Cybersecurity: Shifting from Concept to Culture
By Doug McGovern, CIO and Director of IT Services, National Geospatial-Intelligence Agency
♦ 750,000 malware attacks in 2014.
♦ PII and PHI are stolen from federal and commercial enterprises.
♦ Millions of dollars and identities are stolen every year.
♦ Drones, phones, cars, medical devices, home appliances and security systems are hacked daily.
♦ Malware and preconfigured botnets are sold at staggeringly low costs on the darknet through what is essentially the Amazon marketplace for cyber-crime.
On the surface, these points could easily be mistaken for the trailer to next summer’s Hollywood blockbuster. Unfortunately, in the aftermath of the U.S. Office of Personnel Management, Target Corp., Sony, and eBay data breaches—to name a few—these points represent the all-too-real reality of today’s cyber threat to the federal government, its workforce and its mission.
Research on cyber-attacks over the last eight years shows that cybercriminals are agile and opportunistic, as evidenced by targeted phishing attacks that take place immediately following breaking news and public announcements about data breaches.
After every data breach in the past several years—from OPM to eBay—the cyber defense community identified spear-phishing campaigns that fooled individuals into clicking malicious links by masquerading as legitimate data breach notification messages.
The recent Verizon 2015 Data Breach Investigations Report highlighted that 23 percent of the recipients of spear-phishing emails opened the messages, and 11 percent opened the attachment containing malware. The report went on to predict that the number of proliferated IT devices will reach 5 billion by 2020.
Additionally, a 2015 global survey conducted by ISACA, formerly known as the Information Systems Audit and Control Association, among its more than 100,000 members across more than 180 countries found that 86 percent believed we have a critical shortage of skilled cybersecurity professionals. While 83 percent of those surveyed believed cyber-attacks are among the top three threats we currently face, only 53 percent planned to increase cybersecurity awareness training in 2015.
Given these staggering statistics, how do we in the intelligence and defense communities protect our data?
The truth is that the majority of these cyber intrusions can be avoided if we protect our digital environment with the same urgency and care that we protect our physical environments.
However, that protection does not equate to building bigger walls or gates in order to protect our operations. We need to leave behind the moat-and-drawbridge approach to enterprise network and information security, and, instead, work to ingrain cybersecurity into our everyday practices and routines.
Technology and standards help, but they are tools and guidelines to assist—not replace—consistent pragmatism, common sense (what we call good cyber hygiene), and a clear and carefully considered balance between security and risk acceptance.
The Future of Cybersecurity
For the intelligence community and NGA, the need to conduct and support national security operations in an increasingly open and transparent online environment remains key to the success of our U.S. national security mission.
As NGA continues to adopt cloud-based strategies and move into a more open environment, our level of risk to cyber-attacks increases, and the OPM breach serves as a reminder that we face adversaries who have a vested interest in stealing and exploiting vital government information.
To mitigate this threat to the GEOINT mission, we at NGA are working to indoctrinate sound cybersecurity at the root of our agency’s culture and daily operations to ensure our GEOINT data and products remain trustworthy and uncompromised.
There’s a principle we’ve recently adopted: ‘Cybersecurity is like air and water, it’s not optional’.
This principle means that cybersecurity is everyone’s responsibility.
For NGA, the majority of our traditional cybersecurity expertise resides in our Chief Information Officer and IT Services Directorate, but impactful cybersecurity requires engagement from everyone at NGA—from the imagery analyst to the staff officer to our senior leadership, with cybersecurity experts continuously partnering with the workforce to mitigate risk and ensure the safety of GEOINT information.
While no perfectly secure technology or standard exists to help us mitigate the cyber threat, we have small—but impactful—ways that our collective culture will help us keep the threat at bay.
To do so requires those outside of the cybersecurity workforce to incorporate cybersecurity by design and understand the risks to the GEOINT mission if these best practices are not put into our daily habits.
In short, the future of cybersecurity is about a transition from concept to culture.
So we are making it a priority to increase our workforce’s understanding—which goes beyond awareness—of the Internet’s exponentially increasing impact on our operational space and what each member of our workforce can do to operate in this space safely and securely while meeting mission requirements.
Our cyber defenders, security control assessors and system administrators work with all levels of NGA’s personnel—from leadership to mission operations—to identify the root cause of vulnerabilities while also working daily to sustain system and policy compliance across enterprise systems and conduct penetration testing to help identify impactful vulnerabilities for mitigation or removal.
We teach our personnel to routinely encrypt all data—even if sending to a counterpart at another agency on our most secure networks—so adversaries cannot distinguish between our most sensitive operational data and our routine reports. We use PKI, HTTPS and secure shell to transit material and data; we place added protections in the Cloud.
This concept rests on the foundation that the role of cybersecurity is built in from the beginning of a system, program, or operation and not bolted on as an afterthought.
This is the future of cybersecurity.
In the end, the threat stands ready to use all means possible to deny, destroy, degrade or disrupt our mission operations.
It is imperative that we all remain vigilant, especially given our push to a more open and integrated operations space. It is about the protection of our whole data, not just a single intelligence discipline.
At the end of the day, cybersecurity is everyone’s responsibility, and at NGA, we are working to make that vision the reality.