EMERGING CYBERSECURITY
 agencies are considering. Created as a digital ledger for recording cryptocurrency transactions, blockchain “addresses the fundamental flaws of security by taking away the human factor from the equation, which is usually the weakest link,” a Forbes article states.
In addition, the Intelligence Advanced Research Projects Activity is developing a multiphase project that will reduce the exploitation of legacy and cloud-based vulnerabilities by focusing on users’
roles rather than their identities. Each role in the Virtuous User Environment will have its own set of protective measures separate from the user’s other roles.
Empowering agencies to strengthen security
Agencies have long known that cybersecurity cannot rely on technology alone. Since 2010, the Government Accountability Office has issued about 3,000 recommendations to federal agencies on ways to improve information security programs and controls. (As of July, about 1,000 still needed to be implemented.) They include calls for an expanded cyber workforce through better recruitment and training and the use of metrics to evaluate the effectiveness of programs such as the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity.
It is also becoming apparent that compliance with government policies is not enough. Agencies must adopt a more complex, strategic approach to cybersecurity. The public sector far outnumbers other sectors in the number of cyber incidents — nearly 23,000, according to Verizon’s 2018 Data Breach Investigations Report. That’s compared to just over 1,000 for the second most-affected sector.
Procurement is another area that needs to evolve. The typically lengthy process agencies must follow does not work in the fast-paced cybersecurity world. A proposed rule published in the Federal Register in June seeks to amend the Federal Acquisition Regulation to expand special emergency procurement authorities for buying supplies or services that help agencies defend against or recover from cyberattacks.
Many agencies would like to speed procurement in general.
Last year, the Defense Information Systems Agency received “other transaction authority” so it can operate outside standard procurement procedures, and the General Services Administration is studying how blockchain could help automate the FASt Lane process for IT Schedule 70 contracts.
The need for agencies to strengthen cybersecurity is not new. In fact, GAO first designated information security as a governmentwide high-risk area in 1997. In its July 2018 “High-Risk Series” report, GAO identified four major challenges and 10 critical actions to address them. The first challenge is establishing a comprehensive cybersecurity strategy and performing effective oversight.
There are efforts underway to update cybersecurity policies. Legislation introduced in July, for example, would make CDM a law and empower DHS to modernize the program. When such efforts are combined with government and industry innovations, agencies will have a solid yet adaptable foundation on which to grow their cybersecurity approaches in a continually changing environment.
    NEW SECURITY CHALLENGES
BY THE NUMBERS
4,200 websites, including some run by the U.S. government, were hijacked in February to secretly mine cryptocurrency via visitors' computers
and smartphones.
34 percent of cyber incidents in the public sector originate within the agency.
71 of 96 federal
agencies lack fundamental cybersecurity policies or have significant gaps in their cybersecurity programs.
31 percent of the cyber incidents reported to the U.S. Computer Emergency Readiness Team used a threat vector categorized as “other,” which includes avenues of attack that are as yet unidentified.
50 percent of global web traffic was encrypted as
of October 2017, up 12 points from the year before.
 4.2K
  71
50%
34%
  31%
 SPONSORED CONTENT | S-39
 Sources: Cisco, Government Accountability Office, Newsweek, Office of Management and Budget, Verizon