What government needs to do to speed up cyber defenses
March 16, 2017
By Lloyd McCoy, DOD manager
Two cyber breaches at the Office of Personnel Management in 2015 prompted the federal government to move quickly to award $500 million worth of government-wide BPAs for identity monitoring and data breach response and protection services.
It begs the question of where that money was before the problem.
More problems like this are increasingly likely as we all rely on more IT infrastructures that may not be up to the challenge of increased use. Down the road, better coordination between tech vendors and buyers before the acquisition process will be able to stem the cyber tide. But what do we do in the meantime with what we have now?
Defense in depth—a moat to defend the castle
While tech vendors continue working on making their products and components less susceptible to attack, a practical approach to security now means looking at “defense in depth” solutions.
Defense in depth, used in some private sector networks, looks to manage risk with a broad range of defense strategies. That way, if one layer of defense fails, bad actors still need to get through another layer and then another.
Making it harder for adversaries to access your system may lead them to choose easier targets.
The need for better procurement processes
Tech companies are going to need to treat security as a fundamental feature in their products from day one. That means putting security up front in product development, with a sound plan and security features designed into products from the start.
At the same time, the government purchasing authorities need to bring their security needs front and center.
Here are some necessary steps for government to take:
- Build IT security into contracts and develop standards for what secure computing must look like. Chief information security officers need to be actively involved in this process and contractors must be responsible for maintaining whichever system government organizations settle on.
- Agencies should seriously leverage existing industry standards. Make sure the certifications and standards that providers are already using are adequate to the level the government needs.
- Agencies need to start buying Infrastructure-as-a-Service. Agencies need to be clear on their needs and keep in mind that federal cloud offerings are months behind the commercial cloud.
- Government organizations need to make sure their preferred provider offers orchestration tools for deleting and building apps. Apps need to easily scale up or down.
- Government needs to go with providers that offer identity and access management tools for lifecycle management. They also need to be able to extend on-premise IAM tools to the off-premise cloud data center environment.
Stopping attacks and unauthorized access to network platforms demands a coordinated enterprise approach to mission assurance and cyber defense. A strong defense alone will not mitigate risk.
For more guidance on cybersecurity trends and insight, reach out to immixGroup’s Market Intelligence organization.
This column originally appeared on IDG’s Government Infosec blog.