Spending the federal cybersecurity budget: what's next?
A lot of new money is in the pipeline to help the federal government confront cybersecurity problems -- but what's the best way to allocate those resources?
In 2020, cyberattacks against U.S. government organizations cost $18.88 billion in recovery costs and downtime. In an effort to drive down this cost and improve our cybersecurity posture, this year the federal government has announced a number of initiatives, from the infrastructure bill to the Joint Cyber Defense Collaborative and the White House Cybersecurity Summit.
Yet, even as Congress begins to release billions of new cyber budget dollars, today's adversaries continue to adapt, changing the threat landscape once again. Adversaries innovate constantly, increasing their skills and speed; their innovation is matched only by their determination and funding.
So, where should government invest first?
Legacy systems: According to the recent Senate Committee on Homeland Security and Government Affairs report, "Federal Cybersecurity: America's Data Still at Risk," seven of the eight agencies studied used legacy systems or applications that are no longer supported by the vendor with security updates. I can attest that a large number of federal agencies have incurred a huge amount of technical debt, struggling to meet patching deadlines while maintaining accessibility. Legacy systems are a prime target for today's cybercriminals. Since that won't change for some time, let's fully protect them now -- bugs and outdated versions included -- while we work to change our paradigm.
Information sharing: Federal agencies have valuable threat information but are often unable to share with other agencies because of limited permissions and other protocols. Highly pertinent information can age out quickly, becoming less valuable to friendlies over time. In addition to sharing information more quickly among themselves, federal agencies need a safe and secure way to quickly share critical information with state and local counterparts, who are increasingly coming under attack by determined adversaries.
Staffing: The federal government has stated a need to hire hundreds of thousands more cybersecurity professionals. It should also focus on improving the government brand, aspiring to the same level of innovation and excitement offered by the private sector. Many outmoded and archaic processes -- both people- and technology-based -- still exist. We can drive innovation by eliminating friction in core processes, automating full protection and focusing on deterministic measures to end supply-chain poisoning and ransomware.
Innovation: The threat landscape continues to shift, as proven by a host of headline-worthy breaches over the past months in both the private and public sectors. Taking a deterministic viewpoint in our approach to protection has become imperative. Probabilistic measures such as heuristic analysis -- looking in the rear-view mirror to try to predict the future -- are clearly failing us.
Private-public collaboration: Today's cybersecurity threats can't be solved by the federal government or Big Tech alone. Neither can our collective approach to the crisis be incremental. We will never get there by being a little bit faster, a little bit stronger, a little bit smarter than the last shiny cyber object. This problem requires a whole new approach and way of thinking.
We need a moonshot. Absolute interdiction.
Deterministic, automated protection is possible, so let's fully protect our software, bugs and all, and resolve this crisis once and for all.