It has been a little over a year since the Office of Personnel Management announced that it had been breached. Since that time, the federal government has taken an array of steps to improve its cybersecurity posture and avoid another major breach. The Cipher Brief spoke to John Davis, Vice President and Federal Chief Security Officer for Palo Alto Networks, about what advances the federal government has made in this area. According to Davis, progress has been made, but whether or not that progress continues depends on Congress – and the next administration.
The Cipher Brief: How has federal cybersecurity policy changed since the OPM hack? What progress has been made in terms of improving security?
John Davis: In June 2015, in the wake of the OPM data breach, the Federal Chief Information Officer launched a “30 Day Cybersecurity Sprint” and directed Federal agencies to immediately take a number of steps to further protect Federal information assets and improve the resilience of Federal networks. Specifically, the Sprint tasked Agencies to patch critical vulnerabilities, tighten policies and practices for privileged users, accelerate implementation of multi-factor authentication, and immediately deploy DHS-provided indicators of malicious cyber activity.
The Sprint also tasked an interagency team with operationalizing a set of action plans and strategies to further address critical cybersecurity priorities and recommend an overall Federal strategy. On October 31, 2015, the Office of Management and Budget (OMB) released the Cybersecurity Strategy and Implementation Plan (CSIP) for the Federal Government.
Finally, on February 9, 2016, the White House released the Cyber National Action Plan (CNAP) – a collection of short- and long-term initiatives focused on modernizing federal information technology, building a cybersecurity workforce, and empowering citizens with new tools to take control of their personal digital security. Commendably, many CNAP initiatives drew heavily on recommendations and best practices from private industry, including the creation of a Federal CISO position.
Collectively, these Executive actions established a promising foundation for enhancing our collective national cybersecurity but will ultimately depend heavily upon Congress and the next Administration’s ability and willingness to implement.
TCB: What can the government do to maintain a robust cybersecurity posture?
JD: Cybersecurity is an inherently distributed and complex problem with no single “silver bullet” solutions, and it takes a team approach across both public and private organizations to achieve progress against a growing array of cyber threats. We should approach this question in a comprehensive way and with a shared lexicon.
Under the direction of President Barack Obama’s Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” the National Institute of Standards and Technology (NIST) commendably led a process that brought together public and private sector experts to establish this collaborative baseline of cybersecurity priorities and best practices. The resulting Cybersecurity Framework featured five core functions governing how organizations can manage and reduce their cyber risk: Identify, Protect, Detect, Respond, and Recover. While all five functions enhance security, a focus on effective Identification and Protection in particular is critical to actually preventing attacks, limiting an organization’s need to focus on the ways in which it must detect, respond, and recover after a compromise has already occurred.
Innovative approaches can be one of the key principles to achieving breach prevention, establishing security as the default, and gaining back leverage against our adversaries. Prevention is about significantly decreasing the likelihood and increasing the cost required for an attacker to perform a successful attack. We should not assume that attacks are going away or that all attacks can be stopped. However, we should assume, and be very diligent in ensuring, that the cost of a successful attack can be dramatically increased to the point where the occurrence of successful attacks declines. This is the outcome we should strive for. We can't eliminate all risk, but we can reduce and compartmentalize the risk to something acceptable and understood.
TCB: The DNC (Democratic National Committee) recently announced that its networks had been breached by hackers linked to Russia’s government. To what extent are state-sponsored actors still a threat?
JD: Threats from both nation state and non-nation state actors and organizations (and increasingly from a hybrid mixture of both) continue to grow in scope, scale, and sophistication. Regardless of whether we are talking about general hacktivism, criminal activity, espionage, terrorism, or military cyber activity, the cyber threat landscape in general should cause us to take this problem seriously, no matter if you’re a private or public sector organization, or even an individual citizen. This is about restoring trust in our digital age that comes into question with each successive cyber breach and attack. These increasingly frequent and sophisticated cyber incidents are leading many to question whether the technological foundation on which we are building our future of smart homes, self-driving cars, and the new global, digital economy may have deeper structural flaws.
TCB: What is being done to keep government, and government-affiliated, networks safe from this type of sophisticated attack?
JD: Defeating cyber breaches and attacks requires a platform approach that natively integrates next generation firewall technology, cloud-based or on-premises threat intelligence, and advanced endpoint protection. Natively integrating these capabilities into a platform approach helps deliver highly automated preventive measures against cyber threats, ensures superior security compared to legacy point technologies that don’t communicate with each other effectively or efficiently, and reduces network complexity to save time, money, equipment, bandwidth and, most importantly, the number of people needed to perform the vital security functions.
TCB: Can the government adapt fast enough to keep up with the changing nature of the cyber-threat?
JD: The platform approach fed by information sharing partnerships is the best way to help keep government, and government-affiliated, networks safe from breaches and attacks at the speed and scale necessary to be successful.
Leveraging automation and cloud based capabilities in a natively integrated platform approach, and feeding that approach with a broad, self-learning, self-healing ecosystem of information sharing partnerships, enables any organization to essentially do what cyber threats have been doing to us for some time now. This makes it much more difficult for any cyber threat to be successful, because now they have to be right at each point along the threat lifecycle, while defenders only have to be right at one point along that lifecycle, using automation to identify the threat and stop it.
TCB: How do you anticipate that the government’s approach to cybersecurity will continue to change moving forward?
JD: No matter whether you’re talking about people, processes, or technology, there’s one thing that’s a pretty sure bet in looking at the future: things are going to change – probably dramatically and very, very fast.
The future technology space is also uncertain. Technologies that are currently breaking new ground or just over the horizon will shape our world in ways that we cannot possibly imagine. These technologies include big data analytics, quantum computing, artificial intelligence, virtual reality, a truly global internet, digital money, and nanoscale computing. Defending that space seems daunting to many, but it does not have to be. Keeping in mind the network security principles described above will help us navigate whatever challenges may surface in the future.