Sad to say, but this is a good time to be in the business of cybercrime.
We have put almost everything out there in cyberspace – personal data, intellectual property, even access to the controls of critical infrastructure. And we have been woefully deficient in defending it.
Commercial and government networks share a problem: bad cyber hygiene. We put off patching applications and operating systems even when their authors tell us there is a vulnerability. We click on malware-infested emails because they look harmless. And we keep connecting cars, cameras, TVs, and toasters to the Internet, every one of them giving attackers another way to infiltrate.
The government in particular, recognizing cybercrime as a direct threat to our nation, wants new ways to protect its networks and a holistic approach to cybersecurity. There are no easy answers in cybersecurity, but there are some very clear ways to get better at it.
Criminals love pretending to be someone else. They send emails from our friends and family to fool us into installing their malicious software. They steal our usernames and passwords.
We can make this much harder simply by managing our identities better.
One easy and enormously effective method is multifactor authentication, or requiring a person signing on to a system to confirm their identity in several ways.
The best authentication combines three things: something you know, like a password; something you have, like a token with a special code; and something you are — a biometric, such as a fingerprint. Any one of these things might be easy to steal or replicate. Two is much harder. Three is harder still.
Two-factor authentication is a widely accepted cybersecurity standard, but at some government organizations, it’s still optional. Making it mandatory across the board is a simple fix that will make it much harder for hackers to steal credentials and access sensitive data.
Every day, government employees receive emails infected with malicious code, and attackers have gotten really good at making those messages look legit. Identity management data can serve as an additional check for inbound email as a way for employees to confirm the new message in their inbox is genuine.
As with all things in cybersecurity, technology is only part of the fix. Training is also key — specifically, teaching people on a network to know a phishing attack when they see one.
We need to be smart about recognizing identities and criminal patterns. Technology will help us verify and minimize impact, but it's up to the users of the network to know a risk when they see it.
Identity management becomes even more effective when you segment your networks into slices, each with a different security standard determined by the level of risk. This limits unnecessary contact with highly sensitive segments, and by limiting the number of users and devices, we can reduce the noise and focus on finding the true threats. Also, when a threat breaks through, we have a much better chance of containing it.
On government networks, by the way, that noise is deafening. The Department of Defense alone has 1.5 million seats on its network. Software-defined networking can make those massive networks more resilient through greater segmentation, better identity management and authorization — and through permitting lean protocols designed for specific work, rather than general-purpose TCP/IP, with fewer opportunities for misuse.
Scale is a problem. The bigger the network, the greater the attack surface, and the more vulnerable a network is to a breach. One way to manage it is blockchain — a digital ledger of transactions on a network. Every record of every transaction binds to the history of transactions that came before it. Everyone on the network can see that history — but no one person can change it. Altering the ledger takes a consensus of people on the network. The security is built in to give us verifiable data.
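As an added illustration, not part of the original piece, here is a minimal hash-chained ledger in Python that shows only the linking property described above (each record binds to the one before it), not the network consensus; the transaction strings are constructed.

```python
# Added example (not from the original piece): a minimal hash-chained ledger
# showing how each record binds to the history before it, so that a silent
# edit of an earlier record is detected when the chain is re-verified.
import hashlib
import json

GENESIS = "0" * 64   # fixed all-zero link for the first record


def _hash_record(prev_hash: str, index: int, data: str) -> str:
    """Hash the record together with the hash of its predecessor."""
    payload = json.dumps({"prev": prev_hash, "index": index, "data": data}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def build_ledger(transactions):
    """Append each transaction, binding it to the hash of the record before it."""
    ledger, prev = [], GENESIS
    for i, tx in enumerate(transactions):
        h = _hash_record(prev, i, tx)
        ledger.append({"index": i, "data": tx, "prev": prev, "hash": h})
        prev = h
    return ledger


def verify_ledger(ledger) -> bool:
    """Recompute every link; an edited record breaks its own hash or the next link."""
    prev = GENESIS
    for rec in ledger:
        if rec["prev"] != prev or rec["hash"] != _hash_record(prev, rec["index"], rec["data"]):
            return False
        prev = rec["hash"]
    return True


# Constructed sample transactions.
SAMPLE_TX = ["alice grants bob read on segment-3", "bob revokes carol token", "audit export"]


def tamper_demo():
    """Return (valid originally, valid after edit, valid after edit + rehash of that record)."""
    ledger = build_ledger(SAMPLE_TX)
    before = verify_ledger(ledger)
    ledger[0]["data"] = "alice grants bob ADMIN on segment-3"   # constructed silent edit
    after_edit = verify_ledger(ledger)
    # Even recomputing the edited record's own hash leaves record 1's "prev" link stale.
    ledger[0]["hash"] = _hash_record(GENESIS, 0, ledger[0]["data"])
    after_rehash = verify_ledger(ledger)
    return before, after_edit, after_rehash
```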
Smarter automated firewalls
There’s nothing inherently wrong with the Internet of Things. But there’s something very wrong about a Wi-Fi enabled thermostat trying to access the personnel files down in HR. With new devices coming online every day, and devices continuously moving around our networks, IT staff are hard-pressed to maintain order, control, and segmentation of the network.
Historically, we have tried to block access to what we know is bad. But that’s impossible. We need to know what is good and appropriate on our networks and enable that. Smarter automated firewalls that can tell what’s on the network (such as a thermostat) and assign rules appropriate to that device or application would lighten the workload on human cyberanalysts, allowing them to pay more mind to what really matters.
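As an added example, not code from the original piece, the Python below contrasts the block-list approach the text calls impossible with a deny-by-default policy that assigns reach rules by identified device class, using the thermostat-to-HR case from the text; the device classes, destinations and ports are constructed.

```python
# Added example (not from the original piece): a tiny deny-by-default policy
# evaluator keyed on identified device class, shown beside a block-list.
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    device: str        # identified device class, e.g. "thermostat"
    dst: str           # destination service or network segment
    port: int


# Allow-list: what each known device class is permitted to reach. Anything
# else, including unknown device classes, is denied. Values are constructed.
ALLOW_RULES = {
    "thermostat": {("building-mgmt", 8883)},          # MQTT over TLS to the BMS only
    "workstation": {("hr-fileserver", 445), ("mail", 443), ("intranet", 443)},
    "camera": {("video-recorder", 554)},
}

# Block-list: the historical approach; only known-bad destinations are
# blocked and everything else passes. Constructed value.
BLOCK_RULES = {("known-bad-host", 443)}


def allowlist_decision(flow: Flow) -> str:
    """Deny by default; permit only what the device class is known to need."""
    allowed = ALLOW_RULES.get(flow.device, set())
    return "allow" if (flow.dst, flow.port) in allowed else "deny"


def blocklist_decision(flow: Flow) -> str:
    """Allow by default; deny only destinations already known to be bad."""
    return "deny" if (flow.dst, flow.port) in BLOCK_RULES else "allow"


def evaluate(flows):
    """Return (flow, blocklist_verdict, allowlist_verdict) for each flow."""
    return [(f, blocklist_decision(f), allowlist_decision(f)) for f in flows]


# Constructed sample traffic, including the thermostat reaching for HR files.
SAMPLE_FLOWS = [
    Flow("thermostat", "building-mgmt", 8883),
    Flow("thermostat", "hr-fileserver", 445),
    Flow("workstation", "hr-fileserver", 445),
    Flow("unknown-iot", "hr-fileserver", 445),
]

if __name__ == "__main__":
    for flow, bl, al in evaluate(SAMPLE_FLOWS):
        print(f"{flow.device:12} -> {flow.dst}:{flow.port}  blocklist={bl:5} allowlist={al}")
```

The block-list passes every sample flow, including the thermostat and the unknown device reaching the HR file server; the allow-list passes only the two flows that match a known device's job.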
No matter what the government does to shore up its network security, it must keep pace with innovation — both in the technology they’re trying to protect and the threats that seek to exploit it. Hackers have nearly boundless freedom to innovate. They’re always finding new angles, new ways to break in. For government agencies to address cyberthreats at scale, they need agile acquisition. Long acquisition cycles mean using yesterday’s technology to counter tomorrow’s threats.
The world now moves at the speed of cyber. To defend it, we have to look five years into the future. Some of our adversaries are already there.
Learn more at Raytheon.com/cyber.