Agencies try to predict the future of cybersecurity

With the advent of cloud and mobile technology forcing a paradigm shift in IT, leaders in cybersecurity are finding themselves in the position of fortune-tellers, hovering over crystal balls trying to guess what the next big thing is going to be and how to prepare for it.

“The future is what everyone’s trying to guess, across the government and across industry,” Lee Kelly, information security specialist and special assistant to the senior information security officer at the Environmental Protection Agency, told the Federal Drive with Tom Temin. “We’re focusing on the data. Where is the data going, how is it being transmitted, how is it being stored? And if you can follow the data … and secure it from endpoint to endpoint, and that’s the future we’re looking for at EPA.”

Kelly said his two biggest concerns at EPA are bandwidth and storage. He said that certain programs in the EPA are generating gigabytes — close to terabytes for some — of data each day. With the numbers on data usage at both industry and agency trending steadily upward, Kelly’s concern is that the data has somewhere to go and a way to get there securely.

“We’re looking at trying to locate and positively identify where the data is at, as it flows back and forth, and then where should it be,” he said.

The EPA is anticipating moving to a bring-your-own-device model soon, so Kelly said ensuring the security of the devices and the agency’s networks is another of his major concerns.

“All these devices will need to be authorized before they can jump onto the networks,” he said. “That will be a chore in and of itself.”

The EPA has a suite of cybersecurity policies in place already that Kelly said are flexible and able to adapt as new requirements present themselves. The same goes for EPA’s review cycle.

One place the EPA does need to invest, in Kelly’s opinion, is in human capital. First, it needs to hire more people with education or cybersecurity certificates up front. Second, it needs to invest in a good training program to keep these workers up to date with new techniques.

Kelly said that he thinks digital certificates, encryption and authentication protocols are going to play a significant role in what’s to come.

“They’re still evolving, in a lot of cases, especially with the Internet of Things, because you’ve got many, many multiple devices trying to connect, and then what protocols are you using, what communications are you trying to utilize and everything else,” he said. “So we’re keeping our eyes on that, with what’s already legacy playing an important role.”

Sue Gordon, deputy director of the National Geospatial Intelligence Agency, has different concerns and views of the future, as NGA has to deal with both classified intelligence and unclassified data as they make the move to the cloud.

“Like any mature organization, we need to move off of the technology stack that dominated 10 to 15 years ago, to what I consider a modern stack, which is where the data’s free and you’ve got cloud services where you can put applications on top of it,” Gordon said. “It’s a much more efficient and effective way in order to both serve data and build applications. And we are aggressively making that move. … NGA is committed to being on the cloud in two years, off of our infrastructure and onto shared infrastructure, as much as we can be.”

She said the intelligence community as a whole is making the move to cloud architecture, whether open or behind a firewall. This presents a challenge in securing not just networks, but the data itself. However, it also provides opportunity for innovation.

“I think the imperative for us is to advance information security because we don’t have the advantage of what I’ll call a moat, where I’m not going to participate in the open,” she said. “I must participate in the open, and I must protect our data, so I believe that information security advance will come as part of this movement that we are making. … This move to open infrastructure is also going to be the catalyst for advancing information security.”