by clicking on the page. A slider will appear, allowing you to adjust your zoom level. Return to the original size by clicking on the page again.
the page around when zoomed in by dragging it.
the zoom using the slider on the top right.
by clicking on the zoomed-in page.
by entering text in the search field and click on "In This Issue" or "All Issues" to search the current issue or the archive of back issues respectively.
by clicking on thumbnails to select pages, and then press the print button.
this publication and page.
displays a table of sections with thumbnails and descriptions.
displays thumbnails of every page in the issue. Click on a page to jump.
allows you to browse through every available issue.
FCW : September 30, 2015
dangerous attacks rather than try- ing to decide which of the seemingly endless alerts to pursue today. The cybersecurity industry has made great strides in those areas in the past few years, and the gov- ernment should be using the most advanced tools for prevention and detection that take advantage of threat intelligence from users all over the world. 2. Fully establish and monitor trust. Even with the most advanced prevention tools, the government needs to assume that sophisticated adversaries will gain access. So alter- native approaches are needed — par- ticularly ones that rely on creating more trust in online interactions. The root of all trust is verified identity, and in the online world, multifactor authentication methods are the key to doing that. A plethora of newly available technologies enable multifactor authentication for both internal (government) and external users. And some of the solutions can integrate with antiquated systems. However, the government needs to step back and rethink how it rapidly implements ubiquitous use of multi- factor identity authentication. Even though the root of trust is identity, there is more to the equa- tion. In the physical world, I trust other people because I have high con- fidence they will act in a manner that I expect. Some of the most damaging data breaches have come from indi- viduals who were properly authenti- cated and authorized to use systems and access data, but their behavior was not in keeping with what was expected. This is commonly called the insider threat problem. There are new technologies and capabilities today that can bring in other contexts to assess someone’s trustworthiness on a regular basis, such as audit logs or behavioral analy- sis systems. Those additional factors, beyond those used to assess authen- ticity, are essential to fully establishing and monitoring trust. 3. Focus on protecting the most sensitive information. The govern- ment needs to target additional pro- tection of an agency’s most sensitive information, whether it is in the form of datasets or documents. Tools and products exist that enable agencies to protect information independent of the likely insecure environment in which they operate. Agencies should focus on their most valuable information. I recognize that there are limitations because of the antiquated systems in which some of that information resides, but by focus- ing efforts on the most sensitive infor- mation, the government could ensure that only trusted parties would have access to an agency’s most sensitive information. That would go a long way toward thwarting additional major and damaging data breaches. It is difficult to implement state-of- the-art IT cybersecurity solutions if you have no way to rapidly evaluate them and then purchase or license them. The Continuous Diagnostics and Mitigation (CDM) program and Einstein could potentially serve as governmentwide vehicles for that process, but it has taken significant time to put them in place. I recommend an approach that enables individual agencies to rap- idly bring in solutions and try them in a test-bed environment. After thorough testing and based on what works best, agencies should be able to roll security solutions into produc- tion. That approach would ideally encompass traditional cybersecurity vendors and new vendors that have little or no government experience. They are an incredible source of technical innovation. The government is not getting the best solutions through the existing acquisition process. Therefore, I rec- ommend that the Office of Federal Procurement Policy work with the General Services Administration and the Department of Homeland Secu- rity to put a more streamlined CDM program in place — one that would enable rapid addition of new capabili- ties as they become available in the commercial market. The data breaches at the Office of Personnel Management are terrible for the government and for the millions of us who could be negatively affected in the future. Viewed through the right lens, however, the episode could be the impetus for much-needed and sus- tained change. And given the need to implement the Federal IT Acquisition Reform Act, the current administra- tion has a golden opportunity to set the correct foundation for success. It is critical to make enough progress in the next 18 months to ensure that leadership commitment to FITARA, FISMA modernization and other need- ed changes in IT security are sustained into the next administration and Congress. n 32 September 30, 2015 FCW.COM CIOPerspective When I look at the current cross-agency priority goals for cybersecurity, I believe the government is still trailing behind current IT security best practices. 0930fcw_031-032.indd 32 9/8/15 1:36 PM
September 15, 2015