Creative thinking is one solution for Federal agencies that defend against cyberattacks, according to Amit Yoran, chairman and CEO of Tenable.
Yoran, who has 25 years of cybersecurity experience and served at the Department of Homeland Security before moving to the private sector, said today’s technological environment boasts a plethora of challenges, from Internet of Things devices to malicious cyber warriors. Yoran, who spoke at Tenable’s GovProtect Conference June 21, said that there will be 9.1 billion IoT devices in enterprise facilities within the next two years.
“Whether it’s 9.1 billion or half that, IoT devices will likely outnumber managed endpoints. I know what things look like at 2 a.m. when you find out there’s been a breach,” Yoran said. “I firmly believe creativity is our single greatest leverage point in cybersecurity. I encourage you to think of the world of vulnerability management differently.”
Nation-states, such as those operating within North Korea, Russia, and Iran, are among the Federal government’s primary cyber adversaries. The recent WannaCry attack that disabled thousands of systems in more than 100 countries was likely the result of a nation-state’s efforts.
Attacks from nation-states are hard to manage for a number of reasons. Identifying who incites these attacks is often difficult, and legal frameworks do not always align from one country to another.
“No wonder nation-states are having a field day in cybersecurity. This is the bloody mess that is IT modernization. This is where it’s going. And it’s your job to protect it,” Yoran said. “Know your network. Know what systems are out there.”
A mind-set shift across Federal agencies will lead to improved cybersecurity strategies, according to Yoran. He said many agencies resist routine check-ups and test cycles because they are simply more comfortable with the old way of doing things. For example, many agencies retain physical servers, even though the Federal Information Technology Acquisition Reform Act scores them on their ability to consolidate data centers.
“It feels good to own a system and have it in your environment. I would suggest that’s a false sense of security,” Yoran said. “The minute we think we’re purple unicorns, that’s the minute we’re exposed to adversaries of even modest skill.”
Some Federal agencies have created programs to help other agencies adopt better cybersecurity practices. DHS’s U.S. Computer Emergency Readiness Team, which Yoran helped found, distributes information on cyber threats to executive branch agencies. DHS also offers the Continuous Diagnostics and Mitigation program, which provides agencies with tools to identify and address cyber threats.
Yoran said sluggishness is the most dangerous quality agencies can display when embracing new technology and programs such as US-CERT and CDM.
“Modernization and participation in some of these programs is an opportunity to be more agile,” Yoran said.
Companies tend to attract talent more often than Federal agencies because the private sector offers more lucrative salaries than the public sector. Moreover, the Federal government is often portrayed as the losing team when it comes to cybersecurity because of recent attacks, such as the 2015 Office of Personnel Management breach that exposed the personal information of millions of people.
Yoran said the requirement for talent in the Federal space was “insatiable,” and agencies need to retain the bright people they have through increased training.
“We have to make security sexy. There are so many interesting things happening in security. If we can broaden our ranks, it drives to creativity with diverse thinking,” Yoran said. “It’s incredibly important to the nation that the government trains the security talent it gets, and that talent makes its way into the private sector. The work we do as a community matters. It’s incredibly important. It matters to the world. It matters to your family.”