As we continue to learn more about the future impact of the Cybersecurity Executive Order, today’s agencies must start adopting a proactive approach to cybersecurity. More specifically, government organizations should think about cyber warfare the way the Department of Defense thinks about traditional warfare. Given the number of threats facing our systems today, agencies must start prioritizing “intelligence at the edge” — whenever possible, fight the battle as far away from your front door as you can.
By using big data and machine learning to combat bad actors as far from your own internal system as possible, agencies can dramatically improve their cyber resilience.
If agencies don’t already have security protocols implemented “at the edge,” there are a few steps they can take to mitigate risk and fight off cyber attacks before they get too close.
Advocate for funding
The executive order to fortify federal government cybersecurity measures and guard critical infrastructure from attacks required heads of federal agencies to use the National Institute of Standards and Technology (NIST) framework for improving critical infrastructure cybersecurity to evaluate and manage outstanding cyber risks. While the executive order emphasizes the federal government’s seriousness toward combating cyber security issues, funding is a necessary factor in taking these steps to increase capabilities.
As agencies start implementing the NIST framework, and in doing so identifying the gaps in their own security protocols, IT leadership must be vocal about the critical necessity of edge protection. The administration’s recently release annual budget proposal does make it clear that cybersecurity is critical for agencies, which should come as good news fighting the cyber war. Under the proposed budget, total cybersecurity funding would increase to $14.98 billion in fiscal 2019, representing an increase of more than $500 million. With the steady increase in malicious bot activity — and with new rules like DHS’s “Binding Operational Directive” that requires certain web and email security requirements — agency leadership needs to advocate for this additional funding. The presidential budget rarely gets approved as is, so those with this technical experience must ensure that their leadership understands the gravity of the situation.
Agencies must also make ongoing education a priority among leadership and employees on current software capabilities, platforms and solutions, as well as internal best practices. Rather than an annual security training, organizations should regularly update employees with the most recent security vulnerabilities and train them on how to manage different situations. Just as you would invest in other assets of business, institutional cyber knowledge must be cultivated as well.
By starting with a formal plan created by IT teams that is regularly updated, you set a standard for employees to better understand cyber risk and best practices.
Like the private sector does, conduct occasional live training exercises, such as phishing tests where a fake phishing email is sent to employees companywide, with responses monitored. Measure how many people click on the email, breaking down data and tailor training to areas of concern.
These tests shouldn’t result in “catching” anyone who isn’t following protocol; instead, they should serve as education exercises that will guide your cyber security plan. As cyber threats continue to become more sophisticated, this ongoing education will ensure your workforce is always interacting with technology safely. And the tests are paying off in improving employee’s cybersecurity savvy. DHS revealed in a 2016 report that fewer employees are falling victim to phishing scams. As noted by Former federal Chief Information Security Officer Greg Touhill, “Continuous professional education is a must for cyber professionals as it is in other professional fields. My friends in the medical and accounting professions are proud of the fact that they are required to maintain continuous professional education in order to maintain their board-certified credentials. We cyber professionals ought to embrace the same commitment to continuous professional education.”
Bots are a part of life for any organization doing business online, with many agencies estimating that 40 percent of their online traffic is generated by bots. This profusion of bot activity is even more relevant for government agencies as more services move online and constituents expect equally exceptional service from public sector websites as they do from private. With more than 2.54 billion visits from September 2017 through November 2017, federal websites must be prepared to effectively and securely serve a growing number of visitors—one of the best ways to do so is to handle bot traffic, as much as possible, at the edge.
Bots become problematic when they are employed by malicious actors, and it’s clear that blocking these bots doesn’t work. In fact, blocking triggers the bot to mutate, and therein lies the challenge. Bots are here to stay, so they should be approached more as a permanent challenge rather than an occasional problem to be solved. The bottom line: refrain from blocking bots as much as possible and instead employ solutions that are capable of analyzing and managing bots at the edge. Doing so will give your system more time and flexibility to ensure the correct, non-malicious users are reaching your site.
As federal agencies review the state of their computer security, organizations should consider cyber warfare a tactic that begins at the very edge of their systems. By advocating for edge protection funding, cultivating ongoing institutional cyber knowledge and increasing bot mitigation, agencies up their chances for beating the cyber warfare battle.
Tom Ruff is the vice president of public sector for Akamai.