The Federal Government is Using 20th-Century Responses to a 21st-Century Problem
In 2017, the federal government had its supply chain security wake-up call: Kaspersky antivirus software had been installed on nearly every federal computer, and the company’s owner allegedly had close ties to the Kremlin. The federal government began implementing vendor and supply chain security programs—but the solutions policymakers have come up with are onerous (particularly for small businesses) and fail to meet the challenge of understanding—let alone securing—the risks associated with global software supply chains that power federal technologies.
Learning from the Security Clearance Overhaul
There is a parallel that lawmakers can look to: recent efforts to improve the security clearance process for federal employees and contractors. For several years, policymakers have been working on implementing continuous monitoring of the government’s human assets with access to top secret information, and the government should do the same for its digital assets.
For many years, the security clearance system had a hole that adversaries could drive a truck through: After individuals were granted a security clearance, the government only reviewed their clearances every few years to ensure they remained eligible. There was often a five-year knowledge gap—or more—on a person with access to sensitive national security information. The risks inherent in this system are enormous.
It is easy to imagine an adverse event in someone’s life in that five-year span: a tragedy that results in a substance abuse issue; accumulation of unmanageable debt; a stupid mistake that leads to an arrest. Any of these could make a person susceptible to bribery or blackmail, but the government might not know until it is too late to revoke—or at least review—the person’s security clearance.
Today, the ability to use algorithms to scan the internet efficiently has given the government the ability to see more about a person, more often. We can continuously monitor anyone with a clearance to provide some level of assurance that the person remains eligible to have access to secure information.
Improving Cybersecurity Monitoring
Now imagine the security clearance problem on steroids. That is what the federal government’s vendor and supply chain cybersecurity is facing, with the federal government now spending over $500 billion per year buying goods and services from hundreds of thousands of companies with vast global supply chains.
The new cybersecurity requirements and standards for contractors require exercises like point-in-time assessments, which are only useful until the day after they are produced and not a minute longer. In the world of cybersecurity, the threats change daily—even hourly—and cyber hygiene does, too. Encryption certificates expire, credentials get exposed and patches are often not immediately downloaded.
The government must apply the same continuous monitoring approach it now uses to validate security clearances to supply chain and vendor security. Dynamic security ratings, updated daily, provide day-to-day visibility into the cyber hygiene of the government’s vast global contractor supply chain. This ensures that contractors are taking care to download the latest software patches and keep encryption certificates up to date—an effective barometer for the overall security stance of a contractor.
Real-Time Knowledge Is Critical
Today’s businesses and government agencies can conduct this type of monitoring in-house or look to outside experts capable of bringing in the accuracy, power and potential needed to improve the collective cybersecurity of federal technology assets. The need for this technology is only growing, and while continuous visibility will not end cyberattacks, it will at least ensure that the government is not blind to the potential vulnerabilities it faces on a daily basis.
Charlie Moskowitz is the vice president of Policy and Government Affairs at SecurityScorecard, with over 15 years of policy and regulatory experience. He previously served as the chief policy counsel for the Democratic staff of the Senate Homeland Security and Governmental Affairs Committee under Sen. Claire McCaskill (D-MO).