As work from anywhere becomes normalized, many government agencies are undergoing digital transformation to improve user experience, drive greater transparency for users, and modernize IT. All of these advancements improve network functionality across the board, but without integrated security architectures, these improvements also expand the attack surface for these vital organizations.
Threat actors have taken advantage of the lack of integration and ramped up their attacks against government organizations. In recent years, nation-state attacks have demonstrated the ability to damage or disrupt critical infrastructure and affect civilian services. Federal, state, and local governments are prime targets for nation-state attackers due to their involvement with critical infrastructure such as water, gas, sewage systems, and more. Personal information and financial data stored in government databases are also of interest to cybercriminals looking to sell information on the dark web. With ransomware and other cyberattacks continuing to rise, agencies must implement more integrated and automated solutions to protect their infrastructure.
In this Q&A, Fortinet Public Sector Field CISO Jim Richberg discusses the attack surface for government agencies and how these organizations can protect against rising threats.
One Year After the Announcement of Biden’s EO, What Are Some Takeaways for Agencies?
Jim: At a high level, the EO identifies and focuses on a number of important issues that the government needed to address in order to improve cybersecurity. The EO was important and timely given the state of cyber today. It identified Zero Trust, accelerated migration to the cloud, and the integrity of critical software as key components. It directed action by the federal government and its supporting contractors, and will drive progress within the private sector as well.
While the EO had an unusually large number of deliverables and aggressive timelines for implementation, in truth many of the short-term deliverables set out in the EO were consistent with things agencies were already working on. And while EOs can set priorities, they do not bring additional resources—absent Congressional funding, EOs can only direct agencies to rebalance priorities and reallocate existing funds. But the major programs of the EO have become core to federal cybersecurity and have largely been funded. The EO also raised awareness among the government’s supporting contractor base on issues ranging from software supply chain transparency to disclosure of significant cyber breaches.
Regardless of progress to date, the federal government still needs to make further progress increasing shared or federated situational awareness and integrated response. We need to do a better job of this within government, within the private sector, especially critical infrastructure owners and operators, and between the public and private sectors. This need has become more acute given the heightened threat environment and the growing interdependence of networks today. Integrating security across agencies or sectors is a combination of creating shared situational awareness and of integrating operations to act on that shared visibility. While in theory this can be automated, in practice generating a common operating picture usually requires ongoing attention and focus by cyber analysts and SOC operators—which places a premium on automating their response activities.
What Does the Threat Landscape Look Like Today?
Jim: Something state and local governments have become more concerned about is growing social engineering attacks and increasingly sophisticated nation-state (APT) activities potentially directed against them. The changing dynamic of geopolitical conflict has led many to reflect on their position in the landscape and to wonder if they are likely to be in the crosshairs or to be caught in the crossfire as collateral damage of a conflict occurring on the other side of the world. However, I think the last year has shown ransomware to be the most impactful threat to state and local governments.
Ransomware has offered threat actors a steady revenue stream that is not as unpredictable as malicious activities such as running botnets or illegal cryptocurrency mining, where relative success varies with the actions of law enforcement or technology companies. Rather, ransomware always seems to generate a consistent payoff. Because of the success of this attack trend, we’re starting to see the rise of advanced persistent crime that’s starting to look like advanced persistent threat activity by nation-states. Criminals ‘follow the money,’ and based on the steady cash flow from ransomware, many criminal groups are becoming more cohesive and enduring. Because they have organizational persistence, they can hire and retain specialists in areas such as vulnerability research. Many of these groups are becoming faster to weaponize exploits. They’re so specialized they have help desks for the affiliates they rent their ransomware to and for victims who don’t understand how to buy cryptocurrency. It’s not only crime, it’s crime that is becoming faster, more sophisticated, and more clandestine.
What Can State and Local Governments Do to Protect Critical Infrastructure?
Jim: State and local government networks have become more complex as they adopt new IT solutions and build out their networks, so it is increasingly important to simplify the security architecture by achieving integration and consistent policy management across the board. Consolidation of solutions within security and between IT and security is one route to go. For example, look for a security solution that offers firewall, ZTNA, and SD-WAN functionality all in one product rather than buying separate point products for each function. Leveraging consolidation combined with convergence of networking and security can be powerful. Cloud security and SASE can help secure users regardless of location and still provide firewall protections, secure web gateways, ZTNA, and threat detection functions. Multi-factor authentication is also a necessary solution to provide a much more secure way for authorized users to access the network resources they need, especially for government organizations that work with contractors or third parties.
Where “flat” or non-segmented networks and a lack of security integration open a door for threat actors into one organization, the absence of interoperability of threat data can open the door into multiple organizations or even an entire sector. Attackers often move from one victim to the next and often use the same tactics to gain access to information. But an attack against the power sector can easily move to wastewater or transportation. A more strategic approach to security is needed to get ahead of attackers, and sharing threat data needs to be part of that approach. Solutions like applying AI and automation at scale can help turn the attack surface from a liability to a source of intelligence that is shared across organizations. Not only that, but coordination with other agencies can reveal best practices for deploying security solutions and sharing data and insights. It can help you solve your immediate problems and avoid being stuck in Groundhog Day, where you’re going to face the same issues the next day.
What Challenges Do Government Agencies Encounter When Implementing Zero Trust?
Jim: The federal government pioneered the idea of segmented network access and of ‘need to know’ access to data within the national security community decades ago. Leading IT firms began to adopt the approach in the wake of high-profile intrusions and theft of intellectual property a decade ago. But the concept of moving beyond assigning security based on whether you were logging on from within or outside of a network perimeter gained traction with last year’s Executive Order 14028, when President Biden told federal organizations to implement zero trust at scale and quickly. Key Executive Branch agencies began creating maturity models and strategies for implementation, including implementation in cloud computing. The move to implement zero trust architecture is a key approach to protecting critical federal systems and data, including personal data of US citizens. Building out a full zero trust framework is tough, but I think even incremental steps can have significant impact. Parts of the zero-trust equation include identity management, access control, and having a powerful and rapid capability (an ‘enforcement engine’) to apply these security policies. Virtually every agency is doing some form of static zero trust access, applying different levels of policy to different classes of users (staff vs. contractors vs. visitors) and moving away from ‘flat’ network architectures. Making these capabilities more dynamic, meaning more rapid and granular (moving from a one-time check at time of log on to evaluation for each software application accessed), is dynamic zero trust. It is more effective, but to apply it without creating unacceptable performance bottlenecks requires that an agency have more powerful and advanced capabilities.
Then comes the issue of proving or demonstrating progress. The biggest problem in cybersecurity from my perspective is not people, processes and certainly not technology; it’s metrics. For cybersecurity to fully mature, we need to be able to say, “If I do this, this is the outcome,” and yet we typically struggle to answer basic questions such as “how much does it cost to fix this problem – or how?” Of course, part of this challenge is that this is at least a two-party problem—and there’s usually a threat actor involved who affects how well a security solution will work. But notwithstanding the impact of threat, even when it comes to evaluating the effectiveness of security solutions in isolation, we are often guessing at impact or even at cause and effect. Vendor and technology frameworks such as the NIST Cybersecurity Framework or CISA’s Zero Trust Maturity Model can be helpful because they can ensure that government and industry are thinking about these problems and solutions in similar ways and using the same concepts.
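The distinction Jim draws between static zero trust (a class-based check applied once at logon) and dynamic zero trust (a fresh evaluation for each application accessed) is easier to see in a small policy decision point. The following is an added example written for this page, not code from Fortinet or from the interview; the application names, user classes, sensitivity tiers and session-age thresholds are constructed for illustration and are not any agency's actual policy.

```python
"""Minimal zero trust policy decision point (added example, not Fortinet code).

static_decision  : the one-time, class-based check many agencies already apply.
dynamic_decision : re-evaluated per application request, adding MFA status,
                   device posture and session age to the class check.
All policy tables and thresholds below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed policy table: which user classes may reach which application.
STATIC_APP_ACCESS: Dict[str, Set[str]] = {
    "hr-records": {"staff"},
    "ticketing": {"staff", "contractor"},
    "public-site": {"staff", "contractor", "visitor"},
}

# Constructed sensitivity tiers; they decide which extra checks the dynamic policy applies.
APP_SENSITIVITY: Dict[str, str] = {
    "hr-records": "high",
    "ticketing": "medium",
    "public-site": "low",
}

# Assumed thresholds: the more sensitive the application, the fresher the logon must be.
MAX_SESSION_AGE: Dict[str, timedelta] = {
    "high": timedelta(minutes=15),
    "medium": timedelta(hours=8),
    "low": timedelta(days=1),
}


@dataclass(frozen=True)
class Session:
    user: str
    user_class: str          # "staff", "contractor" or "visitor"
    mfa_verified: bool       # whether a second factor was presented at logon
    device_compliant: bool   # endpoint posture as reported by the device agent
    authenticated_at: datetime


def static_decision(session: Session, app: str) -> bool:
    """Static zero trust: class-based allow/deny, evaluated once at logon.
    It never looks at MFA, device state or how old the session is."""
    return session.user_class in STATIC_APP_ACCESS.get(app, set())


def dynamic_decision(session: Session, app: str, now: datetime) -> Tuple[bool, str]:
    """Dynamic zero trust: evaluated for every application request.
    Returns (allowed, reason) so the enforcement point can log why it decided."""
    if not static_decision(session, app):
        return False, "user class not permitted for this application"
    tier = APP_SENSITIVITY.get(app, "high")   # unknown apps are treated as sensitive
    age = now - session.authenticated_at
    if age > MAX_SESSION_AGE[tier]:
        return False, f"session age {age} exceeds limit for {tier}-sensitivity application"
    if tier in ("high", "medium") and not session.mfa_verified:
        return False, "MFA required for this application"
    if tier == "high" and not session.device_compliant:
        return False, "non-compliant device blocked from high-sensitivity application"
    return True, "allowed"


def evaluate_requests(session: Session, apps: List[str], now: datetime) -> Dict[str, Tuple[bool, bool, str]]:
    """Run both policies over a list of application requests.
    Result per app: (static_allowed, dynamic_allowed, dynamic_reason)."""
    results: Dict[str, Tuple[bool, bool, str]] = {}
    for app in apps:
        allowed, reason = dynamic_decision(session, app, now)
        results[app] = (static_decision(session, app), allowed, reason)
    return results


# Constructed sample sessions: a contractor who just logged on from a
# non-compliant device, and a staff member whose logon is two hours old.
NOW = datetime(2022, 6, 1, 9, 0, 0)
CONTRACTOR = Session("c.doe", "contractor", True, False, NOW - timedelta(minutes=5))
STALE_STAFF = Session("s.roe", "staff", True, True, NOW - timedelta(hours=2))

if __name__ == "__main__":
    for label, session in (("contractor", CONTRACTOR), ("stale staff", STALE_STAFF)):
        for app, (static_ok, dynamic_ok, reason) in evaluate_requests(session, list(STATIC_APP_ACCESS), NOW).items():
            print(f"{label:12} {app:12} static={static_ok!s:5} dynamic={dynamic_ok!s:5} ({reason})")
```

The staff session shows the point of the passage: the static check still admits the two-hour-old logon to the HR records application, while the per-request policy refuses it until the user re-authenticates, without touching the lower-sensitivity ticketing and public applications.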