Challenges in the Cybersecurity Space
As the year is almost over, it is crucial to reflect on the challenges and advancements in cybersecurity, especially within government, military, and federal agencies in the ever-evolving digital landscape. In an era where information is a prized asset and cyber threats continue to evolve, these sectors face unique challenges that demand innovative solutions, and significant strides were made during the year 2023 to fortify the defenses of these critical institutions against cyber adversaries.
Government entities are dealing with increasingly sophisticated cyber threats, ranging from state-sponsored attacks to financially motivated cybercriminal activities, and the complexity and persistence of these threats require continuous improvements in cybersecurity measures. The interconnected nature of government systems introduces vulnerabilities through third-party vendors and supply chains, that adversaries often exploit weak links in the supply chain to compromise critical infrastructure and sensitive data. Moreover, many government agencies still rely on legacy systems, which may lack the necessary security features to withstand modern cyber threats, so updating these systems while ensuring continuity of operations poses a significant challenge.
The potential for insider threats also remains a concern, as malicious actors within organizations may exploit their access to sensitive information or inadvertently compromise security through negligence. The geopolitical landscape can impact cybersecurity in government and military sectors, as tensions between nations may lead to an increase in cyber-espionage and cyber-attacks, making it imperative to enhance defenses against nation-state threats.
A New National Cybersecurity Strategy
The Biden administration unveiled a comprehensive National Cybersecurity Strategy on March 2, 2023, building on the 2018 plan. The strategy prioritizes collaboration between government and the software industry to implement initiatives from the 2008 Cybersecurity Initiative. It emphasizes five core principles, focusing on critical infrastructure, countering malicious actors, shaping market dynamics, strategic investments, and international collaboration. The strategy introduces a reevaluation of responsibilities in cybersecurity and incentivizes long-term private sector investments. Acknowledging the burden on end users, it establishes a legal framework for holding providers accountable, emphasizing public sector investments for U.S. global leadership in technology and innovation.
That strategy prioritizes defending critical infrastructure by implementing minimum standards, harmonizing regulations, fostering public-private collaboration, and modernizing federal networks. It focuses on disrupting and dismantling threats actors like from China, Russia, Iran, and North Korea, promoting private sector engagement, federal ransomware approaches, and international partnerships. It also aims to reshape market forces for security, emphasizing privacy, secure coding, and integrated cybersecurity in infrastructure, and address the skills shortage by cultivating a resilient cyber workforce through education, private sector partnerships, and R&D. By emphasizing cyber diplomacy, the strategy advocates international law adherence, capacity-building, and securing global supply chains.
Extend Zero Trust Architecture (ZTA) to Mobility
Deploying mobile devices in military and federal agencies demands addressing challenges related to handling sensitive information. Compliance, encryption, access control, and secure data transmission are paramount, and preventing data leakage in case of device loss is a critical concern, and reliable network connectivity, especially in remote locations, requires specific solutions to be deployed. Maintaining visibility over assets, even in limited connectivity situations like on the battlefield, is also essential. Extending Zero Trust Architecture (ZTA) practices to the area of mobility enhances security in classified mobility with a "never trust, always verify" approach, including strict identity verification, access controls, continuous monitoring, encryption, and Mobile Device Management (MDM) solutions.
New Rules Adoption by the US Securities and Exchange Commission (SEC)
In July 2023, the US Securities and Exchange Commission (SEC) initially proposed a new set of rules requiring more detailed reporting from publicly traded companies on their cybersecurity practices and when and what must be reported in the event of a breach. The new rules require that companies who have determined to have been subject to a material breach must report the breach to the SEC within 4 business days along with details of the nature, scope, timing, and impact. The rules will also require organizations to report on their internal cybersecurity practices including policies, risk management, incident response and management oversight.
However, as with any new rule, law, or legislation, this is a double-edge knife, as proven recently with an attack perpetrated by a group of hackers against a US-based financial software company, where that was surprisingly threaten to report the security breach they recently suffered to the authorities, by the very same hackers that perpetrated it (?!), in an attempt to put some extra pressure on them so they comply with their demands.
