Modern threat actors and the condition of today’s threat landscape are forcing the collective hand of cybersecurity to go on the offensive -- and federal agencies are no exception. As cyber attackers grow increasingly adept at identifying and exploiting infrastructure weaknesses, they will opt for the path of least resistance. Therefore, agencies with a security posture that goes beyond traditional cyber defenses will fall farther down the list of attack targets -- but they will still be targeted.
You’ve likely heard the old adage that you don’t have to outrun the bear, you just have to run faster than the guy next to you. But in the cybersecurity game, there is more than one bear, and they are all driving Humvees. You can’t just run. You need to get ahead and proactively secure your perimeter and lay out road spikes to prevent their advance.
Why Federal Agencies are at a High Risk of Cyber Attacks
According to a survey of federal cybersecurity leaders, 75% of respondents estimated their high value assets have been potentially compromised in the past 12 months. There are several reasons why attackers set their sights on Federal targets. For one, there is no shortage of proprietary data in the government space. Cyber attackers will do just about anything to get their hands on it. Additionally, there’s the street cred factor, where malicious actors wear the taking down of any facet of the government like a badge of honor.
Additionally, Federal cybersecurity has been weakened by the pains of a somewhat sudden security growth spurt that has occurred within the last few years. In fact, according to the 2022 Verizon Data Breach Investigations Report, “nefarious Nation-state actors have rarely, if ever, come out swinging the way they did over the past 12 months.” Threat landscapes have expanded at breakneck speed. Every agency must contend with an ever-widening attack surface, as network perimeters grow, team members become more far-flung, and the proliferation of IoT continues. Additionally, technology itself will not be contained, with innovations like the Cloud, 5G, and edge computing pushing the limits of what aging agency infrastructure can do to respond.
Keeping pace with this innovation is an expanding knowledge base and skill set, which prompts leaders to examine current cybersecurity practices and enact new compliance mandates and executive orders based on rising risk levels, threat intelligence, and increasingly sophisticated cyberattacks.
Opening the Offensive Security Door
Executive Order 14028’s Zero Trust requirement is one such mandate that has come on the heels of increased cyber attack activity, which has spiked in the last few years. In a way, it forces open the door to proactive or offensive security measures that go beyond reactive tactics because, for Zero Trust to even be considered, foundational security must be solidly established. This means finding and fixing weaknesses in an agency’s networks and applications that have yet to be discovered and/or exploited.
With so many siloed networks and endpoints running rampant, it takes a multi-layer approach to herd all of the cats. To pave the way for Zero Trust, or even the first few steps toward it, agencies must make truly concerted efforts to proactively identify their vulnerabilities. That means thinking like attackers and anticipating their moves with tactics such as penetration testing and adversary simulation. It is equally important that agencies employ mature methods of managing remediation, so that only the weaknesses that pose a true risk get addressed and no resources are wasted due to incorrect prioritization and busy work.
Doing More With Less
All of the above said, knowing what needs to be done and having the ability to do it are two different things. Government agencies and private sector organizations alike are struggling to find the resources needed to maintain and improve their security posture. Lack of skilled cybersecurity personnel is a worldwide problem, with more than 3.12 million cybersecurity jobs just sitting open. IT teams are forced to find ways to do more with less, or at least to do more with the same. Robust tech stacks can help, but the tools involved must be carefully curated. It is imperative that agencies shop around for tools that provide efficiencies and can streamline processes so teams can scale security without having to grow the team.
Striving for Security Maturity
Advancing security maturity is a phrase that is mentioned quite a bit and perhaps in danger of losing its very important meaning. A mature security model should be sought after because of the exemplary protection it can provide, not because it’s an item to check off a list. Achieving security maturity means you have a well-rounded security program that includes proactive and reactive measures to protect your agency before, during, and after an attack. Unfortunately, the evolution of cybersecurity seems to have run counter to the attack continuum, as many organizations began their strategy with what to do after an attack instead of how to prevent one in the first place. They are fast learning the truth of another old adage – “The best defense is a good offense.” Whether you attribute that to George Washington or Bill Belichick, it rings more truthful every day.