In the digital era, every US business has to deal with cybersecurity threats across expanding attack surfaces like computer networks, cloud computing and Internet of Things (IoT) technology. It’s only natural that they would look to the government’s role in cybersecurity, which continues to evolve.
Two official government documents, the National Cyber Strategy and the State and Local Government Cybersecurity Act, provide snapshots in time of that evolution. The former is the official government strategy, laying out the problems and what should be done about them. The latter is proposed bipartisan legislation advocating information sharing between national security entities and state and local governments. But a clearer view of the government’s role in cybersecurity may require seeing how public and private sector challenges intersect.
The Intersecting Challenges of Government Cybersecurity
Protecting networks, systems, functions, and data is a massive challenge. That’s especially true in an era where networks, the cloud, and IoT among other public and private sector attack surfaces are connected in countless ways. Recent legislation like the IoT Cybersecurity Improvement Act of 2019 shows a proposed way of defining the government cybersecurity role in creating national IoT product security standards for government purchases.
The proposed legislation uses the National Institute of Standards and Technology (NIST) guidelines to establish a minimum security standard for IoT products purchased by government entities from manufacturers and vendors. While the NIST Cybersecurity Framework is voluntary for manufacturers, it is a major step forward in supporting product security standards for the federal government as well as the private sector.
To understand the challenges of the government’s role in cybersecurity, you must look at the problem on a strictly government entity security level and a public/private sector security level. This internal and external view reveals several challenges including:
Numerous separate government entities dealing with cybersecurity strategies
Countless federal and state entities and facilities that are dealing with different internal cybersecurity infrastructure problems in different ways
Dealing with internal public sector cybersecurity challenges requires dealing with the same roadblocks that impact and influence the private sector. This means tackling two broad issues:
The shared security problems of legacy IT system infrastructure and technology.
The inherent security design vulnerabilities within OEM technology that require all-encompassing, yet specific regulatory standards.
There are four solutions that must be applied to deal with these primary challenges of cybersecurity in government and the private sector:
A unified or centralized government approach to cybersecurity
All-encompassing regulatory standards for IT system and product security measures built into the products
Additional IT support to bring networks and technology in line across government facilities
Address the underlying challenge of a lack of skilled cybersecurity personnel across the public and private sector
These four approaches will not only address the primary challenges for cybersecurity today, but they also point the way to the government’s future role in cybersecurity.
The Future Role of Government in Cybersecurity
Many security experts believe that the future of how the government deals with cybersecurity lies in a more unified approach across government entities. This is being explored by the Cyberspace Solarium Commission (CSC), as reported by Federal News Network. The bipartisan commission will focus on ways to develop a unifying cybersecurity strategy for the near future.
Protecting networks, systems, functions, and data is a massive challenge in an era where networks, the cloud and IoT among other government attack surfaces are all connected. For example, the government is simultaneously a cloud and IoT end user, infrastructure provider and regulator which poses challenges in defining an effective strategy.
As the Internet of Things (IoT) expands into every aspect of business and commerce, its vulnerability as a major attack vector for cybercrime will only grow larger. That’s one reason why the proposed IoT Cybersecurity Improvement Act of 2019 will be vital to establishing minimum standards for manufacturer and vendor IoT security features.
The proposed legislation, which focuses on using NIST to improve manufacturer and vendor IoT product security, will also go a long way toward helping establish those standards across all manufacturers. If it is adopted, the result will have a tremendous impact on the increased cybersecurity of IoT devices and platforms in the private sector.
Government entities may appear to be a monolith, but the reality on the ground is somewhat different. Addressing the legacy IT infrastructure with its security vulnerabilities and the overall shortage of skilled cybersecurity and IT experts will require:
Current IT system and cybersecurity vulnerability assessment
IT system updates and cybersecurity vulnerability remediation
Addressing all these problems across the public and private sector will require identifying innovative ways to meet the skilled security and IT expert shortfall.
Meeting the Skilled Security Personnel Gap
With the increasing cybersecurity threats, government agencies and private sector companies have struggled to find skilled IT and cybersecurity expertise. Estimates show that we could see more than 3.5 million unfilled security positions worldwide by 2021 according to the Cybersecurity Jobs Report discussed by CybersecurityVentures.com.
Addressing this skilled security personnel gap will require even greater support from third-party IT service providers with a strong track record in government cybersecurity expertise. This will address the future of government cybersecurity by fulfilling federal, state and local needs for expertise in:
DevOps and cloud strategy consulting
Continuous diagnostics mitigation
As the technology in the digital age continues to evolve, cyberthreats will continue to keep pace. The government’s role in cybersecurity must set the pace for addressing these threats across their own public entities as well as the private sector.