The Defense Department continues to struggle to keep classified and other sensitive data from being leaked by employees or contractors, or posted online by anonymous hackers. A recent report by the DoD Office of Inspector General lists Increasing Cyber Security and Cyber Capabilities as a top-10 management challenge for 2018. What security lessons can the DoD and other Government agencies take from private industry to help address this challenge?

A 2016 joint hearing before members of the US House of Representatives, Cybersecurity: What the Federal Government Can Learn from the Private Sector, included testimony from several leaders in the private-sector security technology space. They offered the following advice for improving Government cyber security.

John Wood, CEO of Telos Corporation, recommended:

  • Establishing and enforcing cybersecurity policies and procedures, including effective password management practices.
  • Requiring regular security awareness training.
  • Applying updates and patches promptly to manage vulnerabilities.
  • Making cost-benefit choices about which systems to defend, and how, based on the likelihood of an asset being attacked, the value of that asset, the cost of defending it, and the cost of losing it.

Identifying critical data is an essential first step for every agency. Private-sector breaches have illustrated the breadth of data that is available to, and targeted by, attackers. The Department of Defense may be top-of-mind in terms of assets to protect, but every agency has ‘crown jewels’ that require protection. For example, the breach at the US Office of Personnel Management (OPM), which began in 2014 and was disclosed in 2015, exposed personnel records and security-clearance background investigation files of at least 22 million people. Those files included data such as mental health history, criminal records, financial information, and fingerprints. Officials have said that this level of detail makes it likely that foreign governments will try to use the data to identify US operatives, particularly those in intelligence roles.

Dr. Martin Casado, Senior VP at VMware, stressed that a sole focus on perimeter-centric defense is no longer effective, stating:

“Perimeter-centric cyber security policies, mandates, and techniques are necessary, but insufficient and ineffective in protecting U.S. government cyber assets alone.”

Ken Schneider, VP at Symantec, reiterated the need for a cyber-aware workforce, enabled by initial and refresher training and simulated security drills. In addition, he recommended the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework – itself the product of a successful public-private collaboration – as a tool that is equally useful to Federal agencies for building out a cyber security program or for assessing an existing one.

Larry Clinton, CEO of the Internet Security Alliance, strongly advocated for an increase in Government spending. The statistics he cited on the gap between private-sector and government spending are dramatic: private-sector spending on cyber security had nearly doubled over the preceding several years to $120 billion annually, while federal non-defense spending on cyber security in the year of the hearing would be between $6 and $7 billion. Private-sector spending on cyber security was projected to increase 24 percent the following year, against about 11 percent for the federal government.

He noted that this underinvestment hurts the Government’s ability to compete with the private sector for scarce cyber security professionals, and described a “tendency to focus more on buying technical solutions than on people to operate that technology.”

Finally, those in both the private sector and Government are increasingly stressing the need for ongoing information sharing. Check out our previous blog post, where we highlighted the importance of harnessing the wisdom of the crowd and collaborating.
