Government in the Crosshairs: Recommendations for Federal Cybersecurity

Katherine Charlet recently authored a primer on securing federal networks, “Understanding Federal Cybersecurity,” published by the Belfer Center for Science and International Affairs.

WHY THE ISSUE IS IMPORTANT

Federal networks are attractive targets for foreign intelligence services and other malicious actors in cyberspace. Networks serving over a hundred agencies and millions of employees enable government missions and operations, handle sensitive internal communications, and store personal data on millions of Americans. The level of threat faced by federal government networks has few parallels.

Intrusions into federal networks by actors like Russia, China, and Iran are deeply concerning because of the potential to disrupt significant functions upon which society relies. Federal information systems enable immigration, global financial transactions, and law enforcement. They hold massive amounts of private data on U.S. citizens.

As concerning as recent breaches have been, the United States is nonetheless lucky that so far, such breaches have mostly resulted in stolen information or nuisance-level attacks. But it is not a stretch to imagine far more concerning outcomes, such as the disruption of an agency’s ability to conduct core functions for the U.S. public or manipulation of data that undermines confidence in government services or in public information.

PRIORITY ACTIONS

1. Congress must appropriate meaningful funds to IT modernization in FY 2019. The passage of the Modernizing Government Act was an important foundation for addressing the government’s legacy information technology problem. While it’s a good pilot step, the $100 million appropriated for FY 2018 is a drop in the bucket of what is needed; former president Barack Obama’s administration’s rough calculation was $3.1 billion. A larger-scale, up-front investment—one that can reinvest savings from use of modern approaches—would keep momentum going on much-needed modernization efforts.
2. All agencies should maintain momentum on baseline initiatives like adopting shared services and commercial technology. Steady progress makes a difference. All agencies should continue pushing to strengthen recent initiatives such as the adoption of shared services and commercial technology; consolidation of commodity information technology functions; efforts to hold agencies accountable on basic hygiene; and progression of the DHS’s capabilities to detect threats and vulnerabilities in agency networks.
3. The White House should increasingly evolve agency risk assessments to focus less on systems and assets and more on missions and functions. Federal agencies have focused on identifying and protecting high-value assets. This is useful, but it misses the fact that disrupting networks or systems that aren’t individually considered high-value could still disrupt an agency from performing a key function. The National Security Council (NSC) and Office of Management and Budget (OMB) should direct each agency to first identify its core missions and functions, second identify the network infrastructure that supports those functions, and finally develop risk mitigation measures to ensure continuation of the core function even if that infrastructure were subject to cyber attack.
4. The NSC should drive an interagency process to establish benchmarks for securing federal functions from cyber attack. Certain functions may be so critical that an extremely high bar is set to prevent even the most sophisticated adversaries from disrupting them. Other functions may be impossible to fully secure from adversaries like Russia and China; this would then call for tailored strategies to deter those countries from disrupting those functions. Setting a threat-based benchmark can help manage risk, and limited resources, more strategically. (See the report by the Defense Science Board Task Force on Cyber Deterrence for a similar approach.)
5. The Department of Homeland Security (DHS) should develop a plan to best leverage its authority to issue Binding Operational Directives. In 2014, Congress gave the DHS the authority to direct federal executive branch agencies to take specific steps to safeguard federal information and information systems. This is a powerful tool for setting a common approach to cybersecurity across agencies, but the DHS has so far been circumspect—it has only used its authority six times. This restraint adds significance to each individual use, but the DHS should develop a strategic plan for when, and to what end, they can best use this authority.
6. Agency heads must demand better risk-based decisionmaking tools. Agencies with engaged department heads or deputies are much more likely to use resources strategically, force mission or business owners to attend to cybersecurity, and empower chief information officers to take steps needed to protect systems and enforce standards. But leaders are busy people, and not IT experts. They should demand better tools to visualize and make good risk management decisions. The Cybersecurity Scorecard at the Department of Defense (DoD) and the DHS’s Dashboard are potential models.
7. Agencies and Congress should expand special hiring authorities for cyberspace expertise, but should also focus on retention. Getting and keeping the right talent can have an outsized impact on protecting government networks. Congress has provided both the DoD and DHS with more flexible authorities for hiring skilled cybersecurity personnel. These kinds of authorities would be valuable for other agencies, and could be targeted if necessary toward those positions focused on securing critical government functions.
8. The General Services Administration should identify and promote procurement policies and staffing to better incorporate cybersecurity considerations. There aren’t enough acquisition professionals or program management professionals with experience in software product development, which means that acquisition decisions can provide inadequate weight to cybersecurity.
9. The DHS and the Office of Science and Technology Policy should develop a strategy for automation in federal cybersecurity. Automated network defense applications have the potential to give defenders a greater advantage over attacks in cyberspace. The government should look five to ten years into the future to characterize how these trends could be leveraged to secure federal networks. One way of doing this is by examining the progress made against the Federal Cybersecurity Research and Development Strategic Plan.

CONCLUSION

There are no silver bullets for federal cybersecurity. The system will retain its inherent complexity, necessitating close coordination and partnership. Federal cybersecurity will be an enduring mission, always evolving and changing to stay ahead of the threat. In other words, there is no finish line—only continual improvement, adaptation, and cooperation to secure the federal government and those it serves.

For more information about the challenges of securing federal networks see Kate Charlet’s report, “Understanding Federal Cybersecurity,” published by the Belfer Center for Science and International Affairs.