GovCon Expert Chuck Brooks, a highly esteemed leader to the cybersecurity and government contracting (GovCon) sectors as well as an influential member of Executive Mosaic’s GovCon Expert program, has released his latest article with the program.
Previously, Brooks discussed the details in understanding cybersecurity in our sector, its massive capabilities, the best practices to get the most out of the technical concept and the awareness of cyber’s potential to find success.
For this article, GovCon Expert Brooks has summarized the most significant trends in cyber that are impacting the federal landscape and government this year. Some of the trends he mentions include cybersecurity innovation, training, the impact of emerging technologies, the cyber-threat landscape, the defense of our nation’s critical infrastructure, supply chains and other aspects.
You can read Chuck Brooks’ latest GovCon Expert article below:
Top Cybersecurity Trends Impacting GovCon
By Chuck Brooks
Cybersecurity is a national security imperative that encompasses people, processes, and shared knowledge and strategies. Below is a short list with summaries of trends impacting government in 2021. It is not a fully exhaustive list of all the challenges but calls out some the key categories and topics for further exploration.
Cybersecurity Innovation; Training & Investments
Cybersecurity has become a strategic priority and has been accompanied by a restructuring of government roles and assets. For example, at the Department of Defense (DOD), the US Cyber Command, The Army Future Command, and the military branches and services are all investing in acquisition of new technologies and training of cybersecurity components. In the civilian sector, the Department of Homeland Security (DHS) is leading the cybersecurity effort for protecting government domains and created CISA to focus on primarily cybersecurity threats to the critical infrastructure.
A major reason for this upgraded government focus on cybersecurity has been the rapid changes in the information technology landscape. In the past few years, the capabilities and connectivity of cyber devices and communications has grown exponentially. So have the cyber intrusions and threats from malware and hackers, requiring a restructuring of priorities and missions. The cyber threat includes various criminal enterprises and adversarial nation-states.
In 2022, most government agencies, and especially DOD and DHS will see increased funding and for operations and programs in 2022. Below is a chart of government Cybersecurity spending in 2020 and 2021. In 2021 the cyber defense budget amounts to over $18.779 billion. All federal government agencies have a responsibility to protect data. US government to spend over $18 billion on cybersecurity – Atlas VPN
For a more detailed discussion of on government technology and training investments, please see: GovCon Expert Chuck Brooks: New Government Technology Initiatives To Stir Innovation GovCon Expert Chuck Brooks: New Government Technology Initiatives To Stir Innovation – GovCon Wire
Development and Procurement of Emerging Technologies
Emerging technologies are intertwined with cybersecurity Innovation, training & investments. We are proceeding in an era of “Malthusian” advances in science and technology, enabled by faster computing and ever-expanding data analytics. These advancements will be profound and impact our security, economy, and our way of life. The government is promoting the assimilation of these emerging technologies for many areas, and especially for cybersecurity.
The White House National Strategy for Critical and Emerging Technologies is a strategy document is designed to serve as a framework and promote the national security innovation base and protect U.S. technology advantage. The strategy, developed by the National Security Council, promotes best practices and models to prototype and assimilate emerging science & technologies and welcomes guidance from industry, think tanks, and academia. (whitehouse.gov)
Recent investments by DARPA and other government innovation agencies/labs in these innovation areas reflect the challenge being posed by China in their investment hypersonic, AI, quantum, super-computing, and other strategic technologies. Artificial and Machine learning are key areas of DOD investment.
Defense Advanced Research Project Agency (DARPA) announced a multi-year investment of more than $2 billion in new and existing programs in artificial intelligence called the “AI Next campaign. AI and ML are technology enablers but also can be used by adversaries for more lethal attacks and as potential cyber weapons. AI and ML can be further developed as tools to identify, prevent, and respond to network attacks.
The government contracting (GovCon) community looking to capitalize on the emerging technologies impacting the sector in the following categories, artificial intelligence, machine learning, digital transformation, 5G, internet of things (IoT), quantum and high-performance computing, cloud and edge computing, augmented reality, big data, virtualization, smart cities, wearables, 3D printing and material science.
