Federal Agencies Must Adopt a Threat-Based Approach to Risk Management, Information Security Experts Say

With advancements in new technologies, the amount of data federal agencies are able to collect is larger than ever before. These mass amounts of data, though indispensable to government operations, are also a target for adversaries who aim to compromise U.S. systems and exploit the nation’s data to gain an information advantage.

According to experts in the field, a shift in the way federal organizations think about risk management is critical to ensuring that the U.S. is equipped to deal with the increasing number of cyber threats targeting its information systems.

During a panel discussion at GovCon Wire’s Information Security and Innovation Forum, Beau Houser, chief information security officer of the Census Bureau, said that moving away from a primarily compliance-based approach to risk management and adopting a threat-centered viewpoint is the key to building a comprehensive line of defense for federal data.

“The compliance approach does not include much consideration of the actual threats, which means the threat actors, what they are doing out in the world and why they are doing it. You do not really deal with that when you are looking at control and working through the implementation of that control,” he said.

James Scobey, chief information security officer for the Securities and Exchange Commission, said that unlike the traditional focus on compliance, the threat-based approach requires continuous monitoring of information systems to ensure that they are not compromised in today’s environment of constant cyber threats.

In the past, said Scobey, there was a level of assurance that a control would remain compliant with an agency’s standards for a long period of time. Now, the rate of change has increased, and this method is no longer effective for protecting sensitive information.

Scobey noted the “checkbox mentality” of the compliance approach, which is built around the idea that data lives in one controlled system. With today’s large-scale data processing, it no longer works that way.

Paul Blahusch, director of cybersecurity and chief information security officer for the Department of Labor, emphasized that U.S. adversaries are not concerned with the completion of a checklist, but with finding and exploiting vulnerabilities.

“We should be focusing on the weaknesses our adversaries are going to be exploiting. Having a piece of paper has never prevented an adversary from compromising a system,” said Blahusch.

To ensure the necessary level of security, the data itself must also be protected, Scobey said.

“Securing systems is still important, but the fluidity of data and its ability to exist in multiple places and be accessed in multiple modalities under multiple systems means that controls must be applied to the data itself,” he explained.

Houser added that the encryption of data is an important pillar of threat-based risk management. If encrypted data is stolen, he said, the encryption is strong enough to prevent a breach for decades.

Another aspect of the threat-focused line of thought is visibility, which Scobey said is not complete on the compliance side of security.

“As security professionals, there is a realization that prevention always fails at some point. A well-funded and motivated attacker is going to find ways to get through your defenses,” he said.

A solution to this problem, said Scobey, is to push visibility into “every crack, crevice and inch of the system” so operators can identify and mitigate the threat.

“We have to have visibility. If you cannot see it, you cannot protect it,” Houser stressed.

The traditional compliance-based approach to risk management, Blahusch said, is still a fundamental element of information security. But in the modern information security realm, he added, compliance must be intertwined with threat-based risk management to fully address today’s security challenges.

“We are in a place where that is not enough anymore – where we also have to think about where data lives, how it transits between systems and what the controls are,” said Blahusch.