Nimble, Flexible Security

Government regulations evolve to keep pace with cyberthreats.

There’s a growing suspicion within government that security mandates and regulations are getting in the way of efforts to deliver the most effective cybersecurity.

Many of the current security requirements were developed in an era when the cyber landscape was thought to mirror the physical world. In accordance with that mindset, cybersecurity was pursued as a kind of virtual fortress protection. What followed, naturally, was a slew of regulations that required agencies to configure their systems according to a specific set of security standards. To meet those security demands and pass yearly audits certifying their ability to defend against attacks, agencies demonstrated compliance with regulatory requirements.

Eager to preserve their IT budgets, through funds appropriated by Congress, many government organizations resorted to the practice of “box ticking,” doing enough to pass the yearly examinations but, in the eyes of many security experts, not enough to provide effective security for the long run.

The question now is whether this kind of static approach to security by government can match current threats. Many attacks, from phishing to persistent threats that operate through stealth, are sophisticated enough to evolve and change quickly in order to evade traditional defenses.

“I think attitudes have started to change, though there’s still a long way to go,” says Alyssa Miller, manager of security management for solutions provider CDW•G. “The role of regulations now is to get agencies to behave the way we want them to behave, and if they don’t do that to come down hard on them. What’s needed is more understanding and cooperation, more of a ‘how can we help you’ attitude.”

One example is the security controls the National Institute of Standards and Technology (NIST) developed over the years. NIST SP 800-53, for example, which defines a set of IT security and privacy controls for agencies to apply, is “very specific and prescriptive, and can be cumbersome and difficult for agencies to accommodate,” Miller says.

A better approach is NIST’s Cybersecurity Framework, a set of standards, guidelines and best practices that agencies can adopt as they see fit, she says. The Cybersecurity Framework gives much more leeway for agencies to choose security solutions and approaches that best fit their particular needs.

“It’s based on intentions and objectives rather than specific controls,” she says. “It allows agencies to apply security across a wider breadth of technologies, and even to new technologies as they emerge. That’s where we’ve seen things start to change the most.”

In the first four months since its April 2018 release, the latest version 1.1 of the CSF was downloaded more than 129,000 times, according to NIST. That compares to around 262,000 downloads for version 1.0 over the four years since its release.

Application of this new mindset will differ across government, Miller says. There is a big difference between military and civilian mission needs, as well as differences among agencies. Cultural acceptance of new cybersecurity practices could be a slow process.

“It has to become more of a ‘this is how we’d like you to go, and how can we work with you to implement that,’” she says. “And that’s a very different approach than in the past.”