Google Cloud | The Road to a Secure Future

In recent years, government agencies have had a lot to contend with when it comes to cybersecurity. COVID-19, for one, forced agencies to act quickly to ensure their constituents could access necessary information and services. Meanwhile, the shift to remote work introduced a whole new set of security challenges: According to one survey 43% of individuals working from home admitted to making a mistake that had security repercussions and 47% say they’ve clicked on a phishing email at work.

These unprecedented cyber incidents — among others — have forced the federal government to take action. In May 2021, the Biden Administration released the Executive Order on Improving the Nation’s Cybersecurity, which provided a path forward for agencies to enhance their cybersecurity posture and get ahead of threats.

A year later, the security landscape is still evolving. Today, as the Russia-Ukraine conflict escalates and other global events take shape, it’s imperative for agencies to prioritize their cyber readiness.

But where exactly do they start? According to Daniel Prieto, head of Security Strategy for Global Public Sector at Google Cloud, agencies should begin by doing a deep dive into the modern security landscape, which is composed of three main pillars:

The term “zero trust” has become somewhat of a buzzword in the world of security. Defined as an approach that eliminates implicit trust by validating anything and anyone that attempts to access a network. While this is not a new concept, Prieto notes there’s more that government CISOs can learn about zero trust.

“I’ve heard too many public sector leaders say….zero trust is nothing more than a philosophy, or that there’s nothing new in zero trust, all the things it says, we already do. And I don’t agree with those characterizations,” he says. “To me, zero trust is an outcomes-oriented framework that asks the tough question as to whether you have organized, coordinated and integrated all the different types of security, layers and security tools, identity encryption, multi-factor authentication, good visibility into traffic flows.”

“I’ve heard too many public sector leaders say….zero trust is nothing more than a philosophy, or that there’s nothing new in zero trust, but I don’t agree with those characterizations,” he says. “To me, zero trust is an outcomes-oriented framework that asks the tough question as to whether you have organized, coordinated and integrated all the different types of security, layers and security tools, identity encryption, multi-factor authentication, good visibility into traffic flows.”

Historically, Prieto says, these various methods have been implemented successfully on their own. Now, they need to work together.

“Zero trust isn't telling you that you need any particular ingredients, but it's telling you that you need to make a particular meal,” he says, meaning that zero trust isn’t made up of any particular tools or components, but that agency security teams can work with whatever tools they like to meet zero trust requirements.

By taking these steps, agencies can start to counter the ease with which adversaries gain access to critical government systems.

So what best practices should security leaders employ when it comes to introducing zero trust to their organization? First, be sure to secure buy-in from management.

“This is not just a technology exercise,” says Prieto. “It is a thorough and ongoing culture change and process change.”

He also says agencies should be intentional with how they introduce and implement zero trust.

To address this unsettling reality, sections seven and eight of Biden’s executive order provide recommendations to help agencies detect threats faster—and mitigate them accordingly.

“We know from recent incidents, like the SolarWinds attack, that there is an abiding concern that even after they think they've cleaned up their environment, the bad guys are still there,” Prieto states.

Speed, therefore, is of the utmost importance. But that’s a tall order, especially because these threat actors are becoming increasingly advanced in their tactics. Once a malicious actor has penetrated the system, they can move around freely in that environment. That makes it easier for them to find aspects of the network to disrupt.

The time it takes for adversaries to penetrate a system, move laterally and eventually infect a host, is known in the security industry as “breakout time.” As actors become more sophisticated, breakout time decreases in minutes. In fact, according to a CrowdStrike report, breakout time for cybercrime decreased by a whopping 67% between 2020 and 2021. Moreover, time is ticking when it comes to threat detection—and increasing the speed at which agencies detect threats will require a transformational change in how they manage and analyze data.

“Even in the best scenario, we're still an order of magnitude off in terms of operating at the adversary’s speed,” Prieto notes. “Typically, most large organizations have a hundred or more security tools operating, and they don't coordinate or orchestrate well across those tools, so they have fragmented visibility. They also have mountains of data and they don't have the ability to store the data cost-effectively.”

Solving this challenge will require a proactive approach. Agencies can no longer afford to wait until the next cyber-event to happen; they must take measures now to speed up the detection process. Luckily, there are solutions available to help agencies address these monumental challenges.

With Google Chronicle, agencies can easily retain, analyze, and search through the mountains of security and network telemetry they generate. Add to this the revolutionary capabilities of Big Query—Google Cloud’s serverless, multi-cloud data warehouse — and organizations can begin to see a picture of their historical data and current security landscape, all in real time.

If zero trust protects internal users and threat detection helps detect adversary activity faster, web asset protection improves security between constituents and their government.

“COVID-19 unemployment benefits sites, health benefits sites, student loan applications . . . These are all public facing web presences. And in the past, information hosted on these sites has been compromised. Malicious actors have taken advantage of these things to steal data or money, or just to disrupt for disruption's sake,” Prieto explains.

Biden’s cybersecurity executive order doesn’t address web asset protection specifically. However, a subsequent Executive Order on Transforming Federal Customer Experience and Service Delivery to Rebuild Trust in Government requires agencies to put the citizen experience front and center. That means creating digital spaces where constituents can rest assured knowing their information is secure.

ReCAPTCHA, for example, is one way to help agencies stop fraud and data theft in their tracks by countering bot activity on government websites. Additionally, Prieto recommends adding an API management tool to track how people outside an organization access information.

“This creates a metal layer between the sensitive data that’s stored at the government agencies and how it’s presented to the customer,” he says. “That API provides an extra layer of security.”

By taking advantage of the various cybersecurity tools and solutions built to help government agencies combat an ever-evolving threat landscape, they can now get ahead of their adversaries. The threat landscape won’t stop growing in complexity, but with the right people, processes, and technology, agencies can set themselves up for cyber success.