Government cybersecurity is at a critical junction. Faced with the rising threat of cyberattacks against physical supply chains and critical infrastructure, government agencies and organizations are looking for ways to safeguard their networks while still providing citizens with the service and access they expect from a modern organization. We saw this in 2021, with a number of high-profile breaches against organizations that comprise America’s critical fuel, food, and utility supply chains. Were the brazen, highly damaging attacks that we witnessed in 2021 a temporary problem? Have the organizations that comprise our critical supply chains and infrastructure taken steps to protect themselves in the coming year? And what will the cybersecurity threat landscape look like in 2022?
We recently sat down with Quest Software’s Federal Technology Director, Chris Roberts, to find out. Below are Roberts’ insights into the trends impacting the government cybersecurity space in 2022 and his four cybersecurity tenets that can help government agencies better prepare for the future.
GovCyberHub (GCH): What will be the largest cybersecurity challenges that government agencies will face in the coming year? Where will that challenge come from?
Chris Roberts: Honestly, the challenge is not one of threat or capability, but it’s more something that we haven’t paid a lot of attention to and those are fatigue and apathy. These two have always been the enemy in any environment that is trying to secure itself, one where vigilance is a constant requirement. Understandably, that level of watchfulness will make anyone fatigued and apathetic, especially when nothing happens because of how effective a system is at preventing a cyberattack.
But that’s the issue: threats are always presenting themselves in both old and new ways. As our networks evolve and change, they introduce new vulnerabilities that we might not be aware of initially. Those new vulnerabilities can often only be identified if constant and meaningful vigilance is maintained. That will continue to remain the front line of defense and will likely remain the main challenge moving forward.
Barring any significant breakthrough international treaty that encompasses the entire world, there will continue to be a near-constant barrage of attacks from states or their proxies, aimed at inflicting harm on critical infrastructure.
You don’t have to look far for examples of how this can damage a country; look at the Colonial Pipeline hack, which had real, tangible impacts on how this country operated. This attack succeeded because they approached an attack surface and pinged, scanned, and ultimately punched their way into the soft spots, collected what information they could, and then did it again until they got access.
GCH: It sounds like there are threats coming from all around, and that a successful attack can be incredibly impactful. So, what can we do to keep these breaches from happening?
Chris Roberts: Stopping attacks that are both sophisticated and near-constant does sound like a daunting task. The good news is that fatigue doesn’t affect automated vigilance. In fact, using automated InfoSec practices, especially using solutions, systems, and devices that can decide, learn, mitigate, and advise the talented InfoSec community, can make things a lot better.
Now, let me be clear; there is no magical way for a single resource to have one of those ‘Matrix-like’ views of the network. Instead, it requires a whole suite of solutions that can manage security, access, and process across all layers and segments intelligently. Embracing that can augment how government cybersecurity teams can succeed in safeguarding their networks.
So, what does that mean for companies like Quest, our partners, even our competitors? Well, it means that we all must continually evolve the way we deliver integrated solutions to better address these known challenges that face the federal government. Here at Quest, we have worked to integrate our solutions with major security vendors like Microsoft and their Azure platform, and with Splunk to ensure that agency clients can achieve their desired security outcomes.
However, there is no silver bullet. I believe that InfoSec practices are a great place to start. They are one of the best ways to overcome fatigue and apathy, which, as I said, presents the biggest challenge to government cybersecurity, at least in my opinion.
GCH: What should be the largest cybersecurity priority for government agencies in 2022? Where should government and military IT personnel focus their attention? Where should cybersecurity leaders be focusing their budget dollars?
Chris Roberts: Well, isn’t that the million-dollar question! It’s a chicken and an egg situation across the federal government when we work with them on their priorities. I guess the simplest way to approach the question of priorities is to focus on the evolution of the disintegrating security perimeter.
IT architecture now flows across on- and off-premises thanks to hybrid environments. As such, government cybersecurity efforts must be able to morph and change based on where the perimeter is at that moment.
With the increasing role of VPNs and remote solutions, and especially the use of personal devices to access networks, the edge of the perimeter is much farther out than it was even a year ago. You need to evolve your perspective and think about exactly where those things are and who is using them. That really needs to be priority one.
Priority two is to focus on the continual elimination of technical debt. Within the US government networks and systems, there are a lot of backward-compatible devices. While backward compatibility is a blessing, as in we can utilize a more diverse array of systems to meet demand, it is also a curse.
Backward-compatible devices are likely to be one of those soft spots I referred to earlier. That is because they likely don’t have the most robust cybersecurity architecture. They are also just older, and by that, I mean that sometimes those older hardware chips have vulnerabilities that can’t be patched or addressed.
Those two priorities, modernizing IT architecture and reducing technical debt, I’d say those are the areas that I’d direct funds to get systems set up for the future.
GCH: What can, and should, policymakers do to help agencies in this increasingly difficult fight against malicious actors in 2022? Can additional funding, guidance, or mandates help better position and prepare agencies to meet cyberthreats?
Chris Roberts: Throughout 2021, and prior, we have had multiple executive orders from the White House, from Homeland Security, from CISA, even architectural guidance from NIST; there was a lot of guidance. What we found, however, is that all the guidance was effective when it was coupled with agencies being able to make rapid changes with minimal red tape. This allows agencies to readily respond to evolving information security threats.
If there is anything we can do from a security standpoint, especially from an InfoSec standpoint, I believe that my four tenets are incredibly relevant. When I work with my clients, I encourage them to consider whether they know what data they have, what nodes are in operation in the network, what APIs are connecting to them, and who is accessing and using their network. If the answer is “we don’t know” to any of those, then that is the area to work on.
While there is always a place for more guidance, ultimately it is the agencies that know what they do and don’t need to bolster their security.
At the end of the day, it all comes back to the same best practices that have underpinned government cybersecurity for years, and that is to rely on good information security practices. It is tried and true for a reason, and if used with modern solutions from people like us here at Quest, well, I believe that is the best way to improve networks and keep them safe for years to come.