The Federal Government’s Cybersecurity Marathon: Credit to Tony Scott for Highlighting Authentication as a Key Strategy
As the full scale of the Office of Personnel Management breach came to light this summer, Federal CIO Tony Scott took a bold step and ordered federal agencies to take stock of their cybersecurity policies and plans. Under the guidance of the Department of Homeland Security, the Office of Management and Budget, the National Security Council Cybersecurity Directorate, and the Defense Department, agencies were given 30 days to review their existing cybersecurity stance and report to the Cybersecurity Sprint Team, to help establish a 360-degree view of the state of cyber defenses. From there, Scott promised to establish action plans that would lead to a federal civilian cybersecurity strategy.
Just over ninety days out from the announcement of the cybersecurity sprint, CIO Scott has made good on his promises. While he was widely criticized in the media for not leading with the analogy of cybersecurity as a marathon, his approach has turned out to be highly effective. To take the analogy a bit further, a novice runner doesn’t start out with a marathon as the first goal but builds momentum over time. Let’s face it – 26.2 miles or achieving the gold standard in cybersecurity are both daunting goals. And, as we all know, if something seems impossible, a fundamental human response is usually to get mired in the enormity of the task, do nothing as a result, and fail completely.
Smartly, what Scott did was to remove the potential for a ‘do nothing’ response and create achievable sub-goals. To play on the analogy, the runner’s first goal is to run every day, then run a 5k, then a 10k, a half marathon, and finally every one of those 26.2 miles. For a federal CIO the benchmarks are – assess the current state of cybersecurity, address the low-hanging fruit, then start building stamina for the long haul. And, like a good coach, Scott is there, providing training plans, cheering the accomplishments, and drawing attention to areas where improvement is needed.
What’s most remarkable is that within this 90-day period, notable changes have been reported by government employees. In the recent Federal News Radio survey I cited last week, 71 percent of respondents cited the cybersecurity sprint as a key driver to “focus on long-standing cyber challenges.”
Now that the Band-Aids have been applied, the pressure is on for Tony Scott to deliver on the federal cybersecurity strategy and keep delivering on it over time, as befits a marathon. One of the functional areas that Scott has called out in recent interviews as both an immediate success and a candidate for ongoing attention is authentication. Following the sprint, the use of two-factor authentication (smart card + password) increased from “42 percent to more than 72 percent during the time period, according to OMB. Two-factor authentication stats were even higher for privileged users — those with expanded access to federal networks — growing from 33 percent to nearly 75 percent.” The same report continues: “This is probably one of the most significant things that you can do to enhance cybersecurity no matter where you are,” Scott said of efforts to increase the use of two-factor authentication, adding, “We’re going to stay on that one like crazy.”
I couldn’t agree more with the federal CIO: authentication is key to protecting data and stymying attacks, but it needs to be more than two layers of authentication in order to provide the level of security that federal agencies need. Primarily, Scott and the Cybersecurity Sprint Team are going to want to raise the standard from two-factor authentication to multi-factor authentication. By this I mean that, as well as a user name/password with a smart card, agency CIOs are going to want to look for solutions that cover the other key elements of authentication – a physical attribute (something the user is) and location (somewhere the user is) – because despite best efforts, passwords will be written down and stuck to the back of credentials, and credentials will be left in TSA screening bins. And this is just one possibility for loss and the reintroduction of vulnerability despite best intentions.
Moreover, they’ll want to ensure that agencies are choosing solutions that mitigate the common types of cybersecurity events – insider threats and man-in-the-middle attacks – by looking at out-of-band solutions. Out-of-band authentication, simply put, requires the presence of a secondary channel, such as a cell phone, in order to authenticate, or verify, identity. This guards against impersonation in the case of insider threats and neutralizes the man in the middle: bad actors, even if they eavesdrop on or intercept certain credentials, will likely be unable to possess the second channel, the physical attribute, or the location.
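To make the out-of-band flow concrete, here is an added Python sketch (not from the original post or from any agency system) in which the password travels over the primary channel while a fresh per-login challenge is answered only by the enrolled device; the user name, password and device key are constructed sample values.

```python
import hashlib
import hmac
import secrets


class OutOfBandAuthenticator:
    """Constructed demo: password on the primary channel, per-login challenge on the secondary."""
    def __init__(self):
        self.users = {}     # username -> (salt, password hash)
        self.devices = {}   # username -> key provisioned on the enrolled device
        self.pending = {}   # outstanding challenge -> username (single use)

    def enroll(self, user, password, device_key):
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))
        self.devices[user] = device_key

    def start_login(self, user, password):
        """Primary channel: a correct password yields only a challenge, never a session."""
        if user not in self.users:
            return None
        salt, stored = self.users[user]
        if not hmac.compare_digest(stored, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)):
            return None
        challenge = secrets.token_hex(16)
        self.pending[challenge] = user   # delivered to the enrolled device out of band
        return challenge

    def finish_login(self, challenge, response):
        """Secondary channel: a challenge is consumed on first use, so a captured response cannot be replayed."""
        user = self.pending.pop(challenge, None)
        if user is None:
            return False
        return hmac.compare_digest(device_respond(self.devices[user], challenge), response)


def device_respond(device_key, challenge):
    """What the enrolled device computes; its key never crosses the primary channel."""
    return hmac.new(device_key, challenge.encode(), hashlib.sha256).hexdigest()


def demo():
    auth = OutOfBandAuthenticator()
    phone_key = secrets.token_bytes(32)   # constructed: provisioned at enrollment
    auth.enroll("jdoe", "correct horse", phone_key)
    ch = auth.start_login("jdoe", "correct horse")
    legit = auth.finish_login(ch, device_respond(phone_key, ch))
    # Attacker who intercepted the password on the primary channel but lacks the device
    ch2 = auth.start_login("jdoe", "correct horse")
    impostor = auth.finish_login(ch2, device_respond(b"guessed-key", ch2))
    # Replay of the earlier valid response against a fresh challenge
    ch3 = auth.start_login("jdoe", "correct horse")
    replay = auth.finish_login(ch3, device_respond(phone_key, ch))
    return legit, impostor, replay
```

Only the first login succeeds: the intercepted password gets an impostor as far as a challenge, and a reused response fails because every challenge is fresh and single use.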
After so many breaches and at least a couple of failed attempts to introduce bona fide cybersecurity policies and procedures, it seems that the OPM breach really has changed the way federal agencies now understand their cyber risks. As the holders not only of state secrets but of personally identifiable information about every citizen, the government’s responsibility might seem overwhelming, but under Tony Scott’s guidance success in the cybersecurity marathon seems entirely possible.