenario designed to test their individual and collective capabilities to respond to cyber attacks and the National Cyber Incident Response Plan (Interim Version, September 2010). Federal cyber preparedness has never been more important. The threat to federal information assets and networks is diverse, persistent, and growing. In recent testimony before the U.S. House of Representatives, General Keith Alexander, Commander of the U.S. Cyber Command, stated that U.S. Department of Defense networks are "probed roughly 250,000 times an hour" and characterized the "…shift toward operationalizing cyber tools as weapons to damage or destroy" as a "great concern to us at Cyber Command." The National Cyber Incident Response Plan states:
- Preparedness activities, including establishing common situational awareness in a common operational picture, are shared responsibilities across Federal, State, Local, Tribal, and Territorial governments and the private sector.
- Governance: bringing together the mission, policies, architectures, and organizational alignment to establish the who and what for risk management strategies.
- Risk management: establishing risk tolerance thresholds and implementing the technologies and processes that will assess, prioritize, and monitor risk on a continual basis.
- Compliance: ensuring the organization maintains a cyber security posture compliant with federal laws, regulations, guidelines, and standards with the ability to demonstrate sound risk management strategies when scrutinized by internal and external auditors and Inspectors General.
- Operations: designing, implementing, and monitoring security controls at the operational and tactical levels to include the ability to adequately respond to, withstand, and remediate cyber attacks.
By evaluating federal cybersecurity programs through this framework, agencies can better understand their capabilities and live up to their shared responsibility for cyber preparedness.
People exercise risk management, consciously and unconsciously, every day.
Many of us drive on a daily basis. Some speed, and risk the chance of getting caught, while others are more conservative and drive the exact speed limit. We base our decision on whether or not to exceed the speed limit on the information available to us at the time, including our knowledge, past experiences, or the conditions we see in front of us. We weigh the risks against impacts and consequences, making decisions based upon our tolerance for the outcomes. The same is true for federal cyber risk management.
Securing federal information and assets in cyberspace is the primary driver behind cybersecurity. Even so, other factors help define risk, including the potential for negative publicity if a cyber breach occurs, the impact to budget/performance plans if FISMA grades fall short, or the potential for investigations or congressional hearings if the burning issue of the day burns a bit too bright for too long. Federal cyber risk management fundamentally boils down to making risk decisions based upon an agency's risk tolerance - and the drivers behind an agency's tolerance vary across the federal government.
Risk is defined as the likelihood of a future event that may have unintended or unexpected consequences. Federal agencies make the best cyber risk management decisions by using data and information to evaluate the agency's strengths and weaknesses for delivering on its cyber mission in the context of potential threats.
Agencies must use information and data from various disparate sources across the enterprise to make these decisions, including audit log information, vulnerability data, asset information, the agency's regulatory compliance status, external and internal threat activity, human capital risks to the cybersecurity mission, and many more. As challenging as it may be for agencies to consume large volumes of disparate data, it is a challenge that is essential to overcome for agencies to make the best cyber risk management decisions.
Is this achievable? Absolutely. The business intelligence movement established the foundation allowing agencies to minimize risk exacerbated by ad-hoc decision-making. Leveraging business intelligence capabilities for cybersecurity enables agencies to aggregate data across technical and organizational stovepipes and to provide agency cybersecurity leaders with mechanisms for making informed, risk decisions. By better understanding the cyber landscape, federal cybersecurity leaders can - much like our speeding driver example - understand "how fast" to drive and make better investment decisions when addressing enterprise cybersecurity risks.