The Road Ahead for CyberSecurity in 2017

March 22, 2017
Addressing the changing landscape of cybersecurity is essential to both national security and business success

Over the last year, cybersecurity has been propelled into the public eye through numerous events at the national and international levels. More than a billion Yahoo users had their private data stolen. Distributed Denial of Service (DDoS) attacks paralyzed 1,200 websites by leveraging unsecured Internet of Things (IoT) devices. The Democratic National Committee was the victim of a breach that resulted in the theft of nearly 20,000 confidential emails.

These high-profile incidents have caused CEOs, chief information officers, chief security officers and IT administrators to ask some tough questions while formulating their cybersecurity strategies in 2017. What existing threats will become more entrenched, and where will new ones appear? How will the government’s policy response affect their businesses? Ahead are some answers to these questions intended to help identify vulnerabilities, discover relevant actors and assess services and strategies.

Persisting Threats to Governments and Businesses

Cyber-attacks will continue to be front and center as the scope and severity of threats against governments, corporations and individuals continue to grow and evolve.

From a government standpoint, threats by nation-state actors will continue to be a major concern. Instead of making the issue a political debate, the U.S. government needs to handle incidents in the most objective manner possible. Figuring out who is behind a hack is extremely complicated and time consuming, and, as important as that is from a geopolitical perspective, does very little to improve actual defenses—and defense needs to be a high priority following an attack. Agency leaders and cybersecurity experts must be free to investigate and report their findings using tested methods to “detect, identify and protect.” Cyber experts need this freedom to do their jobs without political interference.

Insider threat will continue to be a primary cybersecurity concern for government and industry alike. The recent announcement of the arrest of another NSA contractor for the theft of top-secret files is just one more reminder that this concern is real and ever-present. Most organizations focus primarily on external cyber threats, but it is insiders turned malicious who can do the most damage; they have privileged access to critical assets, intellectual property, restricted areas and essential systems. It’s clear that more needs to be done to anticipate and stymie these types of threats. Companies large and small alike are at risk and they should apply measures that limit access to critical data, as well as programs to record both failed and successful attempts to access such information. This helps to expose inappropriate behaviors and to identify behavior trends.

Securing Data and Systems in the Cloud

With the heavy adoption of cloud-based services to reduce costs and improve efficiency, cloud security will continue to be paramount in 2017. Although many agree that the cloud can be a reasonably secure place to process and store business information, organizations will be challenged to quickly assess and evidence security through continuous security controls monitoring and reporting. Such controls monitoring is not just necessary for cloud deployments but is also necessary for hybrid environments where both on-premises and cloud-based services are used to support IT operations.

In 2017, as companies continue to migrate their IT workloads to the cloud, they must be mindful of the potential regulatory burden depending on their specific industry. They must also strive to reduce the time and effort associated with these compliance requirements in order to reap the benefits offered by cloud services as quickly as possible. Beyond satisfying regulators, this continuous control monitoring process should serve to provide a level of comfort to organizations that reasonable security standards are being applied to their cloud deployments. Having a formalized process also allows the organization to demonstrate a standard of due care if ever required.

Government Policy and the Supply Chain

Government agencies and businesses can implement excellent internal security systems with all of the right policies in place, but until they subject all of their third-party partners to the same level of scrutiny, customers will be at risk. One of the most notable and anticipated changes to take effect in 2017 will be a new security requirement for all government contractors. In effect, this new requirement is intended to help secure the Federal Government supply chain by enforcing a standard set of information security controls.

This new regulation, identified by the National Institute of Standards and Technology (NIST) in publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, is in effect now, and full compliance is required by December 2017. 800-171 will be enforced through the Federal Government acquisition process, effectively making compliance a condition of contract eligibility. Contractors who handle and process Controlled Unclassified Information (CUI) will be contractually required to attest that they and their subcontractors are compliant with 800-171. The objective is to increase the security of the Federal Government supply chain (i.e., contractors and subcontractors) by imposing security requirements and standards that ensure all supply chain participants are operating in a well-defined secure manner.

