Because adversaries like China and Russia increasingly have their hands in the information communication technology arena – whether directly or through subsidiaries – one of the keys to improving cybersecurity in an expanding threat landscape involves strong risk management, in addition to prevention, Federal experts said this week.
Fred Ruonavar, J5 Chief of the Defense Information Systems Agency (DISA) Mission Assurance & Critical Infrastructure Protection Division, explained that it’s increasingly important for agencies to understand who’s involved in developing the products that they use.
“We are taking a deeper look at that capability through the lifecycle development, and then who’s actually behind that lifecycle development of that product,” Ruonavar said at a hybrid event organized by FCW on Aug. 24. “We are taking a closer look at that development process of capabilities, so that in the procurement process we can flag any bad actors before we procure it and put it in our systems.”
He explained, however, that it’s not enough to check only once during the procurement process; rather, it must be a continuous process. “Just because you did one check today doesn’t mean tomorrow some portion of that business has been procured by a different entity,” he said.
Victoria Pillitteri, the Federal Information Security Management Act Lead at the National Institute of Standards and Technology (NIST), concurred with Ruonavar’s comment, adding that cybersecurity is a journey, rather than a destination, and the goal is to stay one step ahead of your adversaries.
“You’re only as good as your weakest link, and making sure you know what you’ve got and who your partners are is crucial,” Pillitteri said.
In addition, Pillitteri explained that risk management practices must be in place, because it’s no longer about if – but rather about when – an attack will happen.
“I think as part of developing a strong risk management program and having the governance, policy, and procedures in place you’ll be prepared, because it’s not about if but about when, and are you ready to respond and recover in a timely and appropriate fashion,” she said.
But how do agencies with so many applications protect them all? For example, the Department of Defense (DoD) uses over 18,000 different apps. According to Ruonavar, the simple answer is that you can’t protect everything.
“You need to understand that there are applications and software in your agency that are more important than others,” he said.
Therefore, agencies must start by looking at those systems and prioritizing them by security importance. For example, command and control at the DoD must always be on and available so that leaders can make decisions. The systems that must be the most secure and the most available at all times are the ones that warrant the most attention and the most security.
“You still apply security process to everything else,” Ruonavar said. “But you put your rigor in those most critical systems; that’s how we do it within DISA and that’s how we work within the department.”
Pillitteri explained that while that practice may work for DISA and the DoD, cybersecurity is not a one-size-fits-all process. Security, she explained, is driven by context. The risk management practices an agency adopts depend on the context of the organization, its systems, its “crown jewel” assets, and how much protection those assets need.