As I blogged last month, the increasing quantity and sophistication of cyber attacks requires a comprehensive and coordinated strategy to secure the nation’s critical infrastructure and sensitive data.
Today I had an opportunity to continue the discussion while testifying before a congressional hearing on “Assessing Cybersecurity Activities at the National Institute of Standards and Technology and the Department of Homeland Security,” convened by the House Subcommittee on Technology and Innovation.
As I explained to the committee, the complexity and breadth of national governments, and the wide array of constituents they serve, require a careful and thoughtful approach to managing government-wide cybersecurity.
Most governments function like a conglomeration of businesses, each with different missions, partners, customers, data, assets and risks. The number and diversity of component organizations and systems make centralized management impractical—if not impossible. Each agency or ministry has a unique security paradigm with its own threats, so each must manage its own risk.
I believe a hybrid model for government cybersecurity can create both a “horizontal,” centrally managed security framework and customized, “vertical” solutions that meet the specialized security needs of individual agencies.
Such a combination of horizontal and vertical functions would help ensure that minimum security goals and standards are set, while enabling agencies to manage risks appropriately for their unique operating environments.
To maximize the value of a horizontal cybersecurity function, governments must collect the right data; analyze that data; and use the data to drive action.
To achieve these core objectives, I highlighted several tools I believe are essential:
Security monitoring: In addition to traditional network monitoring from intrusion detection systems, governments could use information provided by IT assets, such as routers, hosts, and proxy servers, to evaluate their operational and security status.
Audit: Meaningful audit data improves agencies’ cybersecurity posture because it drives behavior and provides accountability. In addition to comprehensive quarterly or annual reporting, this should include continuous audit, with spot checks and periodic evaluations that can help assess the adequacy of controls and compliance.
Advanced analytics: Monitoring and audit capabilities can create a baseline of data about the real-time health and overall trends in security. Combining this with threat information and advanced technical analyses can create an operational awareness of the “attack surface” of the government.
Agile and collaborative response: Over the past 10 years, there have been several attempts to improve operational coordination between and among key government and private sector stakeholders, but they’ve had limited success. I strongly support creating a more effective model for operational collaboration to move us from the less effective government-led partnerships of the past to a more dynamic and collaborative approach involving cybersecurity leaders from government, industry, and academia.
Innovative security controls: Since computing technologies advance at a rapid pace, organizations creating security policy, standards, and technologies must consider how transformative changes (e.g., wireless, RFID, peer-to-peer networks) create different risks and require different controls to maintain or improve security.
These capabilities are necessary to build an effective government cybersecurity function, but we must also recognize that cyberspace threats are not going to disappear. Technology alone will not create the trust necessary to secure cyberspace and realize the full potential of the Internet. Technological innovation must be aligned with social, political, economic and IT forces to enable change. Microsoft works with partners in the ecosystem to help drive and shape these forces to create a safer, more trusted Internet through our End-to-End Trust vision. Governments must similarly drive forward with clear vision and holistic Information Age strategies to combat these threats to national and economic security, and public safety. As long as threats evolve, so must our efforts to protect against them.