2017 will be a transitional year because implementing NIST 800-171 will most certainly come with challenges. Take military aircraft, for example: such a sensitive and complex product, with so many different parts obtained from so many different sources, is an example of a very large supply chain. It is also an example of a supply chain that is very important to secure. Ensuring compliance for each participant in just this one supply chain could be challenging, and it is but one example of the extensive Federal Government supply chain. This example helps put into perspective the complexity, extensiveness, and importance of the 800-171 initiative.

For companies doing business with the Federal government, the initial financial burden of complying with NIST 800-171 will, unfortunately, be a cost of doing business in this new world where information and cybersecurity are of paramount importance. Over the next few years, 800-171 will likely evolve and will become the established protocol throughout the government contracting community and possibly beyond, further strengthening the Federal Government vendor supply chain. Prioritizing compliance with cybersecurity standards will set those companies apart as protecting client data becomes increasingly important and a business differentiator.

NIST 800-171 only applies to companies working on government contracts, but other companies may come to recognize the value of these regulations and may voluntarily adopt them to improve security posture and demonstrate a standard of due care. Further, if 800-171 proves to be successful in helping the Federal Government improve the security of its supply chain (e.g., demonstrably fewer data breaches), insurance companies might also look at this as a way to manage cyber risk. If so, controls like those found in 800-171 might drive cyber insurance underwriting and eligibility.

Shifting Cyber Insurance to Protect Businesses

Insurance companies are expected to overhaul their cybersecurity underwriting practices to better understand risks, aggregate risks, and begin to establish actuarial data for cyber liability insurance. The Target Corporation breach in 2014, for example, was devastating. But imagine the financial impact had there been multiple, similar breaches that occurred simultaneously, covered by a single insurer.

Three years after the Target breach we find ourselves in a new era of heightened cybersecurity awareness, yet there still isn’t a great deal of actuarial data to help insurance carriers understand cyber risk for the purpose of underwriting and the impact of aggregate cyber risk on their portfolios of coverage liability.

Thus, there will be an ongoing effort in 2017 for insurance companies to improve cyber data analytics and revise cyber underwriting guidelines for clients, which will ultimately drive client companies to update their own cybersecurity standards.

Cooperation Will Enable Security Successes

On the road ahead, one thing is clear: cooperation between government and industry will be essential. President Trump was a vocal candidate when it came to discussing the need for a stronger and more aggressive cybersecurity posture, although he delayed signing an expected executive cyber order his first month in office.

Leading members of Congress, such as Sens. Mark Warner (D-VA) and John McCain (R-AZ), and Reps. Will Hurd (R-TX), Gerry Connolly (D-VA) and Barbara Comstock (R-VA), are regarded as bullish on strict cybersecurity legislation. The hope is that cooperation from both sides of the aisle, as well as strong support from incoming leadership, will mean the United States can look forward to a more robust government cybersecurity strategy in 2017.

Understanding and addressing the ever-changing landscape of cybersecurity is essential to both national security and business success, and it will continue to dominate news cycles in 2017 and in years to come. From internal and external threats, to changing markets, to a government unified in its concern for cybersecurity, keeping a close watch on evolving and emerging threats will be critical to success in dealing with 2017’s biggest cybersecurity challenges.

About the Author: Rick Tracy is Chief Security Officer and Senior Vice President at Telos Corporation. He joined the company in October 1986 and has held a number of management positions. He pioneered the development of innovative and highly scalable enterprise risk management technologies that have become industry-leading solutions within the federal government and the financial services verticals. Mr. Tracy is the co-inventor of Xacta IA Manager and is the principal inventor listed on five patents in the areas of automated risk and compliance management and continuous monitoring. He assumed the role of chief security officer in 2004. Twitter: @rick_tracy.