Comment

Spending the federal cybersecurity budget: what's next?


In 2020, cyberattacks against U.S. government organizations cost $18.88 billion in recovery costs and downtime. In an effort to drive down this cost and improve our cybersecurity posture, this year the federal government has announced a number of initiatives, from the infrastructure bill to the Joint Cyber Defense Collaborative and White House Cybersecurity Summit.

Yet even as Congress begins to release billions of new cyber budget dollars, today's adversaries continue to adapt, changing the threat landscape once again. They are constantly innovating and increasing their skill set and speed, and their innovation is matched only by their determination and funding.

So, where should government invest first?

Legacy systems: According to the recent Senate Committee on Homeland Security and Government Affairs report, "Federal Cybersecurity: America's Data Still at Risk," seven of the eight agencies studied used legacy systems or applications that are no longer supported by the vendor with security updates. I can attest that a large number of federal agencies have incurred a huge amount of technical debt, struggling to meet patching deadlines while maintaining accessibility. Legacy systems are a prime target for today's cybercriminals. Since that won't change for some time, let's fully protect them now -- bugs and outdated versions included -- while we work to change our paradigm.

Information sharing: Federal agencies have valuable threat information but are often unable to share with other agencies because of limited permissions and other protocols. Highly pertinent information can age out quickly, becoming less valuable to friendlies over time. In addition to sharing information more quickly among themselves, federal agencies need a safe and secure way to quickly share critical information with state and local counterparts, who are increasingly coming under attack by determined adversaries.

Staffing: The federal government has stated a need to hire hundreds of thousands more cybersecurity professionals. It should also focus on improving the government brand, aspiring to the same level of innovation and excitement offered by the private sector. Many outmoded and archaic processes -- both people and technology-based -- still exist. We can drive innovation by eliminating friction in core processes, automating full protection and focusing on deterministic measures to end supply-chain poisoning and ransomware.

Innovation: The threat landscape continues to shift, as proved by a host of headline-worthy breaches over the past months in both the private and public sector. Taking a deterministic viewpoint in our approach to protection has become imperative. Probabilistic measures such as heuristic analysis -- looking in the rear-view mirror to try to predict the future -- are clearly failing us.

Private-public collaboration: Today's cybersecurity threats can't be solved by the federal government or Big Tech alone. Neither can our collective approach to the crisis be incremental. We will never get there by being a little bit faster, a little bit stronger, a little bit smarter than the last shiny cyber object. This problem requires a whole new approach and way of thinking.

We need a moonshot. Absolute interdiction.

Deterministic, automated protection is possible, so let's fully protect our software, bugs and all, and resolve this crisis once and for all.

About the Author

Kevin Jones is VP, public sector at Virsec.
