Federal Cybersecurity: “How do we get out in front of tomorrow’s challenges?”

3rd Annual Cloud Shoot–Out & CyberSecurity Summit Daniel Galik CISO, HHS

Upload: fedscoop

Post on 02-Nov-2014


Page 1: Federal Cybersecurity: “How do we get out in front of tomorrow’s challenges?”

3rd Annual Cloud Shoot–Out & CyberSecurity Summit

Daniel Galik, CISO, HHS

Security and Privacy for the Digital Government of the Future

Dan Galik, HHS CISO FedScoop – May 2, 2012

The realities of data protection efforts in today’s world:

Better Security for the Digital Government of the Future

In March of 2012, the President’s Cybersecurity Coordinator identified three key areas for agencies to focus on when considering improvements to their information systems security procurements:

“Federal Departments and Agencies need to focus their cybersecurity activity on a few of the most effective controls. This is why my office, in coordination with many other Federal cybersecurity experts from DHS, DOD, NIST, and OMB, has identified three priority areas for improvement within Federal cybersecurity.”

“The purpose in selecting three priority areas for improvement is to focus Federal Department and Agency cybersecurity efforts on implementing the most cost effective and efficient cybersecurity controls for Federal information system security. Federal Departments and Agencies must defend their information systems in a resource-constrained environment, balancing system security and survivability while meeting numerous operational requirements. This requires robust risk management.”

Better Security for the Digital Government of the Future

Three near-term priority areas for improvement within Federal cybersecurity:

“Trusted Internet Connections (TIC) – Consolidate external telecommunication connections and ensure a set of baseline security capabilities for situational awareness and enhanced monitoring.”

“Continuous Monitoring of Federal Information Systems – Transforms the otherwise static security control assessment and authorization process into a dynamic risk mitigation program that provides essential, near real-time security status and remediation, increasing visibility into system operations and helping security personnel make risk-management decisions based on increased situational awareness.”

“Strong Authentication – Passwords alone provide little security. Federal smartcard credentials such as PIV (Personnel Identity Verification) and CAC (Common Access Cards) cards provide multi-factor authentication and digital signature and encryption capabilities, authorizing users to access Federal information systems with a higher level of assurance.”

Better Security for the Digital Government of the Future

As Federal Departments and Agencies March Out in Implementing the Near-Term Priorities, Here Are a Few Challenges to Consider for the Future:

How does the security community do a better job of keeping up with the rapid pace of change in technology?

What are the future “game changing” security strategies that may need to ultimately replace some of the current processes and practices that are part of today’s risk management approaches?

Do we need a completely new way of thinking in the security community and a fundamental shift in proactively defining the next generation of security strategies and models?

As we continue to struggle in dealing with hacktivists and the more advanced persistent threats to our systems and data, how does the nation get out front and better prevent the string of successful attacks and compromises?

Better Security for the Digital Government of the Future

As Federal Departments and Agencies March Out in Implementing the Near-Term Priorities, Here Are a Few Challenges to Consider:

How do we change our current government workplace and office practices and processes so that they adapt more quickly to the demands of the new generation of very innovative and mobile digital workers?

How do we also get the next generation of digital workers and digital citizens to place a greater emphasis on secure computing, and gain a better appreciation of the advanced threats that we are facing today?

How do we adjust behaviors in the virtual cyber world, to make them better align with how we behave in the physical, human world?

Better Security for the Digital Government of the Future

The Federal Government must be ready to securely deliver and receive digital information and services anytime, anywhere and on any device.

– Social media; mobile devices; the consumerization of IT; cloud computing; virtualization; collaboration tools; etc.

Security, privacy, and data protection must be effectively applied throughout the entire technology life cycle.

An “Information-Centric” approach helps ensure that wherever the data goes, it always stays protected.

Moving applications, systems, and data to secured cloud environments

FedRAMP will result in efficiencies and consistency in risk management

Summary of just a few of the points discussed in “Building a Future-Ready Digital Government” (DRAFT)

Better Security for the Digital Government of the Future

A few forward-thinking ideas for consideration:

Apply increased security protections to our most critical data and systems (this is especially true in the immediate future)

– Architect and engineer networks to protect high-value assets (network segmentation)

Proactively pursue the development of new security models as we continue the move to software-based, virtualized “invisible” networks that have “no wires”

Press ahead aggressively in the implementation of the “National Strategy for Trusted Identities in Cyberspace”

Consider ways to use security solutions that are focused on data and content centric security with digital rights management

Look at embedding more critical security functions in hardware or chip technology

Increase use of full-featured security tools that quickly leverage threat intelligence to enhance advanced detection and monitoring of insider activity

Better Security for the Digital Government of the Future

Questions?

Contact info:

Dan Galik, HHS CISO

202-205-5906

The Next Generation of CISOs are Already in Training
