In his latest piece, Chuck Brooks discussed the most recent cyber breaches that have impacted federal agencies and the dire need to prevent future breaches and potential consequences of not prioritizing cybersecurity in 2021. He also mentioned the potential impact of the Cybersecurity Maturity Model Certification (CMMC) program and other issues surrounding our nation’s supply chain management heading into the new year.
“Cybersecurity is not just a technology problem, but also a national security problem that encompasses people, processes, and shared knowledge and strategies,” said GovConExpert Chuck Brooks.
You can read Chuck Brooks’ latest GovCon Expert article below:
Better Cybersecurity on 2021 Urgent Wish List for U.S. Government
By Chuck Brooks
The most recent breaches of government agencies certainly pushed better cybersecurity up the wish list for 2021. The high-profile and connected breaches of both SolarWinds and FireEye by nation-state sponsored hackers have sent alarms across the government. Worse news on the breaches may be yet to come.
It will take weeks, if not months, to assess the damage inflicted by the hackers, especially which data was compromised by the malicious code inserted into the SolarWinds network management software platform, Orion. The breach impacted all branches of the U.S. Military and likely most federal government agencies.
According to official sources, the breach may have even reached the National Nuclear Security Administration (NNSA), where some of the nation’s most guarded secrets about the nuclear weapons stockpile are kept. Early analysis indicates that the attacks were sophisticated, skilled, meticulous, and hard to detect, in what was a software supply chain attack.
The fallout from the attacks is alarming. The Department of Homeland Security (DHS) has acknowledged that government and private sector systems are at “grave risk.” Other countries and the private sector were also victimized.
Theresa Payton, who served as White House Chief Information Officer under former President George W. Bush, noted the severity of the breach: “I woke up in the middle of the night last night just sick to my stomach,” she said. “On a scale of 1 to 10, I’m at a 9 — and it’s not because of what I know; it’s because of what we still don’t know.”
The hacks call attention to the reality of vulnerabilities for both the public and private sectors in an increasingly digital world and to the challenge of protecting data and privacy. Government has invested multiple billions of dollars protecting both the public and private sectors against cyber-attacks, and many have been prevented.
Unfortunately, there are a lot of assets and people to protect and any gaps can be quickly exploited and compromised in the immense network, as evidenced by the SolarWinds episode. Also, because of the growing interconnectivity of devices, automated machine-learning directed attacks, and collaboration among nation-state adversaries in offensive cybersecurity, there will be a continued need for large government investment (with more accountability) in cybersecurity.
Cybersecurity needs to be at the top of the priority list because the stakes are high, and the consequences of breaches are potentially deadly. Cybersecurity is not just a technology problem, but also a national security problem that encompasses people, processes, and shared knowledge and strategies.
Although nothing is totally invulnerable to being hacked, data can be better protected (encrypted at all sensitive levels) and segmented, endpoints hardened, identities validated, and networks continually monitored. Better systems and network security are critically important. A retaliatory option also needs to be further developed. Investment in offensive cybersecurity capabilities needs to be a key part of the programmatic equation.
As a part of the cybersecurity strategy, greater focus needs to be on the weakest links and that includes the supply chain, especially third-party vendors, and insider threats. As a result of the breaches, supply chain vulnerabilities are now in the limelight. And they should be. I stated in my recent GovCon article “Chuck Brooks: Government Focused on Securing the Cyber Supply Chain” that supply chain cyber-attacks can be perpetrated from nation state adversaries, espionage operators, criminals or hacktivists.
Their goals are to breach contractors, systems, companies and suppliers via the weakest links in the chain. This is often done through taking advantage of poor security practices of suppliers, embedding compromised (or counterfeit) hardware and software, or from insider threats within networks.
Supply chain issues are being formally adopted into security strategy by the federal government. On May 15, 2019, a White House Executive Order was issued to help secure the supply chain (both public and commercial) against technology that “poses an undue risk of sabotage to or subversion of the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of information and communications technology or services in the United States.”
The remedy for supply chain vulnerabilities is heightened government and industry collaboration, as highlighted in policy initiatives such as those of NIST and in the task forces on supply chain security established by the Executive Branch. More precisely, it requires enacting a risk management process that identifies vulnerable systems (especially legacy systems) and gains visibility into all the elements of the supply chain.
A General Accounting Office (GAO) report, released last week, highlighted the importance and difficulties of protecting supply chains: “Supply chains are being targeted by increasingly sophisticated threat actors, including foreign cyber threat nations such as Russia, China, Iran and North Korea. Attacks by such entities are often especially sophisticated and difficult to detect.”
A newer and important element of the Government’s approach to mitigating supply chain risk and improving systems security will be the implementation of the Cybersecurity Maturity Model Certification (CMMC) program. Conceived in 2018, the CMMC is designed to ensure that sensitive Department of Defense (DoD) data is safe within the vendor software supply chain.
The CMMC model is intended to build upon existing cybersecurity frameworks and requirements (e.g., NIST 800-171) and is organized into five incremental levels of cybersecurity processes that range from basic to advanced cybersecurity hygiene. This makes sense, as basic cybersecurity hygiene, including strong passwords, awareness of phishing attacks, encryption, and backup of files, is often not adhered to properly by vendors in the supply chain.
Insider threats have also been a problem, whether they are deliberate or negligent acts. They can also be a part of the vendor supply chain. Government agencies have mission-critical information at risk and need to stay ahead of the threats.
The most popular cybersecurity technologies to deter insider threats have been Data Loss Prevention (DLP), encryption, identity and access management solutions, log management, and SIEM platforms.
Agencies are also looking at behavioral identifiers bolstered by machine learning and artificial intelligence to detect and mitigate insider threats. It is an area that needs more attention in government as well as industry as data is continually being breached as a result of human activities.
Better supply chain protection, called to attention by the SolarWinds breach, and insider threat protection are just two elements (but very important ones) of cybersecurity that should be on the government priority wish list. The government cybersecurity wish list needs to be a long one in tools and capabilities and will require continual augmentation.
Congress, in its oversight role, is already proactive. For example, the Fiscal Year 2021 National Defense Authorization Act (NDAA) contains 76-plus cyber provisions related to improving our national cybersecurity posture.
There are dozens of additional tools, policies, and programs that can be enhanced and expanded as we confront more threats in 2021. As the after-action impact of the breach is analyzed for lessons learned, one clear finding will be that better cybersecurity is imperative and urgently needed.