An ambitious cybersecurity strategy is just a starting point
By Sean Frazier
Mar 19, 2021
Last week, President Biden signed a sweeping $1.9 trillion Covid-19 relief bill into effect, setting aside a much-needed $1 billion for the Technology Modernization Fund (TMF) and millions more for cybersecurity.
While a fraction of the $9 billion initially proposed, this funding comes at a crucial time: The sweeping SolarWinds attack highlighted the vulnerabilities of federal IT, and the more recent but equally alarming Hafnium attack reiterates the immediate need to adopt new technology. Biden's administration inherited an IT ecosystem seemingly stuck in the 1990s, but this funding offers an opportunity to usher federal agencies fully into the 21st century.
Beyond this legislation, the Biden administration has consistently reiterated plans to revamp the U.S.'s lackluster cybersecurity posture, an existential threat perhaps second only to climate change. In her first briefing and numerous ones since, Press Secretary Jen Psaki emphasized the administration's focus on cybersecurity. At Biden's direction, an investigation into SolarWinds is underway. Early on, Biden named top cybersecurity veterans to leading administration positions.
With this funding and the help of top experts, Biden can make tangible progress toward modernization. Modernization and advancing security is an endless endeavor, however, and much work remains to be done. Building on this momentum, here's how Biden can move federal IT forward.
With new strategies, Biden is laying much-needed groundwork.
Biden's efforts are a departure from the past administration's approach. Many cybersecurity experts find comfort in the shift, as 70% of experts agree that President Donald Trump "took the nation in the wrong direction on cybersecurity" by failing to fend off cyber adversaries and hindering progress within federal agencies.
Trump's cybersecurity legacy is marred by negligence and recklessness, as his administration largely ignored the most significant cyber threats of the day, like the nation-state actors behind SolarWinds. When the hack hit at least nine federal agencies and hundreds more companies, his administration took little action. Exploiting vectors that have been around for years, the breach exposed critical weaknesses across our federal infrastructure. SolarWinds is far from the only breach threatening the public sector, but it earns a spot next to 2010's Operation Aurora and 2017's NotPetya as one of the most notable cyberattacks on the country.
Trump's administration deserves credit for creating CISA in 2018, and the agency played a crucial role in preserving the integrity of the 2020 presidential election. Trump made a political statement by firing the agency's first director, only highlighting the agency's role in safeguarding the nation from internal and external threats. Biden hired industry veterans in his term's early days, building on what CISA already accomplished. Modernization takes not only top talent but also collaboration among agencies and the private sector. To foster this, CISA must regularly share new information and hold meetings at the executive level, including agency and industry leaders. Right now, collaboration is ad hoc; building systems to standardize communication will be critical.
Many modernization efforts under Trump never materialized. When the COVID-19 pandemic prompted a rapid shift to remote work, the public sector was largely unprepared. Agencies bolted Zoom and other collaboration tools to the top of existing tech stacks, risking infrastructure chaos and increasing the target surface for bad actors. The public sector did what it had to do, but it reinforces the need for processes that enable better, built-in security. Financial markets have regulatory bodies, and cybersecurity—another critical infrastructure—needs the same. Public-sector IT is built on legacy, and the new administration's early moves are a green light for the sector's overdue modernization journey.
Where do we go from here?
More funding enables federal agencies to review technology in place, helping them understand whether it's enough to serve as a base layer or if they must revamp the infrastructure entirely. More likely than not, it will be the latter. The SolarWinds breach illustrates how cybercriminals, especially those acting in other countries, often target very basic vulnerabilities and learn to infiltrate them in more sophisticated, collaborative ways.
To better protect against growing threats like these, federal agencies must adopt a Zero Trust mindset. If the new administration is serious about fortifying the nation's cybersecurity, it can't take half measures. Agencies' tech stacks will naturally become an amalgam of cloud, on-prem and hybrid, requiring agencies to think about all assets no matter their location. The NSA and the DOD are "all in" on Zero Trust; the NSA recently released guidelines to help agencies embrace a Zero Trust mindset. At the very least, agencies must deploy simple but impactful solutions, like multi-factor authentication and patching, to protect our most basic vulnerabilities.
The Hafnium attack reveals vulnerabilities similar to SolarWinds, highlighting why cloud adoption should accompany Zero Trust. Nation-state attackers went after on-prem mail and calendar software, exploiting a vulnerability that's existed for a decade. This type of attack could be prevented by using cloud systems; cloud enables agility, and its shared responsibility security model allows content policies to patch servers while personnel focus on data and asset protection. Recently, only 6% of respondents in federal positions reported using all-cloud solutions and systems. Another 29% use mostly cloud solutions, and an alarming 10% don't use any at all. With all-cloud systems, users can easily update security measures and automatically patch vulnerabilities across a vast network of servers. If agencies stick with on-prem, forgetting to update just a single server can compromise the entire network, which Hafnium proved.
The Biden administration sends a clear, necessary message: We must leverage the best technology and innovations to tackle problems that threaten us all. A modern, secure IT infrastructure is within reach, and providing agencies with the proper resources to gauge our full capabilities and limitations is mission-critical. We can make tangible progress by leveraging the right technologies, fostering cross-sector collaboration, and adopting the right security mindsets—so long as we remember that modernization is not a one-time task, but rather an ever-evolving ideal to continually work toward.
Sean Frazier is federal CSO at Okta.