Cybersecurity has never been more important for every level of our government.
The hacking attempts at major federal agencies have raised the profile of nefarious actors who use their highly advanced cyber skills to exploit both security and the vulnerabilities created by human error. Just last month, the Department of Defense confirmed that computer systems controlled by the Defense Information Systems Agency had been hacked, exposing the personal data of about 200,000 people.
Additionally, the Department of Justice recently charged four members of the Chinese military for their roles in the 2017 Equifax breach that exposed the information of 145 million Americans. The hackers were accused of exploiting software vulnerability to gain access to Equifax’s computers. They are charged with obtaining log-in credentials that they used to navigate databases and review records.
This was merely the latest in a long line of attacks on valuable personal information—some successful, some thwarted. Due to the high levels of information that the government collects and secures, the cyber stakes are raised even higher for the public sector compared to the commercial sector.
While cybersecurity has evolved, it has not kept pace with cyber threats that have become increasingly sophisticated. The top threats predicted for 2020 include weaponized email attachments and links, ransomware, microbreaches, and browser-based password hijackers.
All of these threats are heightened for governmental agencies, as they exist as a constant target. While 2019 figures have yet to be released, the Office of Management and Budget reported that there were more than 30,000 cyber incidents against federal agencies in 2018. That equates to nearly 100 every day.
To address these threats, Federal CIO Suzette Kent has made it clear that she believes cybersecurity must be a “high priority” and for it to be “embedded” throughout every aspect of technology. Her 2020 IT agenda contains a litany of items focused on cyber, including:
- Federal identity and access management.
- Cyber risk management, in partnership with the Homeland Security Department.
- Increased information sharing, in partnership with Homeland Security.
- Initiatives like Federal Cyber Reskilling Academy for an increase in the literacy of the entire government on cyber practices.
- Automated continuous monitoring.
The focus now for agencies is to turn Kent’s agenda into reality. This begins with the understanding that cybersecurity is inherent in everything government does. It is not just an isolated part of a few systems or the military.
One agency that has already begun to address it is the DOD, which created the Cybersecurity Maturity Model Certification to assess and enhance the cybersecurity posture of the defense industrial base. This new certification is intended to serve as a verification mechanism to ensure the appropriate cybersecurity practices and processes are in place. It also ensures basic cyber hygiene and protects controlled unclassified information that resides on its industry partner networks. While the DOD requires more than 300,000 contractors and subcontractors to be CMMC certified, federal civilian agencies are likely to soon follow suit.
Every technology project that an agency undertakes from here on out, must hold cyber as a foundational aspect. This begins with an internal culture that understands the need for it to be discussed and embedded from the onset of any project, arguably as the top priority.
The government’s reliance on legacy technology adds an extra layer of difficulty. But it’s not impossible to tackle. Cyber threats are always evolving; thus, the government must continuously evolve its own technology to meet these new challenges.
Allison Patrick is senior vice president of MAXIMUS Federal.