InfoSec Spending: Playing Catchup
Can Shrewd Spending Help Government Defenses?
The federal government last year spent $13 billion on cybersecurity, and President Obama proposes spending $14 billion next year. Will the extra money make a difference? Perhaps. But it feels as if we'll never be fully secure regardless of how much money we spend.
Homeland Security Assistant Secretary Andy Ozment gives two reasons for the need for increased spending. First, government agencies must modernize their IT systems so they can be more easily secured. That's the problem facing the Office of Personnel Management, with its antiquated legacy system that got hacked, exposing the personal information of millions of federal employees and retirees. "We're catching up on many years of underinvestment," Ozment told the House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies on June 25.
The second reason: The bad guys will remain a step or two (or perhaps more) ahead of us in developing new ways to thwart security safeguards. "As we improve our defenses, they will improve their offense, so we'll have to continue to invest to maintain pace with an adversary who is also investing," Ozment said.
But how should that money be spent?
The Defense-in-Depth Strategy
A popular approach pursued by governments and businesses is the defense-in-depth strategy, which simply means do everything - hopefully smartly - to secure IT, including adopting basic cyber hygiene (patching, for instance), securing the perimeter, implementing two-factor authentication, encrypting data and continuously monitoring for vulnerabilities.
"While recent government-wide initiatives hold promise for bolstering the federal cybersecurity posture, it is important to note that no single technology or set of practices is sufficient to protect against all these threats," Gregory Wilshusen, Government Accountability Office information security issues director, told the subcommittee. "A defense-in-depth strategy is required that includes well-trained personnel, effective and consistently applied processes and appropriately implemented technologies."
The problem with the defense-in-depth strategy is that virtually no organization can afford - or has the talent on staff - to do it all. Risk assessments help to determine where best to spend limited dollars, but there's no guarantee that IT would be fully protected.
Besides, spending money even on valuable security tools does not ensure that an organization will implement them properly. "It will require effective management in addition to resources to accomplish this," Wilshusen said.
Creating Secure Enclaves
As government agencies contemplate how to spend their budgets on IT security, some out-of-the-box approaches should be mulled. One idea is to re-architect the Internet, or at least the part of the Internet a government agency can control. "As recent breaches have demonstrated over the past several years - with the OPM breach as an exclamation point - it is time to develop secure enclaves to protect key government information, data and networks," said David Gerstein, a former DHS deputy undersecretary for science and technology who conducts research for the think tank The Rand Corp.
As Gerstein pointed out at the hearing, the same Internet that stores grandma's cookie recipes also links to control systems that run nuclear power plants. He said the time has arrived for the federal government to develop a national cybersecurity strategy for segmenting "the Internet such that you develop secure enclaves that have a greater degree of security."
It's a similar idea to the one former CIA CISO Robert Bigman proffers in a forthcoming blog we'll post. He proposes that organizations isolate access to the Internet by routing it through a VLAN/VDI (virtual LAN, virtual desktop infrastructure) connection from their internal network clients to a protected, internal "demilitarized zone" domain.
Curtailing Data Exfiltration Risk
"All Internet connections terminate in the DMZ domain and data can only be moved into the organization's internal network via a one-way physical diode," Bigman explains. "This configuration almost completely eliminates the data exfiltration risk. Furthermore, instead of having to monitor and secure every endpoint in the organization, this configuration reduces the risk to securing and monitoring only the DMZ domain."
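To make the zoning rules in Bigman's description concrete, here is an added illustration (not code from Bigman or from this article) that models the three zones and checks candidate network flows against the policy: Internet connections terminate in the DMZ domain, internal clients reach it only as a VDI session, and data enters the internal network only over the one-way diode. The `Flow` schema, service labels and sample flows are constructed for the example.

```python
from dataclasses import dataclass

# Zones in the design: the internal client network, the DMZ domain where every
# Internet connection terminates, and the Internet itself.
INTERNAL, DMZ, INTERNET = "internal", "dmz", "internet"

@dataclass(frozen=True)
class Flow:
    """A connection described from its initiating side (hypothetical schema)."""
    src_zone: str
    dst_zone: str
    service: str        # constructed labels: "vdi-display", "https", "smb", "diode-ingest"
    carries_data: bool  # True if the channel can move files or bulk data

def evaluate(flow: Flow) -> tuple:
    """Return (allowed, reason) for a flow under the enclave policy."""
    if flow.src_zone == INTERNAL:
        # Internal clients reach the Internet only via a VDI session into the DMZ;
        # the display channel carries screen/keyboard/mouse, not file payloads.
        if flow.dst_zone == DMZ and flow.service == "vdi-display" and not flow.carries_data:
            return True, "vdi session into dmz"
        return False, "internal network may not originate data-bearing or direct Internet flows"
    if flow.src_zone == DMZ:
        if flow.dst_zone == INTERNET:
            return True, "dmz terminates Internet connections"
        if flow.dst_zone == INTERNAL and flow.service == "diode-ingest":
            return True, "one-way diode is the only path into internal"
        return False, "only the diode crosses dmz->internal"
    if flow.src_zone == INTERNET and flow.dst_zone == DMZ:
        return True, "inbound Internet connections stop in the dmz"
    return False, "no direct Internet-to-internal path exists"

# Constructed sample flows, as an auditor might pull them from firewall logs.
SAMPLE_FLOWS = [
    Flow(INTERNAL, DMZ, "vdi-display", False),
    Flow(INTERNAL, INTERNET, "https", True),   # direct browsing: must be denied
    Flow(INTERNAL, DMZ, "smb", True),          # file share into DMZ: an exfil path
    Flow(DMZ, INTERNET, "https", True),
    Flow(DMZ, INTERNAL, "diode-ingest", True),
    Flow(DMZ, INTERNAL, "smb", True),          # bypasses the diode: must be denied
    Flow(INTERNET, INTERNAL, "ssh", True),     # no direct path: must be denied
]

def audit(flows):
    """Evaluate each flow; returns a list of (flow, allowed, reason)."""
    return [(f, *evaluate(f)) for f in flows]

def allowed_exfil_paths(flows):
    """Allowed flows that leave the internal network carrying data. The design's
    claim is that this list is always empty."""
    return [f for f in flows if f.src_zone == INTERNAL and f.carries_data and evaluate(f)[0]]
```

Running `audit(SAMPLE_FLOWS)` shows that only the VDI session, the DMZ's own Internet connection and the diode ingest are allowed; the three flows that would carry data out of or around the enclave are all denied.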
Creating enclaves or DMZs is a worthy idea to ponder, and it might help mitigate OPM-style breaches. But in reality it is just another component of the defense-in-depth strategy that will require more cybersecurity spending.