For government, automation, combined with artificial intelligence, is an emerging and future cybersecurity pathway. To better protect the federal cyberspace, the Department of Homeland Security has deployed an automated cyber-surveillance system that monitors federal internet traffic for malicious intrusions and provides near real-time identification and detection of malicious activity called EINSTEIN. This model is continually being upgraded and has the potential to be expanded and utilized both in the public and private sectors.
*For a detailed description of the impact of emerging technologies in government, please see my article: GovCon Expert Chuck Brooks: A Guide for Emerging Technologies Impacting Government in 2021 and Beyond GovCon Expert Chuck Brooks: A Guide for Emerging Technologies Impacting Government in 2021 and Beyond – GovCon Wire
The Expanding Cyber-Threat Landscape
The cyber-attack surface has significantly worsened over the past year because the growth of connectivity. Covid 19 and remote work have contributed exponentially to this expansion via home offices. The advent of emerging and fused technologies 5G, IoT and Supply Chain security pose significant challenges.
Threat actors, especially state-sponsored, and criminal enterprises are becoming more sophisticated by searching for vulnerabilities and infiltrating malware by adapting (and automating) enabling machine learning, deep learning, artificial intelligence, and other analytic tools. Solar Winds was more than a wakeup call for those realities.
The General Accounting Office (GAO) list below represents a partial set of typical threats:
Terrorists and other non-state actors seeking to destroy, incapacitate, or exploit critical infrastructures to threaten national security, cause mass casualties, weaken the economy, and damage public morale and confidence.
Criminal groups, attacking systems, using spam, phishing, and spyware/malware, identity theft, online fraud, and computer extortion for monetary gain.
Business intelligence operators, including criminal organizations, conducting voluntary and on-demand industrial espionage. Individuals and groups “grazing” the cyber world in search of victims, for a combination of thrill, monetary and “training” purposes.
Bot-network operators, using networks, or botnets, of compromised, remotely controlled systems to coordinate attacks and to distribute phishing schemes, spam, and malware attacks. Disgruntled insiders, poorly trained employees, incompetent contractors – all creating opportunities for outsiders to penetrate networks.
National intelligence and psychological operations organizations, using cyber tools for information gathering, regime destabilization and as another arm furthering strategic goals.
Spammers using the above methods to distribute unsolicited e-mail with hidden or false information to sell products, conduct phishing schemes, distribute spyware or malware, or attack organizations (e.g., a denial of service).
National and/or commercial organization specializing in deploying spyware or malware against organizations or individuals, for political and commercial purposes.
A cornerstone of cybersecurity is utilizing Public Private Partnerships (PPP) based upon shared research & development, prototyping, and risk management frameworks. A high level of public-private collaboration is required to address the challenges associated with growing and more sophisticated cyber-threats. The U.S. government is actively seeking private-sector tech help for reducing threat vectors, and for enterprise tools to expand the effectiveness of mitigation and analysis of threats.
In fact, the new White House cyber director, former National Security Agency Deputy Director Chris Inglis said one of his top priorities would be to establish a collaborative environment for the private sector and federal agencies to share cyber threats and intelligence. The Cybersecurity 202: Biden’s pick for White House cyber director wants to see better relationship building with the private sector – The Washington Post
PPPs are also being optimized for acquisition of cybersecurity technologies via new rapid acquisition vehicles. This includes Defense Innovation Contracts, Other Transaction Authority (OTA). This is based on the recognition that there are more and potentially better performing industry COTS products and applications that can be integrated faster into programs and requirements.
PPP have become essential for many government agencies, borrowing from the adage – it takes two to tango. These relationships create a vehicle for cooperation that can help reduce costs, build expertise, innovation and provide business continuity and resilience. Strengthening the public/private partnership through open collaboration, best practices, and shared research and development will help accelerate the innovation needed to meet cybersecurity challenges.
*Please see: Public and Private Sector Partnerships Addressing COVID-19 Are A Model for Cybersecurity Public and Private Sector Partnerships Addressing COVID-19 Are A Model for Cybersecurity – CyberTheory
Protecting U.S. critical infrastructure, Supply Chains and Internet of Things.
