When it comes to cybersecurity, agencies tend to focus too much on defending the perimeter and not enough on protecting assets within the network, according to industry and former government experts.
“One of the quickest places to get return on investment is on the perimeter,” explained Symantec public sector vice president Rob Potter, adding that controlling who can access data within the network is both harder and more effective. “The effort behind data classification and creating load-based requirements and controlling access to data is extremely difficult.”
Retired Gen. Michael Hayden, who has served as the director of both the National Security Agency and the CIA, said that perimeter defense will prevent only about 80 percent of attacks, most of which are distractions rather than true threats.
“They’re getting in, get over it,” said Hayden. “It’s not about prevention…it’s about response, recovery, discovery, resilience.”
“There really is not a perimeter anymore,” said former White House CIO Theresa Payton.
According to Potter, the number of breaches agencies keep experiencing from malicious insiders and accidental exposure within their networks will force agencies to focus on internal prevention measures such as data classification and access management.
“Again and again we always see that an agency has been compromised or a phishing link has been clicked on,” said Potter, adding that some of the best solutions to these compromises lie in educating the workforce in cyber hygiene and developing a comprehensive understanding of the threat environment.
But Potter thinks that the government is beginning to shift toward addressing internal security.
“I think the Department of Justice is doing a good job,” said Potter, praising the department’s diversity of cyber capabilities. “Candidly, I see a lot of organizations that are either doing it or heading down that path.”
However, Potter also cautioned against instituting legislation or policy about internal cybersecurity that puts an undue burden on agencies.
“I think there’s been a lot of effort from the government to drive this,” Potter said. “You have to be careful that you don’t put unfunded mandates in place.”