For Federal IT managers, compliance is a primary motivator. Regulatory compliance, DNS compliance, EDNS compliance, all of it.
FISMA and agency guidelines provide a clear roadmap for cybersecurity, with the performance of Federal IT managers constantly measured against those standards. Publicly reported compliance scores, GAO and IG reports, and frequent Congressional inquiries about the state of cybersecurity ensure that most Federal IT security personnel are squarely focused on meeting the established criteria.
Necessary Security Standards
Federal cybersecurity standards exist for a reason – the threat to government systems is significant and the consequences of a breach are potentially disastrous. The many layers of compliance and reporting are there to ensure that the Federal government is protecting sensitive public data from the many malicious actors who seek to exploit it.
Yet the danger of any standard is that it serves as a ceiling rather than as a rallying point. When performance is measured merely by the letter of the law, there is little incentive to move beyond compliance and into a more active, agile security posture.
Of all the many areas where the Federal government monitors compliance, cybersecurity is one of the most difficult to pin down. Threats to technology systems evolve so quickly that even the experts can’t keep up. The conventional wisdom on cybersecurity has turned from “try to filter out malware before it gets in” to “accept that you’re going to be breached, and prepare your mitigation strategy”. In a rapidly changing battlefield like this, the static target of compliance isn’t nearly enough.
The Cybersecurity Value of DNS
Take Domain Name System (DNS) for example. Many compliance-oriented government agencies treat DNS simply as IT infrastructure, failing to fully realize the cybersecurity value of the data it generates. These agencies use IP address spreadsheets to manually manage their DNS infrastructure and have limited ability to actively monitor the high volume traffic that comes in from their DNS servers - which often is the first indicator of the presence of malware and cyberattacks. After all, 91% of malware attacks leverage DNS.
Transitioning from DNS management to an active DNS-based defense is a prime example of how Federal IT managers can move from a reactive, compliance-based approach to a more dynamic, security-focused posture.
Agile Cybersecurity Awareness
Today’s standard for Federal IT security has to be more nuanced than a simple compliance scheme. FISMA was a great way to get agencies thinking about the level of effort required to achieve true security, and its metrics still play a vital function in maintaining accountability. Yet creating a culture of cybersecurity awareness and building active defense systems requires a more agile approach – one which can adapt to an equally agile threat.
How then can agencies recalibrate their measure of success? If IT security standards are no longer adequate, then how can we know if the actions of Federal IT security personnel are appropriate?
In an era where no one factor can definitively establish security, perhaps the best standard is situational awareness. The ability to identify threats quickly allows IT managers to respond proportionately, minimizing or annulling any consequences. Situational awareness doesn’t require secure perimeters or airtight boundaries between “us” and “them”. It merely requires the ability to derive accurate, real-time intelligence from what’s happening on the network and respond accordingly.
Situational awareness as a concept is necessarily squishy – it doesn’t provide any hard and fast rules for compliance. But that’s kind of the point. Security requires constant vigilance, which means that the task is never complete. It’s like painting an aircraft carrier: the fact that you think you’re finished means that it’s time to start again.