Page 16 - FCW, August 2017
CYBERSECURITY
THE NECESSITY OF CYBER INNOVATION
Federal agencies are being offered a wealth of ideas and advice for shoring up cyber defenses.
The White House and Congress are both looking for new ideas to address long-standing cybersecurity concerns in the federal government, and some old ideas are drawing renewed interest. The new administration put its stamp on the issue with a May 11 executive order on “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.” This long-awaited order seeks to bolster cyber efforts by both mandating enterprise risk management and mitigation practices and reiterating the need for modernization of agency IT infrastructures.
SPONSORED CONTENT
The executive order has become part of a broader conversation about how agencies can raise the bar on cybersecurity. Modernization is a central part of that, because legacy systems are increasingly costly and difficult to protect—but that’s only part of the solution.
STRENGTHENING CYBER DEFENSES
Here is a roundup of some of the latest ideas being championed by federal IT officials, cyber experts, and congressional leaders.
THE CYBERSECURITY FRAMEWORK: TIME TO STUDY UP
The Cybersecurity Framework—technically called the Framework for Improving Critical Infrastructure Cybersecurity—is not new. It was released by the National Institute of Standards and Technology (NIST) in 2014. It is, however, getting renewed attention thanks to the recent executive order.
The executive order directs agencies to implement the framework—and to detail their plans for doing so—as part of one of the first mandated reports. The framework was originally developed to help organizations take a risk-management-based approach to managing critical infrastructure. However, NIST officials have said all along that the framework dovetails nicely with its other security and privacy risk-management guidelines.
With that in mind, NIST recently released draft implementation guidance, which outlines different ways in which the framework can strengthen cybersecurity efforts—such as managing cybersecurity requirements, integrating and aligning cybersecurity and acquisition processes, and evaluating cybersecurity from an organizational perspective.
MULTIFACTOR AUTHENTICATION: JUST A MATTER OF TIME
Cyber experts have been saying for years that when it comes to protecting sensitive systems or data, agencies should not rely on the old-school computer password—at least not by itself. “It’s hard to find a major cyberattack over the last five years where identity—generally a compromised password—did not provide the vector of attack,” according to a February 2017 report from the Chertoff Group titled, “Strong Authentication in Cyberspace.”
The problem is hackers have numerous tools they can use to compromise a password without anyone knowing. Multifactor authentication makes it tougher, requiring a user to provide a second form of identification, such as a fingerprint, a smart card, or some other token they must have in hand.
The DoD made the leap years ago, with its adoption of the Common Access Card. A growing number of civilian agencies are taking an interest as well, including the Social Security Administration, the Office of Personnel Management, and the Library of Congress.