Now that Joe Biden has been officially sworn into office as the next US president, his administration will want to consider its cybersecurity priorities very carefully.
The Biden administration will likely continue to face attacks from state-sponsored and other sophisticated cybercriminal organizations, but will also have to contend with an aging federal IT infrastructure and a shortage of qualified cybersecurity professionals.
For the purpose of this piece, it may be interesting to look at the US government through a slightly different lens. What if it were a large corporation? It faces many of the same challenges as a multinational enterprise and should perhaps consider taking some of the same steps to improve its cybersecurity posture.
But first, a lesson in political science
The good news is that the recently signed National Defense Authorization Act (NDAA) for 2021 incorporates many recommendations from a bipartisan panel, the Cyberspace Solarium Commission (CSC), from March 2020. 1 The NDAA included the commission’s recommendation to create a White House National Cyber Director. 2
In addition, the legislation requires that the presidential administration create a national cybersecurity strategy that includes layered cyber deterrence and emphasizes resilience, public-private collaboration and a defense-forward approach as key elements. 3
Finally, the law strengthens the US Cybersecurity and Infrastructure Security Agency (CISA) in its mission to ensure the national resilience of critical infrastructure, promote a more secure cyber ecosystem, and serve as the central coordinating element to support and integrate federal, state and local, and private-sector cybersecurity efforts. 4 The CSC report also addresses these issues.
The US could follow the cybersecurity lead of large companies
What would Biden do (WWBD)?
It’s clear the Biden administration is planning to execute the CSC recommendations and follow the legislation enacted by the 116th Congress. The Biden transition team is reviewing the current administration department by department, and looking deeply into cybersecurity capabilities. The 129-member team is made up of volunteers from several US agencies, including the Departments of Homeland Security and Defense and the intelligence community, as well as private sector cybersecurity experts.
Here are just a handful of issues that the US government might consider addressing:
A fairly recent way to look at identity management and access control is the so-called ‘zero-trust’ security posture, which requires all users, even ones inside a company or agency network, to be authenticated, with continuously validated security configurations, before gaining access to applications and data.
Many government workers will continue to work from home, at least part of the time, due to the COVID-19 pandemic. While zero trust itself has already started to become a buzz term, organizations that focus only on perimeter defense are looking for trouble. Building a moat around your castle doesn’t work anymore.
With a zero-trust posture, government agencies will need to deploy better ways to authenticate, and in many cases, give users fewer hoops to jump through to connect to government networks. Good zero-trust processes understand the context of users and IT assets and will challenge users to authenticate more often in higher risk areas.
Securing the IoT
We’ve gotten to the point where almost anything can have an IP address, creating new crossover vulnerabilities. New buildings, for example, can have IP addresses for everything from floor tiles to windows. Today, you can’t trust any object, not even a pane of glass.
In addition, governments, at many levels, are now using IoT as the backbone for smart city initiatives and to manage and track their supply chains. Recent attacks that use IoT devices to create botnets could wreak havoc on these government IoT systems, shutting down networks and bringing smart cities or supply chains to a halt.
Better IoT security is a major issue for the US government. While many old government buildings may not use smart windows, agencies are using IoT in several ways, including devices to monitor equipment and systems, to control access to other devices or facilities, and to track physical assets, such as vehicles.
Cloud computing outages
During former President Barack Obama’s administration, the US government embraced cloud computing in a big way. But over the past few years, we’ve seen many cloud outages, caused by a variety of factors.
As the US government moves forward, it should consider the inevitability of future outages and decide which workloads can tolerate downtime and which workloads need to be kept in house. In other words, what is the new administration’s disaster recovery as a service (DRaaS) plan?
The old saying, ‘don’t put all of your eggs in one basket’, applies here. Single-source environments for critical technology functions are problematic. Cloud computing offers several major benefits, including the ability to scale up quickly and the ability to pay only for the computing resources used. However, some government agencies operate systems that can’t tolerate any downtime, and in those cases, public cloud services may not be the answer, at least not without backup.
1 United States of America, Cyberspace Solarium Commission, established by the John S. McCain National Defense Authorization Act for Fiscal Year 2019. (https://www.solarium.gov)
2 William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021, Sec. 1752. National Cyber Director (page 1950)
3 William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021, Sec. 1752. National Cyber Director. National Cybersecurity Strategy (page 1952)
4 William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021, Sec. 1705. Strengthening Federal Networks; CISA Cybersecurity Support to Agencies. (page 1783)