Malicious attacks have become both more frequent and more complex, prompting the Cybersecurity and Infrastructure Security Agency (CISA) to issue nearly as many cybersecurity emergency directives during the first half of fiscal year 2021 as it did during the prior five years combined, according to Matt Hartman, CISA’s deputy assistant director of cybersecurity.
Hartman spoke Wednesday during a virtual conference convened by the Advanced Technology Academic Research Center (ATARC), a nonprofit that aims to foster public, private and academic collaboration over challenges posed by emerging technologies.
State-level cybersecurity professionals said during the conference they are focused on getting more complete pictures of their systems and where vulnerabilities lie and are looking at advanced technology tools and financial resources that can bring their defenses to the next level.
MAKING FUNDING MATTER
Funding is a persistent stumbling block for state and local agencies, which may struggle to come up with the money to implement desired security updates.
The federal government is anticipated to open up new streams of support, however. In one recent example, U.S. Reps. Yvette Clarke and Ritchie Torres are pushing to add $500 million worth of state and local cybersecurity grants into the American Jobs Plan.
Not all funding programs are created equal and administrators must remember that there’s a chasm of difference between budgeting for grants and budgeting for grants that states can actually use. The impacts of any financial infusions depend heavily on how many stipulations are attached, said Washington state CISO Vinod Brahmapuram.
States are all in different stages of cybersecurity upgrades and many may be in the middle of enacting multi-year technology maturation plans. When funding is only made available for tightly defined use cases, state leaders can struggle to figure out how to make use of the money in the context of their current efforts, Brahmapuram said.
“If the state is not allowed to use the funding opportunities to support the trajectory they are on right now, it’s almost [to a] point that you don’t know how to incorporate that funding at all,” he explained.
Problems can also emerge when federal funding is only made available to states if they put up matching contributions — something Brahmapuram said can have the effect of pricing out agencies.
CHOOSING SECURITY STANDARDS
Following optional cybersecurity standards can give agencies better guidance as they look to improve defenses, but they may not be one-size-fits-all, said Illinois CISO Adam Ford. While Illinois has found it helpful to adopt the National Institute of Standards and Technology’s (NIST) cybersecurity framework at the state level, Ford said he recommends localities follow a different set of guidance for their risk assessments.
The state is focused on making cybersecurity as simple and accessible for localities as possible, Ford said — and that means boiling down recommendations to just a few steps. That’s led the state to encourage localities to follow the Center for Internet Security’s (CIS) controls, which comprise just 18 points.
ARTIFICIAL INTELLIGENCE
For many agencies looking to ramp up security, the first step is to get better visibility into what their current weaknesses, blind spots and attack surfaces are, Ford said.
Several panelists said that artificial intelligence (AI) and machine learning in particular can be powerful tools for helping agencies keep clear visibility into what’s happening over their systems and where threats may be emerging.
Mark Dehus, senior manager of information security at Lumen Technologies, discussed the value of using machine learning to monitor potentially vulnerable parts of a system — such as computers that need to be kept safe from malicious takeover.
Intelligent automation systems can observe vast numbers of entities and activities occurring over a system to check for known kinds of attacks, and the tools can work to sift out just those potential threats that are serious enough to require human attention, then alert staff to these cases. This can be essential to trimming personnel’s threat detection workloads down to manageable sizes, Dehus said.
Using automation to filter potential threats leaves specialists free to focus on what really demands their time — such as unusual events that may be new kinds of attacks, said Shane Barney, CISO of United States Citizenship and Immigration Services (USCIS).
Efforts like these may be able to help defenders more quickly detect and respond to new threats.
CLOUD TRANSITIONS
Many agencies have been transitioning to the cloud — and as they do so, they will need to put developers front and center in their IT security teams, said Barney, who reflected on hard-earned lessons from USCIS’s transition to becoming almost entirely cloud-based over the past decade.
“If you’re in cloud, if your infrastructure is code, your security is code, too,” Barney said. “You’re kind of swapping out traditional security analysts for development teams.”
Cloud-based organizations must have security staff who deeply understand code and can recognize when something is amiss.
The rapid pace of development cycles makes it all the more important for agencies to have security teams who can understand the potential risks associated with each new software release so they can better get ahead of threats, Barney said.