In this Help Net Security interview, Erica Banks, VP and a leader in Booz Allen’s civilian services business, discusses the Federal Cybersecurity Strategy’s role in safeguarding national assets.
Banks outlines key areas for improvement, including funding, talent retention, and leveraging AI for enhanced cyber defense.
Ongoing nation-state threats and attacks on critical infrastructure are highlighting the urgency for the implementation of a holistic national cyber strategy – one that goes beyond compliance and urges companies to put resources to the rhetoric. With the National Cyber Strategy Implementation Plan pushing for a more aggressive approach to cyber preparedness and constant attacks increasing the pressure for accountability, companies and the U.S. government need to be strategically allocating roles, responsibilities, and resources to outpace evolving threats.
We need an increase in operational collaboration across the federal government with a focus on synchronizing offense and defense. The government must find ways to capture insights from offensive cyber operations, anonymize them, and share them with defenders to accelerate defensive improvements.
Federal agencies need more funding to shore up cyber defense. Irregular and unpredictable funding jeopardizes sustained investment and shifts focus from proactive risk management to reactive, piecemeal efforts that are not addressing true threats. A multi-year plan should include resourcing strategies for CISA and FCEB agencies to enable consistent and sustainable investments.
To create tomorrow’s cybersecurity solutions, the U.S. must harness the national cyber tech and innovation base. Use of OTAs to pilot innovative approaches prior to scaling to cover FCEB provides the government with access to non-traditional vendors with a streamlined procurement process that expedites access to technology to combat emerging threats.
Accountability is one of the driving forces behind change. Metric-based goals that balance innovation with compliance will provide the necessary guidance and allow the federal government to monitor progress.
CISA and FCEB agencies have unprecedented, near real-time insight into the federal enterprise as a result of the investments made in recent years. This operational visibility has been transformative in increasing efficiency of compliance reporting.
Not only do we need to hire and upskill the right talent, but we also need to diversify the cyber talent pipeline and scale today’s cyber talent to grapple with evolving threats using new technology and non-labor-based solutions. As an industry we also need to embrace non-linear, non-traditional entry points into a cyber career such as skills-based or aptitude-based assessments and reskilling programs.
When thinking about talent retention, individuals in the cybersecurity profession are uniquely susceptible to burnout and cognitive overload due to the nature of the field. To accommodate the needs of this critical workforce and fill the 771,000 cyber positions open today, organizations must make easing cognitive overload a top priority by providing direction and guidance that clearly defines roles and top priorities. Security teams also often burn out as a result of too many tools, too much data, and an excess of information. Getting security professionals’ feedback and cutting out extraneous tools or finding the right combination of resources can help solve these challenges.
On its own, human-driven cyber defense is too slow to keep up with technologically advanced adversaries. AI-enabled cyber defense tools augment resource-constrained staff to proactively detect adversarial attacks. Effective use of AI enables enterprises to keep pace with adversaries and create efficiencies to counter talent shortages that lead to retention challenges.
Different organizations will have varying risk management maturity levels in different areas. For example, CISA’s Zero Trust Maturity Model is one of many roadmaps that agencies can reference as they transition towards a zero trust architecture. When in doubt, performing an initial assessment can help an organization gauge maturity in a particular area, and plan targeted improvements.
Planning frameworks must produce better alignment of resources against risk assessments to target limited resources against prioritized gaps. Risk assessments should include near real-time visibility that CISA has provided into their enterprise to generate actionable and contextualized risk recommendations.
We must also evaluate resiliency. If we assume breach and loss of availability, what plans are in place to restore functionality? Agencies need to identify their mission critical systems and plan how prioritized restoration will occur.
Critical infrastructure protection: As attacks from the past year have demonstrated, adversaries are targeting the operational technology and industrial control systems within the nation’s critical infrastructure. Failure to protect these assets can result in a widely felt and visible impact upon civilians, and this makes defending critical infrastructure a key priority for federal cybersecurity now and moving forward.
Zero trust implementation: Federal civilian agencies are required to implement some level of zero trust by the end of fiscal year 2024, and the DOD has its own zero trust targets for 2027. Given the diverse range of missions these federal agencies support, it is essential that they are protected against disruptive cyber threats, and zero trust principles – assume a breach; never trust, always verify; allow only least-privileged access – can provide protection in real time.
AI-backed cybersecurity: Foreign adversaries are ramping up their use of AI and have already shown how it can be used to influence domestic unrest in the U.S. and other countries. To keep up with the innovation of foreign nations, the U.S. must be committed to the use and implementation of AI technology that is robust against high-paced technological enhancements and advanced adversarial capabilities. AI can play an important role in threat detection and prevention, overhauling traditional reactive cybersecurity tactics and improving resilience in essential services like power grids and financial systems.