Agencies have been steadily increasing their use of digital platforms like social media, forums and blogs, code-sharing sites and others since well before the first government Facebook pages in the 2000s. The pandemic dramatically increased the need for agencies to move more governmental functions to social and digital channels, and fast. Today, it’s exciting to see the new Administration’s ongoing commitment to improving the Customer Experience, and how broadly agencies are engaging with their constituencies across new and more dynamic digital channels. As adoption has expanded, government cybersecurity specifically targeting those digital channels must expand as well.
As organizations actively use social media, external websites and other digital channels to engage with the public, they increase their vulnerability to problems such as unauthorized disclosure of confidential information, the dissemination of false and misleading information, impersonations and account takeovers. With new vulnerabilities come new challenges in determining authority, strategy and compliance considerations.
The good news is that these developments have pushed the federal government to define how agencies can best establish, fund and maintain a practical approach to protecting themselves from external digital threats.
While the benefits are obvious, there is also a downside to this rapid transformation to a hyper-connected world. For one, relying on many more externally hosted services has significantly increased government cybersecurity risk. The traditional question of “where the security perimeter now lies” is better tackled by asking whether there is a perimeter at all. If the perimeter has faded away with this digital evolution, where should security teams operate next? Thinking outside the security perimeter is a given; how to do it effectively is the real question.
Kevin Reardon, Chief Operating Officer at ZeroFox, led a panel discussion on “Combating Threats Outside your Agency’s Digital Perimeter: Empowering Responsibility and Authority” with Steven Hernandez, CISO and Director of Information Assurance Services at the US Department of Education, and James Saunders, former CISO of the Small Business Administration (Saunders is now Senior Advisor to the Acting CIO for Cybersecurity at the US Office of Personnel Management). The discussion underscored some interesting points; if you missed it, I highly recommend watching on-demand to learn more. Three main points I’d like to highlight touched on intrinsic authority to respond to a cyberattack, the latest guidance from the National Institute of Standards and Technology (NIST) and what a comprehensive security program might look like today.
When It Comes to Government Cybersecurity, Who Has Authority?
As more engagements take place on platforms outside the agency perimeter, it’s essential to understand an agency’s intrinsic authority to respond to attacks such as social media impersonation. We often hear CISOs say they either don’t have the responsibility to look outside their perimeter, or that they are aware of threats outside their perimeter but don’t have the authority to act on them. During the panel, Hernandez and Saunders highlighted that federal agencies have both the responsibility and the power to take action where there are external threats to their reputation or to the integrity of their interactions with their customers. In many cases, as with an attack carried out on social media, no special legal authority is required to request a takedown: the agency can work directly with the platform, because the impersonator is in clear violation of the platform’s own Terms of Service. The panel agreed that this should be regarded as “proactive assertive defense” rather than “offensive action.”
Reardon opened the panel describing this conundrum: “As a lifelong security practitioner, one thing that I’ve learned in talking with CISOs and counterparts around the world is that many people don’t necessarily [understand or feel comfortable taking on] the responsibility to look outside the perimeter at their risk – even though they may be aware of these threats outside of the perimeter. Many times, they don’t feel that they have the authority to appropriately act on them. The purpose of our [discussion today] is to highlight the fact that many organizations and federal agencies not only have the capability but also have the authority to take action and [address] these external threats that are affecting their reputation or [the integrity] of their interactions with their end-users and customers.”
Both Saunders and Hernandez outlined how they first began to tackle this challenge within their unique environments. Hernandez noted, “There [was] a foundational premise that the law must say we can [but] where does it say we can’t? If there’s nothing out here saying we can’t, we’ve already checked our appropriations, [we are maintaining] our fiduciary responsibility for the taxpayer dollar, [and are] squarely within the authorities of our appropriations, then frankly we ought to be doing this.” He described this realization as a “watershed moment” in which the team could confidently move forward knowing “we can absolutely do this.”
Saunders cited his time with the SBA, where his team began to notice the number of threats outside the perimeter increasing at a drastic rate after the passage of the CARES Act and the Paycheck Protection Program. Impersonations of the agency in social media were becoming a major issue, as fraudsters tried to cash in on the public’s interest in the new funding for small businesses. Seeing a clear need for change, Saunders quickly found value in pairing the SBA Cyber Threat Intelligence Team with the agency’s Public Affairs Office. They had a shared goal to ensure targets would not mistake a fraudulent social media account or website as an authentic SBA account.
Rapid response was essential because of the exploding scale of the threat. In FY 2020, the SBA took down roughly 600 social media impersonations, but before Saunders left in March 2021, they were on track to take down 2,000 a year. Not surprisingly, then, Saunders also cited “automation as a necessity given the volumes.”
Hernandez said his agency also had to evolve quickly during the pandemic. Teams focused on dark web threat hunting were already in place; however, these teams had to expand to address attacks from public open channels as well, including social media. He stated that “for the most part, it [was] almost always a watering hole type of attack that oftentimes takes place in forms that are well outside of the Department’s control. The open web, social media, even platforms like Signal [and] Slack are becoming places where these conversations are taking place. Our hub teams have had to expand beyond just the dark web, now into some of the more common places to understand how our attackers are operating and thinking.”
Guidance from NIST
One of the questions asked of the panel was whether the panelists had relied on policy guidance from documents like NIST SP 800-53, Rev 5. Rev 5 explicitly puts reputational damage within the scope of what agencies are expected to protect against, and its new and updated controls cover both digital risk protection and threat intelligence. For those wishing to see a control-by-control breakdown, ZeroFox has authored a whitepaper that analyzes the applicability of 800-53 Rev 5 to emerging issues of digital threats.
Saunders acknowledged the new language in Rev 5 that addresses digital threats more clearly, but also noted that practitioners tend to interpret 800-53 as focusing on internal assets. Hernandez went on to note that referencing the NIST Cybersecurity Framework was helpful.
Specifically, Hernandez offered insights on where to begin this process and align efforts throughout the organization: “If we’re truly identifying risk, it’s at the mission level, meaning if something is going to impact our mission and our ability to deliver the mission, that needs to be addressed as part of risk management. Then, when we move into ‘protect,’ [we are looking at how] to address those issues. If you’re looking for ways to start having that discussion, in my organization, we talk about ‘left of boom.’ [When] we look at the cybersecurity framework you have identify, protect, detect, respond and recover. For us, the boom is at the detect. Anything we can do to move that boom further to the right or make it smaller is money well spent. That all happens to the left of boom: the identification and the protection. Those are the types of technologies, capabilities and approaches that we’re talking about today. There is a square play to tie this back to NIST and how NIST thinks about risk. It’s just a cybersecurity framework a little more than the risk management framework.”
Implementing a Comprehensive Government Cybersecurity Program
Once an agency begins seeing risks from external threats, the next step is to implement a program that continuously monitors for, and responds to, impersonations, attacks and information disclosure across social media channels, public websites, dark web sources, code-sharing platforms, email and other public-facing platforms. Reardon framed such a program around three core constructs: confidentiality, integrity and availability, adding that “Sometimes offense is a really good defense.”
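The triage step that such a program has to automate at the volumes Saunders described (hundreds to thousands of impersonations a year) is illustrated below. This is an added example, not code from the original post, ZeroFox, the SBA or the Department of Education. It assumes a list of handles the agency controls and a feed of candidate handles harvested from a platform; the official handles, the candidate feed, the lure-word list and the confusable map are all constructed sample data, and a real deployment would take candidates from platform APIs or a vendor feed and push hits into a takedown queue. Each hit carries the reason a reviewer would cite in the platform’s Terms-of-Service report.

```python
"""Lookalike-handle triage for an agency impersonation-monitoring program.

Added example, not code from ZeroFox, the SBA or the Department of
Education. All handles and word lists below are constructed sample data.
"""
import unicodedata
from dataclasses import dataclass

# Handles the agency actually controls (constructed, not real accounts).
OFFICIAL_HANDLES = ["AgencyGov", "AgencyLoans"]

# Words fraudsters bolt onto an official handle to pose as a helpdesk or
# program account (constructed list; extend it from your own takedowns).
LURE_WORDS = {"help", "support", "official", "grants", "relief", "funds"}

# Hand-picked confusables: digits and Cyrillic letters that render like
# Latin ones. Deliberately partial; Unicode's confusables.txt is the
# authoritative source for a production map.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s", "8": "b",
    "\u0430": "a", "\u0435": "e", "\u043e": "o",  # Cyrillic a, e, o
    "\u0440": "p", "\u0455": "s", "\u0456": "i",  # Cyrillic r, dze, i
}


def normalize(handle: str) -> str:
    """Case-fold, strip accents, fold confusables, drop separators."""
    text = unicodedata.normalize("NFKD", handle).casefold()
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    return "".join(ch for ch in text if ch.isalnum())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using the two-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


@dataclass
class Hit:
    candidate: str   # handle as seen on the platform
    target: str      # official handle it imitates
    distance: int    # edit distance after normalisation
    reason: str      # text to cite in the Terms-of-Service report


def triage(candidate, officials=OFFICIAL_HANDLES, max_distance=1):
    """Return a Hit if candidate imitates an official handle, else None."""
    if candidate.casefold() in {o.casefold() for o in officials}:
        return None  # platforms treat handles case-insensitively: it is ours
    norm_c = normalize(candidate)
    scored = sorted((edit_distance(norm_c, normalize(o)), o) for o in officials)
    distance, target = scored[0]
    if distance == 0:
        return Hit(candidate, target, 0,
                   "identical to official handle after confusable folding")
    if distance <= max_distance:
        return Hit(candidate, target, distance,
                   f"within edit distance {distance} of official handle")
    # Longer names that embed the official handle plus a lure word.
    for dist, official in scored:
        norm_o = normalize(official)
        if norm_o in norm_c and norm_c.replace(norm_o, "", 1) in LURE_WORDS:
            return Hit(candidate, official, dist,
                       "official handle combined with lure word")
    return None


def build_takedown_queue(candidates):
    """Triage a feed and return hits, most exact imitations first."""
    hits = [h for h in (triage(c) for c in candidates) if h is not None]
    return sorted(hits, key=lambda h: (h.distance, h.candidate))


# Constructed sample feed: two official accounts, five look-alikes, two benign.
CANDIDATE_FEED = ["AgencyGov", "AgencyLoans", "Agencyg0v", "\u0410gencyGov",
                  "AgencyGov1", "Agency_Gov_Support", "AgencyL0ans",
                  "NASA", "SmallBizNews"]

if __name__ == "__main__":
    for hit in build_takedown_queue(CANDIDATE_FEED):
        print(f"{hit.candidate!r:22} -> {hit.target:12} d={hit.distance} {hit.reason}")
```

The three rules (confusable-folded identity, small edit distance, official handle plus a lure word) cover the bulk of the impersonations a public-affairs team sees, but they are heuristics: a display name, avatar and bio check, and a human review step, still belong in front of any automated report.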
Hernandez agreed, going back to necessity: “We want to make sure that we are instilling trust and confidence in the public so that when they come to the US Department of Education for any of our services, they [know] they’re going to get those services. If we can’t do that, then we’re going to have a chilling effect. People are going to think twice about [putting their information into a] FAFSA form…”
Reardon referenced meeting the late Howard Schmidt in 2012, who offered a very straightforward yet profound piece of advice for such challenges: “Complexity is the enemy of security.” Reardon explained how much this advice motivated him to take “the hinges out of process” and address issues head-on, even outside the perimeter, where complexity is greatest. Hernandez recalled similar conversations with Schmidt on complexity. Taking the idea a step further, he summarized: “The enemy of fear, uncertainty and doubt is solid architecture. The enemy of complexity is really around automation and technology. In the cybersecurity discussion, it’s very much the same with complexity. We have to approach it from a technology perspective. We have to [pinpoint] where can we automate and where can we bring in cross-disciplinary functions.”
Saunders followed up by stating, “I’ve learned over the years that cybersecurity teams get really good at what they’re good at. You’ve got your SOPs, built your automations, you know exactly how you’re going to [implement], [but then you have to] continue to innovate. Make sure you keep that spirit of: why are we doing it this way? How can I change this? How can I get better? What threat spaces are we not considering that we need to take care of? These simple questions open up a whole new opportunity for [organizations] to expand [the] cybersecurity mission to help ensure that [the overarching] mission for your particular agency is moving in the direction that you want it to move in.”
Agencies today have the daunting task of ensuring they stay up to date identifying and addressing the security threats arising from these important new media and platforms. Fortunately, there are great models to reference across the federal government; practitioners have been given more authority and precedents to take needed action; and many teams throughout the enterprise are willing to collaborate to find more lasting solutions.
Join the Discussion
The ZeroFox team continues to produce informative resources and engaging events to help security teams and organizations as a whole navigate unknown territory as the landscape continues to evolve. If you missed our panel discussion on “Combating Threats Outside your Agency’s Digital Perimeter: Empowering Responsibility and Authority,” be sure to watch on-demand to learn more.