Government Guidance on Artificial Intelligence (AI)
Released at the end of 2022, ChatGPT wasted no time going viral in early 2023 and immediately caught the public’s attention with its ability to seemingly provide answers to any bit of information requested and offload tasks of its users. Google and Microsoft shortly followed suit, with the latter releasing Bing Chat in February 2023 and the former opening early access to Bard in March 2023. While AI had been a part of the enterprise security conversation, it reached a new pitch as a de facto arms race between technology vendors. Biden’s EO, published in Oct. 2023 was intended to ensure that America can leverage the benefits of AI while preventing bad actors from using the technology to their advantage. AI will have an incredible impact on both enterprise data security and user workflows, however the same advantages enjoyed by enterprise will be available to attackers. Organizations must ensure that their cybersecurity practices are future proofed to attacks.
Zero Trust (ZT) Maturity Model version 2.0
In May 2021, the Biden Administration released US Executive Order 14028 on “Improving the Nation’s Cybersecurity” directing agencies to move towards and implement and Zero Trust Network Architecture. To assist agencies in meeting this requirement, Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) released their Zero Trust (ZT) Maturity model version 2.0 to provide a path to meet principles of Zero Trust outlined in the EO. The maturity model describes a 5-pillar approach including Identity, Devices, Networks, Applications and Workloads and Data with Visibility & Analytics, Automation & Orchestration and Governance viewed as the underlying required capabilities under each pillar. The Department of Defense (DoD) released their Zero Trust model in 2022 and confirmed this year that they are on track to meet their implementation goal by FY2027. Just recently, CISA announced that a Federal Civilian Executing Branch agency had been exploited through an unsupported, end of life software tool so there is significant progress still to be made towards ZTA in the public sector. In this example, a tool such as ISEC7 Sphere, our management and monitoring solution, would have been able to alert to the presence of the outdated and vulnerable piece of software on their network, which is a clear deviation from ZTA principles. Moving forward, agencies should continue to implement zero trust principles into their cybersecurity practices.
The Federal government looks to update Federal Acquisition Regulation with standardized cybersecurity requirements.
Contractual requirements for cybersecurity practices with unclassified Federal Information Systems to this point have been up to the agencies’ discretion leading to a lack of clarity, consistency, and competition between contracts. Executive Order 14028 sought to remediate this by directing the Department of Homeland Security (DHS) to review each agency cyber contractual requirements and propose new standardized contractual language. The new Federal Acquisition Regulation (FAR) rule and language was developed with the Department of Defense (DoD), General Services Administration (GSA) and National Aeronautics and Space Administration (NASA) and is available for comment until Dec. 4, 2023, after which the final rule will be released for incorporation for federal contracts.
DHS Publishes New Rule Enhancing Protection of Controlled Unclassified Information
Emphasizing the importance of safeguarding sensitive but unclassified information, the Department of Homeland Security amended the Homeland Security Acquisition regulation to include new clauses regarding how Controlled Unclassified Information (CUI) is protected and breaches are reported by federal contractors. The new rules establish guidelines to ensure proper handling, protection, and disclosure of CUI breaches to DHS for data provided to contractors or for federal information systems operated at the contractors’ site. For federal agencies and contractors, having a clear understanding of what data is considered CUI and the specific protections to apply to it will be critical moving forward. Tools such as ISEC7 Classify, our Document and Data Management System (DDMS) solution, that can clearly mark the presence of CUI and its handling instructions will play a large role in compliance for both federal agencies and contractors with this rule.
The challenges faced by government, military, and federal agencies in terms of cybersecurity have spurred significant advancements, and the proactive measures taken in 2023, including advanced threat detection, supply chain security initiatives, system modernization, zero-trust frameworks, and international collaboration, have collectively strengthened the resilience of these critical sectors. Moving forward, continued vigilance, investment, and collaboration will be essential to staying ahead of the evolving cyber threat landscape and ensuring the security of vital government functions.