Facing the Cybersecurity Threat Head On

In October, ghosts and goblins come to life as decorations on front lawns and as candy-seeking children knocking on our doors. But stepping away from the frivolity of Halloween, October has also become a time for us to reflect on the real threats we face year-round when it comes to our data, identity privacy and online security.

National Cybersecurity Awareness Month (NCSAM), spearheaded by the Department of Homeland Security (DHS), is a "collaborative effort between government and industry to raise awareness about the importance of cybersecurity and to ensure that all Americans have the resources they need to be safer and more secure online." This year's theme is Own IT. Secure IT. Protect IT. Programs around the country will address topics including citizen privacy, securing consumer devices, and eCommerce security.

More than IT professionals talking to one another, NCSAM aims to reach out to the public to emphasize personal accountability and educate people about the importance of taking proactive steps to enhance cybersecurity at home and in the workplace. The NCSAM website has some handy guides that can be shared to educate people on these actionable steps.

Continue reading

Department Spotlight: The Department of Energy

The mission of the Department of Energy (DOE) is "to ensure America's security and prosperity by addressing its energy, environmental, and nuclear challenges through transformative science and technology solutions." Technology plays a huge role in both the research surrounding and protection of energy resources.

The DOE may lead the government in their use of supercomputer technology. In fact, supercomputering is one of the key focus areas in the agency's budget. This spring the DOE issued a contract that will allow them to build the world's most powerful computer with a performance greater than 1.5 exaflops. Supercomputers, like the one being built, provide researchers with the needed speed and scale to conduct scientific modeling and simulations as well as utilize AI and analytics for activities as diverse as manufacturing and public health.

Of course, the security of the data running through these supercomputers, as well as the national power grid itself is of paramount focus for the DOE. To support these growing needs, the DOE is looking to blockchain as a way to secure energy delivery and more.

We've pulled together a list of upcoming events that will help the DOE, as well as the companies that serve it, better understand the technologies that can ensure our energy supply remains secure and efficient.

Continue reading

CDM Hits Phase Three: Determining What is Happening on the Network

The Continuous Diagnostics and Mitigation (CDM) program, led by the Department of Homeland Security, was designed to fortify the cybersecurity of government networks and systems with capabilities and tools that identify risks on an ongoing basis, prioritize these risks based on potential impacts, and enable personnel to mitigate the most significant problems first. The program was rolled out in phases with phases one and two pretty much complete across government.

Now that agencies know what and who is on their network, they need to move onto phase three - what is happening on the network. This involves installing and managing the network and perimeter security measures. Given that the perimeter now includes mobile devices, securing those devices and the way they access the network is critical to meeting CDM goals. Currently,agencies are mapping out mobile connections at the agency level, and the networks with which agencies are regularly interacting.

Continue reading

Time to Get Serious About Federal Government Cybersecurity

From time to time GovEvents will come across information we feel our members and audience would benefit from. Here's something we wanted to share:

It is generally accepted that, as the National Institute for Standards and Technology points out, cybersecurity threats exploit the increased complexity and connectivity of our critical infrastructure systems and can potentially place the nation's security, economy, and public safety and health at risk. Like financial and reputational risk, cybersecurity risk affects the bottom line of both companies and nation-states. It can drive up costs and impact revenue. It can harm the ability to innovate and to gain and maintain customers, as well as make it difficult to meet the needs of citizens.

To address these risks, President Obama issued Executive Order 13636, "Improving Critical Infrastructure Cybersecurity," on Feb. 12, 2013. According to the Department of Homeland Security, this executive order directed the executive branch to do five things: develop a technology-neutral voluntary cybersecurity framework; promote and incentivize the adoption of cybersecurity practices; increase the volume, timeliness, and quality of cyber threat information sharing; incorporate strong privacy and civil liberties protections into every initiative to secure our critical infrastructure; and explore the use of existing regulation to promote cybersecurity.

Almost exactly one year later, a cyber intrusion began at the United States Office of Personal Management. This intrusion went undetected for 13 months. As the Wall Street Journal, U.S. News & World Report and other media reports noted, this intrusion was described by Federal officials as among the largest breaches of government data in the history of the United States. Information targeted in the breach included personally identifiable information, such as Social Security numbers, as well as names, dates, places of birth, and addresses. The hack even involved the theft of detailed security clearance-related background information, including more than 5.6 million sets of fingerprints.

Clearly, EO 13636 was insufficient to prevent a major cybersecurity event.

Less than a month ago, President Trump signed a new executive order, "Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure," designed to protect American innovation and values. This new executive order, which reflects considerable analysis, opens with four findings: that the executive branch has for too long accepted antiquated and difficult-to-defend IT; that effective risk management involves more than just protecting IT and data currently in place; that known but unmitigated vulnerabilities are among the highest cybersecurity risks faced by executive departments and agencies; and that effective risk management requires agency heads to lead integrated teams of senior executives with expertise in IT, security, budgeting, acquisition, law, privacy, and human resources.

The executive order goes on to explicitly hold agency heads accountable to the president for implementing risk management measures commensurate with the risk and magnitude of the harm that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of IT and data. It also mandates the use of the rigorous and recently revised Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standards and Technology that EO 13636 deemed voluntary.

Will this new executive order make a difference? The answer may rest in the implementation and enforcement of the order. With parallel progress in both pattern recognition algorithms and microelectronic technology, machine learning and artificial intelligence can likely already bridge the gap between the enormous volume of government intelligence data and people capable of analyzing it, as Jason Matheny, Director of the Intelligence Advance Research Project Agency, has forecast. IBM's Watson, for example, can understand all forms of data, interact naturally with people, and learn and reason at scale. Accordingly, the compromise of even sensitive but unclassified information when analyzed by sophisticated means could enable perpetrators to "connect the dots" and jeopardize national security.

In this environment, will "mistakes" or negligence leading to compromised information be tolerated or will they be dealt with severely? Will agency heads be held accountable or will they get a pass? Will "antiquated and difficult-to-defend IT" be tolerated or will rigorous processes and modern applications, like layered security, limitations within network security, encryption of data at rest and in motion, and policy engines used in conjunction with access restriction and auditing software be mandated, implemented, and audited?

The answers will be revealed over the next weeks and months.

The challenge is clear--a well-thought-out and rigorous policy for Federal government cybersecurity is in place, now it must be implemented and enforced. Time is not on our side; the next hack or the next serious incident due to the negligence of a government employee or contractor could happen tomorrow or the next day. It is time to get serious about Federal government cybersecurity.

View original post on MeriTalk

AFCEA International Cyber Symposium Comes To Baltimore Convention Center

Originally posted on PR Newswire

"Defining Full Spectrum Global Cyberspace Operations"

FAIRFAX, VA--AFCEA International will bring its cyber symposium to theáBaltimore Convention CenteráJune 25-27. The overall theme of this cyber conference and exposition focuses on engaging the key players, including the U.S. Government, the International Community, Industry and Academia, to discuss the development of robust cyberspace capabilities and partnerships. The conference offers numerous training opportunities and Continuing Education Units (CEUs)/CMUs.

Continue reading