Cybersecurity: A Moving Target
Over the past few months, it has been virtually impossible to avoid news of state-sponsored cyberattacks on federal agencies. While the attacks started last spring, they were not discovered until December of 2020. During that time, highly sophisticated hackers infiltrated the networks of both public and private organizations through a software update—something that had rarely, if ever, been seen before.
While these state-sponsored cyberattacks were shocking to some, they should not have come as a surprise. Nation-state actors have successfully conducted cyber warfare for years, seeking to interfere with government, steal personal and financial information, and conduct espionage. While no two have been the same, all of these attacks have one thing in common—they infiltrate federal systems by finding weaknesses and exploiting them.
Agencies are doing what they can to prevent these attacks from occurring, but more must be done. Cybersecurity defenses must change to adapt to new tactics and technologies, and agencies must draw the line on zero trust.
“These hackers are very good at what they do—they are unpredictable and creative. The reason it took so long to uncover the SolarWinds attack is because the hackers found a piece of software everybody was using and trusted, and then hacked how the software pushes out its updates. That’s something we had never really seen before,” said Matt Richbourg, a solutions architect and security expert at CDW•G.
Meeting hackers on their own terms requires being more intelligent and creative than your adversaries. That means that in addition to cybersecurity table stakes—network monitoring, access control, identity authentication, firewalls, endpoint protection, email protection and web protection tools—agencies must fully monitor all resources at all times. That requires both an adaptive approach to security and an iron-clad zero trust architecture.
Adaptive security is an approach to cybersecurity that allows agencies to pivot as needed to protect resources. With a focus on ongoing monitoring, the approach continually analyzes behaviors, events and risks to both protect against and adapt to threats before they can cause damage. Typically, it includes both analytics and machine learning to identify, prioritize and filter events.
In today’s elevated world of cyberthreats, zero trust is no longer negotiable. While the term tends to be overused and loosely defined, Richbourg says it should be taken very seriously. The idea is to lock down every point of access to the network to the extent possible, using tools that incorporate multi-factor authentication, identity management, privileged access management and network monitoring. Every transaction must be verified before access is granted to both users and devices.
“When an outsider or an adversary gets into your system, they really only look like an adversary for a short period of time, because they pretty quickly are able to pivot to leverage real credentials in some way, shape or form, and suddenly your outsider looks like an insider,” explained Federal Chief Information Security Officer Grant Schneider at an event last year. “So the fact that you built an environment where you're trusting all of your insiders is really not going to help you and not going to allow you the capabilities that you need.”
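The two preceding paragraphs contrast a perimeter model, in which anyone already inside the network is treated as a trusted insider, with per-request verification of identity, MFA, device posture and privileged access. The following Python sketch is an added illustration of that difference; it is not code from CDW•G, the federal CISO's office or any vendor product. Every name in it (the `AccessRequest` fields, the device and role inventories, the `PAM_CHECKOUTS` set and the sample requests) is constructed for the example.

```python
"""Perimeter trust vs. per-request zero trust policy evaluation.

Added example, not code from the original article or any vendor product.
All inventories and sample requests below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class AccessRequest:
    user: str                      # identity presented with the request
    mfa_verified: bool             # did this session complete MFA?
    device_id: str                 # device the request originates from
    source_inside_perimeter: bool  # legacy signal: is the source IP "internal"?
    resource: str
    action: str


# Constructed stand-ins for an identity system, device inventory and PAM vault.
KNOWN_DEVICES = {
    "laptop-1234": {"owner": "alice", "compliant": True},
    "laptop-5678": {"owner": "bob", "compliant": False},   # failed posture check
    "laptop-9012": {"owner": "bob", "compliant": True},
}
ROLE_GRANTS = {
    "alice": {("payroll-db", "read")},
    "bob": {("payroll-db", "read"), ("payroll-db", "write")},
}
PRIVILEGED_ACTIONS = {"write", "admin"}
PAM_CHECKOUTS = {("bob", "payroll-db")}  # active just-in-time privileged sessions


def perimeter_decision(req: AccessRequest) -> bool:
    """Legacy model: being inside the network is the only thing checked."""
    return req.source_inside_perimeter


def zero_trust_decision(req: AccessRequest) -> tuple[bool, str]:
    """Verify identity, MFA, device binding, posture and entitlement on every
    request. Network location is deliberately ignored. The reason string is
    returned so it can be logged and fed into monitoring."""
    if not req.mfa_verified:
        return False, "mfa_required"
    device = KNOWN_DEVICES.get(req.device_id)
    if device is None:
        return False, "unknown_device"
    if device["owner"] != req.user:
        return False, "device_not_bound_to_user"
    if not device["compliant"]:
        return False, "device_noncompliant"
    if (req.resource, req.action) not in ROLE_GRANTS.get(req.user, set()):
        return False, "not_entitled"
    if req.action in PRIVILEGED_ACTIONS and (req.user, req.resource) not in PAM_CHECKOUTS:
        return False, "privileged_access_not_checked_out"
    return True, "ok"


# Constructed scenarios. The first is the "outsider looks like an insider" case:
# a valid credential replayed from inside the network on an unmanaged device.
SCENARIOS = {
    "stolen_cred_internal": AccessRequest("alice", False, "rogue-box", True, "payroll-db", "read"),
    "alice_remote_ok": AccessRequest("alice", True, "laptop-1234", False, "payroll-db", "read"),
    "bob_noncompliant_device": AccessRequest("bob", True, "laptop-5678", True, "payroll-db", "write"),
    "bob_write_checked_out": AccessRequest("bob", True, "laptop-9012", True, "payroll-db", "write"),
    "bob_admin_not_granted": AccessRequest("bob", True, "laptop-9012", True, "payroll-db", "admin"),
}


def compare_models() -> dict[str, tuple[bool, bool, str]]:
    """Return {scenario: (perimeter_allowed, zero_trust_allowed, reason)}."""
    out = {}
    for name, req in SCENARIOS.items():
        allowed, reason = zero_trust_decision(req)
        out[name] = (perimeter_decision(req), allowed, reason)
    return out


if __name__ == "__main__":
    for name, (perim, zt, reason) in compare_models().items():
        print(f"{name:24} perimeter={perim!s:5} zero_trust={zt!s:5} ({reason})")
```

The point of the comparison is the first scenario: the perimeter check allows it because the request comes from an internal address, while the per-request check denies it before any entitlement is consulted, and the logged reason gives the SOC something to alert on. In a real deployment each inventory lookup would be a call to the identity provider, endpoint management platform and PAM system rather than a dictionary.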
For most agencies, moving toward an adaptive security model and full zero trust will require some changes. When considering new technology, make sure to rely on products that have already been certified as secure by the federal government. One way to do that is by ensuring that it complies with either Commercial Solutions for Classified (CSfC) or the Cybersecurity Maturity Model Certification (CMMC). CSfC is an NSA program that approves commercial products for use in layered solutions protecting classified National Security Systems data. The CMMC framework consists of five certification levels, each successively more stringent. Government vendors and contractors achieve different levels of CMMC based on how well their cybersecurity practices protect sensitive government information.