DHS’s Cybersecurity & Infrastructure Security Agency (CISA) describes critical infrastructure as “the physical and cyber systems and assets that are so vital to the United States that their incapacity or destruction would have a debilitating impact on our physical or economic security or public health or safety.”
CISA’s stated role is to coordinate “security and resilience efforts using trusted partnerships across the private and public sectors, and deliver training, technical assistance, and assessments to federal stakeholders as well as to infrastructure owners and operators nationwide.”
Over 80% of the critical infrastructure, including defense, oil and gas, electric power grids, healthcare, utilities, communications, transportation, education, banking & finance, are owned by the private sector and regulated by the public sector.
The protection of the energy sector is a cybersecurity imperative for the Department of Energy (DOE) and the Biden Administration’s recent announcement of the 100-day plan mitigate vulnerabilities and risks to The Grid highlighted its importance for critical infrastructure protection looking forward. The grid itself is a critical infrastructure comprising a network of more than 7,650 power plants, which are integrated via 450,000 miles of high-voltage transmission lines.
Estimates are that the grid includes 70,000 transformer power substations and thousands of power generating units. The grid is mostly dependent on legacy technologies: 70 percent of transmission lines are at least 25 years old and approaching the end of their lifecycle. Will Vulnerable U.S. Electric Grid Get a New Protection Mandate? – BRINK – News and Insights on Global Risk (brinknews.com)
In government, securing critical infrastructure and the supply chain has been an evolving priority. In recent months, the White House, the Department of Homeland Security (DHS), and the Department of Defense (DOD) all have enacted initiatives (and sought assistance) on supply chain security. Supply chains are often composed of a variety of parties linked to networks.
Cyber-attackers will always look for the weakest point of entry and mitigating third-party risk is critical for cybersecurity. Supply chain cyber-attacks can be perpetrated from nation-state adversaries, espionage operators, criminals, or hacktivists. Their goals are to breach contractors, systems, companies, and suppliers via the weakest links in the chain.
This is often done through taking advantage of poor security practices of suppliers, embedding compromised (or counterfeit) hardware and software, or from insider threats within networks.
The Internet of Things (IoT)
The Internet of Things (IoT) broadly refers to devices and equipment that are readable, recognizable, locatable, addressable, and/or controllable via the internet. By 2025, it is expected that there will be more than 30 billion IoT connections, almost 4 IoT devices per person on average and that also amounts to trillions of sensors connecting and interacting on these devices. According to the McKinsey Global Institute, 127 new devices connect to the internet every second.
Having visibility and being able to protect the connected devices of IoT is quite a challenge. The United States Government Accountability Office issued an assessment of the status and security issues surrounding the Internet of Things. The GAO identified the following type of attacks as primary threats to IoT: Denial of Service, Malware, Passive Wiretapping, Structured query language injection, Wardriving, and Zero-day exploits.
Protecting the Supply Chain. Ensuring that the supply chain is not breached including the design, manufacturing, production, distribution, installation, operation, and maintenance elements. Of special concern is Third Party risk. Conducting vulnerability assessments and filling operational gaps with cybersecurity tools are avenues being employed to ensure integrity. Tools include Data Loss Prevention (DLP), encryption, identity and access management solutions, log management and SIEM platforms.
A recent AFCEA International Cyber Committee of “Key Cyber Issues and Recommendations: Away Forward” highlights key gap areas of US Security Concern: These include insecure web interface, insufficient authentication and authorization, lack of transport encryption, insecure cloud Interface, insecure mobile interface, Insecure software, hardware, and firmware.
The Internet of Things is a growing focus of supply chain security. “By 2025, it is expected that there will be more than 30 billion IoT connections, almost 4 IoT devices per person on average and that also amounts to trillions of sensors connecting and interacting on these devices. According to The McKinsey Global Institute, 127 new devices connect to the internet every second.
The movement of government agencies and business data to the cloud and hybrid clouds is trending. Forecasters are estimating that 92% of data processing workloads will be in cloud data. How and where data is secured, has become a key concern among security administrators and that is why operating in clouds and hybrid clouds has become increasingly attractive.
