As America still reels from the damage created after the giant Office of Personnel Management (OPM) hack, it’s time to wonder what 2017 has in store for American federal cyber security. It’s not even over yet, and 2016 has been a big year not only for major breaches targeting federal agencies, but also for some big strides forward in the way that America’s treating the future of cyber security.
As we look ahead to 2017, what major steps has the government taken to improve their collective federal cyber security posture? What is missing in terms of vulnerability scanning technology and what should be done to educate employees at all levels in terms of security awareness?
From astronomical budgets to a national CISO, here’s what’s new and changing in the field of federal cyber security.
Federal Cyber security: From Network Security to National Security
For the hundreds of American federal agencies, cyber security should be playing a major role in not only their day to day operations, but also in their future budgeting, planning and staff education and training – as one malicious email can, and has, jeopardized the sensitive data of countless civilians.
Often referred to collectively as the “alphabet soup” of agencies, federal agencies collect and store some of the most sensitive and top secret data. This data ranges from top secret defense IP’s in the Department of Defense (DOD), current and former federal employee personal records at the Office of Personnel Management (OPM), the hypersensitive data found in the Department of Homeland Security (DHS) and, according to the 2016 Federal Information Security Modernization Act produced by the Office of Management and Budget (OMB), many of these agencies need to be doing much more to protect their sensitive data.
According to the report, there was a 10 percent increase of incidents between the fiscal years of 2014 and 2015, as cyber security incidents rose to 77,183, up from 69,851 in 2014. Cyber attacks against federal agencies are increasing as hackers and malicious parties continue to gain access to sensitive information systems, Federal networks and data.
Cyber Security National Action Plan (CNAP)
In early February 2016, the White House announced that they were going to take “bold actions to protect Americans in today’s digital world.” Following persistent threats against citizens by hackers and against governments by state actors, it’s clear that America needs for from a cyber security standpoint and the CNAP is the beginning of a long-term solution.
Major focuses of the CNAP include the establishment of the “Commission on Enhancing National Cyber Security” which will “make recommendations on actions that can be taken over the next decade to strengthen cyber security in both the public and private sectors while protecting privacy; maintaining public safety and economic and national security.”
Additionally, the CNAP highlights the efforts needed to modernize government IT while improving its management with a $3.1 billion Information Technology Modernization Fund. The National Cybersecurity Alliance will also be launching a National Cybersecurity Awareness Campaign in order to empower Americans to secure their online accounts through multi-factor authentication in partnerships with some of the biggest names in technology and online payment solutions. Looking towards 2017, the CNAP also includes a plan to invest over $19 billion for cyber security as part of the President’s Fiscal Year budget which is a 35 percent increase from the 2016 budget.
A Federal First: America’s CISO
Included within this $19 Billion USD budget is money that will be allocated to hire and employ the first chief information security officer (CISO) for America whose will be a seasoned cyber chief. Dan Waddell, managing director and director of US government affairs, does note that finding a candidate at the proposed salary, ranging from $123,175.00 to $185,100.00 USD per year will be a challenge. Currently, the job posting is listed as closed.
Following such initiatives as 2015’s “30 Day Cyber Sprint,” 2016 is ramping up in terms of cyber initiatives taken by at a Federal level. While many of the CFO Act Agencies have fallen victim to attacks and breaches, one agency that has taken a commendable step in trying to stay ahead of the hackers is the Department of Defense (DoD).
The DoD hackathon was a beta program that ran from April 18 to May 12 this year, where 1,400 eligible hackers were invited to try and hack various Pentagon websites (dodlive.mil, dvidshub.net, myafn.net and dimoc.mil) as a part of a bug-bounty program. In the end, 250 submitted at least one vulnerability report and 138 were determined to be legitimate, unique and eligible for a bounty, according to the DoD website. This is a great initiative that should be replicated and improved upon by other Federal agencies in order to do some “penetration” tests in a controlled environment, yet one that simulates attacks that may occur in the wild.
What Needs to be Added, and Enhanced, in the Federal Cyber Security War Chest?
Proper Application Security
In the Federal cyber security ecosystem, application security needs to play a larger role in the cyber security portfolio. The most efficient way to scan both home-grown code and any third party components is through a static code analysis solution that is able to integrate into all developer touch points of the software development lifecycle (SDLC).
Creating a secure software development lifecycle (sSDLC) using Checkmarx’s CxSAST will contribute to the safety and the long-term security posture of any organization. In addition to constantly scanning code for all common security and compliance issues, CxSAST also helps educate developers as it shows them where and how, to mitigate any potential vulnerabilities. Checkmarx currently scans 20 coding language and their common frameworks and integrates seamlessly with continuous integration (CI) environments.
Learn more about what it means to implement a secure software development lifecycle here.
Cyber security awareness and education need to be implemented and immediately adopted within the Federal framework. Federal cybersecurity defenses, programs and budgets are only as strong as the employees using them, and when a hacker is able to release the details of tens of thousands of federal employees as a result of gaining access through an employee’s email account, or via phone call, there is a critical need for improvement before more sensitive data is freed on the web.
Video showing easy it can be to spread malware via Google.com
Staff at every Federal level need to be aware of the possible dangers lurking everywhere on the internet and to proceed when caution even while using trusted services, applications and websites, as serious security risks can masquerade as services and applications that we know and trust. Malicious links that could lead to an immediate total takeover of the victim’s computer are becoming even more and more legitimate-looking, as is the case with the Reflected File Download (RFD) attack vector in which a legitimate looking link from a trusted website hosts a malicious executable file. This attack vector is especially serious when put into the context of the Federal ecosystem and even more so since 4 out of 5 people will trust downloads based on their hosting domains, which could be in fact illegitimate.
To read about how Checkmarx can help with ensuring that your code complies with major regulatory requirements and industry standards, click here.