Federal agencies should reduce complexity to fight back against cybersecurity threats, government and private sector participants said during a panel at FCW’s Cybersecurity Summit.
“The adversary works in the world of the stack, and that complexity is where they thrive,” said Ron Ross, senior computer scientist and information security researcher in the computer security division at the National Institute of Standards and Technology (NIST).
The growing complexity around cybersecurity tools and evolving technology can leave agencies vulnerable. The growth of devices has outpaced developments in cybersecurity.
“The systems that we built are not that great, and there’s a lot of vulnerabilities,” Ross added. “That leaves the industry with a lot of tools, and not that those things are bad, but it doesn’t substitute for building stronger systems from the start.”
The complexity also extends to the experience for users.
“Training is more important than ever,” said Matthew McFadden, director of cyber practice at General Dynamics Information Technology. “You’re only as good as your weakest user.”
Ross also noted that the rise of personal devices presented a threat for systems. The growing number of threats for mobile devices leads agencies to enforce a strict device policy, or turn a blind eye. “Even with our best tools like AI and machine learning, our adversary has got those too,” he said. “You can’t hunt your way out of these problems. You have to build stronger, penetration-resistant systems.”
Panelists agreed that reducing complexity can help make the path to a secure system clearer.
“Minimizing the level of complexity, as well as the rationalization of applications, is something that you should look at,” said Francisco Salguero, deputy CIO for the United States Department of Agriculture (USDA).
Salguero also pointed to the importance of enterprise architecture and standard operating procedures. “At the enterprise USDA level, we’re looking at holistically, what we can do to minimize the number of tools through processes.”
“You have to try and do things that are basic. I’ve always referred to the blocking and tackling of cybersecurity.” Ross added to Salguero’s emphasis on tackling complexity in the architecture. Ross also noted that NIST’s new risk management framework, which will come out later this year, will attempt to address some of the complexity of addressing different government initiatives.
McFadden highlighted the importance of a prioritization strategy to answer the questions, “how are you using your foundational tools to detect? Once you detect it, can you make remediation actions?”
A renewed outlook on security can also help combat other challenges.
Ross noted that NIST would be adding privacy to cybersecurity frameworks, and expected revised guidelines on assessment procedures, risk assessments, and risk management frameworks. “Anything that you relate to security is now going to be privacy activated.”
Salguero noted that working through the CIO instead of business units would also help to keep agencies in compliance. “Definitely build a partnership so that we’re talking to businesses in conjunction with IT.”
Ross summarized his view of the necessary changes to increase security.
“These aren’t technology decisions. These are leadership decisions, culture decisions, societal decisions. We want to solve the problem, but we can’t seem to get there.”