The government and industry are building larger data repositories and sharing data centers to keep up with storage and analytic needs. Consider that there are 2.5 quintillion bytes of data created each day and that the world’s production of data doubles every two years.
The ability to securely store, prioritize, analyze and share (and scale) that data is fundamental to operations and commerce. Because of those functional requirements, storing data in the cloud or hybrid clouds is more than prudent. For successful migration to the cloud, employing data protection technologies such as encryption, authentication, and backing up sensitive data will remain a requirement for government programs.
The research firm Gartner foresees double-digit growth in government use of public cloud services, with spending forecast to grow on average 17.1% per year through 2021. Across all industries, companies spend an average of 20.4% of their IT budgets on cloud. Understanding Cloud Adoption in Government – Smarter With Gartner
*Please see: GovCon Expert Chuck Brooks: Three Steps for Protecting Data in the Public and Private Sectors GovCon Expert Chuck Brooks: Three Steps for Protecting Data in the Public and Private Sectors – GovCon Wire
New Regulatory Initiatives
A newer and important element of the Government’s approach to cybersecurity is the implementation of the Cybersecurity Maturity Model Certification program (CMMC). Conceived in 2018, the CMMC is designed to ensure that sensitive Department of Defense (DoD) data is safe within the vendor software supply chain.
The CMMC model is intended to build upon existing cybersecurity frameworks and requirements (i.e., NIST 800-171) and is organized into five incremental levels of cybersecurity processes that range from basic to advanced cybersecurity hygiene. This makes sense as lack of cybersecurity hygiene that includes strong passwords, awareness of phishing attacks, encryption, and backup of files is often not adhered to properly by vendors in the supply chain.
Other cybersecurity regulatory initiatives are also still in in the government’s focus including,
DFARS (the) Defense Federal Acquisition Regulation Supplement, FISMA stands (the) Federal Information Security Management Act, and NIST 800-53 which is a requirement for Government-owned networks.
*Please see: GovCon Expert Chuck Brooks: Better Cybersecurity on 2021 Urgent Wish List for U.S. Government GovCon Expert Chuck Brooks: Better Cybersecurity on 2021 Urgent Wish List for U.S. Government – GovCon Wire
Cybersecurity Worker Shortage
Qualified cybersecurity worker shortage continues to pose major challenges for both the public and private sectors. Both the public and private sectors are facing challenges from a dearth of cybersecurity talent. A report out from Cybersecurity Ventures estimates there will be 3.5 million unfilled cybersecurity jobs by 2021.
A White House document, “Strengthening the Federal Cybersecurity Workforce” highlights a framework necessary to best recruit, train, and maintain a skilled Federal cybersecurity workforce. Those elements included:
1) Expanding the Cybersecurity Workforce through Education and Training
2) Recruiting the Nation’s Best Cyber Talent for Federal Service
3) Retaining and Develop Highly Skilled Talent
4) Identifying Cybersecurity Workforce needs.
Those categories are being enabled via the National Institute for Standards and Technology (NIST) expanded the role and activities of the National Initiative for Cybersecurity Education (NICE). The mission of NICE is to energize and promote a robust network and an ecosystem of cybersecurity education, training, and workforce development.
Despite efforts so far, the government continues to have a major shortage of cybersecurity workers. More needs to be done to attract women to the cybersecurity mission and more programs are needed to reskill veterans to help fill gaps. It would also be prudent if a serious effort were made by industry, academia, Congress, and federal and state governments to cultivate the next generation of cybersecurity technicians and data analysts from many economically depressed areas, including investment and training Native Americans who have a long tradition of serving national security in government.
*Please see: Chuck Brooks: Innovation is Strengthening the Federal Cybersecurity Workforce Chuck Brooks: Innovation is Strengthening the Federal Cybersecurity Workforce – GovCon Wire
These trends are indicative that cybersecurity is no longer on the back burner of GovCon priorities. Cybersecurity is unanimously viewed by all agencies as a major challenge to the nation’s economic and security welfare. It will require continued investments in people, processes and new technologies, enhanced public/private sector cooperation, and most of all coordinated risk management strategies to meet the growing cyber-threats.