By Gary Barlet, Federal Chief Technology Officer, Illumio
The world will spend nearly $170 billion on cybersecurity in 2022, and nearly $20 billion of that will be spent by the federal government – but ransomware attacks are still on the rise with no indication of slowing down anytime soon. That’s why the 2023-2025 Cybersecurity and Infrastructure Security Agency Strategic Plan is such an important document. It is an acknowledgement that our collective approach to cybersecurity needs to change if we want to stay ahead of evolving threats.
The Shift to a Resilient Mindset
The plan outlines a new path forward, one that is focused largely on bolstering and maintaining resilience in cyberspace. The very first objective (1.1) in the plan is to “enhance the ability of federal systems to withstand cyberattacks and incidents” – ensuring that “FCEB [federal civilian executive branch] agencies are prepared for and able to rapidly recover from cyberattacks and incidents” and that “FCEB agencies maintain mission continuity during and after cyberattacks and incidents.” This is a deliberate shift away from traditional security approaches which focus on preventing attacks and detecting them quickly when they break through the perimeter.
Successful cyberattacks have proven again and again that such prevention-focused tactics no longer work reliably. These traditional security models cannot solve the problems posed by a hyperconnected, digital-first landscape. Ransomware and bad actors are bound to breach the perimeter and evade detection.
CISA’s Strategic Plan acknowledges that we’re now in a new era of cybersecurity – one predicated on breach containment and resilience, focusing on isolating breaches and minimizing their impact to reduce damages and maintain continuous operations. This requires a change in mindset as well as technology. Only by understanding that cyberattacks are inevitable can we effectively limit their impact. Objective 1.1 shifts agency mindsets from “prevent breach” to “assume breach” – a timely and crucial transition.
Risk reduction and resilience are increasingly at the forefront of cyber strategies today, helping agencies move from a reactive posture to a proactive one. The process starts with shrinking the attack surface (something more federal agencies are doing with a large-scale shift toward Zero Trust Architecture) and enhancing visibility in order to minimize impact.
Agencies must also have comprehensive visibility in place to inform strategic and effective defense. They should focus on enhancing visibility across networks, cloud workloads, endpoints, and critical infrastructure. Agencies must also have ways to pinpoint and contain risks before they can become a threat to civilian operations or the larger software supply chain. Zero Trust capabilities like Zero Trust Segmentation (i.e., microsegmentation) can help isolate threats and reduce risk in scenarios like these.
The Need for Accountability
CISA’s Strategic Plan does good work in terms of encouraging federal agencies to shift to a resilience-based mindset, one of the biggest changes the government must face to modernize national cyber approaches. However, there are two major problems that the plan does not address: accountability and funding.
Accountability exists by default in the private sector where companies run the risk of losing business or failing due to a cyberattack, but government agencies still face roadblocks. The government is not a profit-making enterprise and does not lose business to competitors. Agency leaders are unlikely to lose their jobs for failing to meet a cybersecurity directive.
CISA’s plan, while it takes a step in the right direction by nodding to streamlined management and cross-agency collaboration processes, lacks specifics. Notably absent are goals and strategies for implementing accountability. It does not give specific timeframes for achieving objectives or assign responsibilities to particular job functions.
Unfortunately, history has shown that baking accountability into federal cybersecurity mandates is easier said than done. For example, HSPD-12, issued in 2004, was a step toward encouraging the adoption of multi-factor authentication (MFA) across agencies. But almost two decades later, the federal government is still educating departments about the need for MFA. Why? Because change happens slowly in the federal government.
The Search for Funding
The other major piece missing from CISA’s plan is funding. If agencies cannot hire personnel and adequately finance their goals, they cannot meet them or be held accountable for them. Plans are only actionable if resources like staff and money back them up. Most federal agencies only have the resources to implement a few new projects annually, so getting the funding for a particular project could take years.
Federal agency finances are also affected by factors such as long budgeting cycles, continuing resolutions, and various other economic constraints. Without a clear outline of funding priorities, and additional dollars to help convert these kinds of plans to action, the government will always run with weights on its ankles in the race against cyber attackers.
Even still, CISA’s Strategic Plan is a big step in the right direction. It is the latest to convey that it’s high time for the federal government to shift its approach to national cybersecurity. With threat actors evolving and the attack surface rapidly expanding, we must move from a traditional “prevent breach” approach to a mindset of “assume breach”. But as we look to the future, it’s imperative that we also consider how accountability and resources are tacked onto new objectives like these. It’s only action and accountability that can drive real change and improve our national resilience.
About the Author
Gary Barlet is the Federal Chief Technology Officer at Illumio, where he is responsible for working with government agencies, contractors and the broader ecosystem to build in Zero Trust Segmentation as a strategic component of the government Zero Trust architecture. Previously, Gary served as the Chief Information Officer (CIO) for the Office of the Inspector General, United States Postal Service. He has held key positions on several CIO staffs, including the Chief of Ground Networks for the Air Force CIO and Chief of Networks for the Air National Guard CIO, where he was responsible for information technology policy and providing technical expertise to senior leadership. He is a retired Lieutenant Colonel from the United States Air Force, where he served as a Cyberspace Operations Officer for 20 years.