Barbara Fast was among those on a CGI mobile security panel at the Ronald Reagan Building in Washington, D.C., on February 16, 2012.
COMMENTARY: Cybersecurity in the mobile age is everyone’s responsibility, requiring strong partnership among businesses, governments and citizens. We are living in an information age that has changed the way we conduct business and share information.
For government and industry, technology has allowed a level of interconnectedness that we have never experienced before.
The ability to connect with anyone at any time and quickly access the data we need is a great convenience that has made it easier for us to conduct business and military operations, improve services and stay in touch with our customers.
But living in a digital world is like living in a bad neighborhood. It doesn’t mean you shouldn’t leave your house, but you have to take some precautions. Just as you wouldn’t open your door to just anyone, you don’t want to invite an unfamiliar application or attachment into your network, and you want to make sure you have the security necessary to protect your data.
This article originally appeared in the latest edition of CGI Initiative for Collaborative Government's Leadership journal.
A couple of decades ago, there were very few people involved in cybersecurity, but now it’s everybody’s responsibility – from the person who wants to bank online to any organization or nation conducting business online.
As we learn from our experts in this journal, the mobile environment has added a whole new dimension to what it means to secure our enterprise. It’s not quite the Wild West, but we are still on the frontier when it comes to securing mobile devices and determining how they connect reliably to an overall network. There is a cyber ecosystem that must be managed, and mobile devices are just a part of the bigger picture.
A Way of Life
From veterans who download their health records via the Veterans Affairs Department’s website to soldiers who use smart phones on the battlefield, more individuals, businesses and government organizations are using mobile devices as part of their daily routines and creating a global interconnectedness. Just as doing business on the Internet became the norm, operating in a mobile environment is not a choice any more but a way of life.
Why has this happened? Today’s technology is more robust, bandwidth has increased, software advances have made it easy to download an application to a mobile device, and there is much better interconnectedness – from a mobile device to the cloud to the enterprise. That combination of technology and human development has allowed us to take advantage of connecting from anywhere and freed us from the desktop.
That’s why it’s important to treat cybersecurity as an ecosystem and recognize that all the parts are interdependent on one another. Organizations must rely on a multilayered set of solutions to protect the most valuable resource we have: the data that resides on our networks. This includes sound supply chain production and procurement practices. We can’t expect to secure anything 100 percent, but we can mitigate the risk of being attacked, and if we are attacked, we can mitigate the risk of being compromised and more quickly react and restore service.
We have to make sure we know where the knowledge points are, where the valuables reside that need protection and how to develop a defensive posture to protect them. When it comes to securing mobile devices, the connections must have integrity.
How Much Security is Enough?
The million-dollar question is: How much security is enough? If we had the answer to that, we would buy only what we need. But there are a lot of unknowns, and the situation is not static. Furthermore, the tolerance for risk differs from organization to organization and even from department to department. The key is risk management and deciding what you should spend your money protecting. I come from a military background, so I start with the commander’s information requirements and look for high-value capabilities that would cause an organization to fail if they weren’t available. It’s the same basic principle for commercial and private risk management considerations.
Prioritizing security is a challenge because it is difficult to measure how well your investment is doing. How do you know what you’ve been able to prevent? The sign that no intrusions have occurred is obviously a good thing, but how do you measure that? More and more organizations are incorporating a new technology into their game plans. For example, cloud computing makes accessing mobile applications easier, but it has to be secured just like the rest of the environment. Whether it’s a public, private or hybrid cloud, it is part of the cybersecurity ecosystem.
For AT&T Chief Security Officer Edward Amoroso, the future of security lies in virtualization, which means moving identity management and threat detection to the cloud. In that scenario, Amoroso said, “I just tell the ISP, ‘Here’s my policy: I want you to filter the viruses from my e-mail, I want you to filter spam, and I’d like these services to be allowed and these services to not be allowed. I don’t want my employees on Facebook, for example.’ The Internet Service Provider can very easily do that for wired and wireless service.”
There are other security considerations as well. Increasingly, cybersecurity has become an international concern as digital communications and business transactions transit the globe. Many countries have leapfrogged from having little to no infrastructure to modern digital and wireless technologies.
Just ask Chris Painter, who is responsible for implementing the U.S. International Strategy for Cyberspace as cyber coordinator at the State Department. When the strategy was released in May, Painter sent a cable to State Department posts worldwide asking them to talk to their host governments and identify the officials who were tracking cyber issues in those countries so they could “be our eyes on the ground” and find opportunities to work together. That won’t be easy, however. Although data can be sent around the globe in nanoseconds, our ability to act and react is still functioning in the 20th century. The mobile environment doesn’t recognize sovereign boundaries, and today we still lack international laws to enable us to act against bad actors.
A Challenge We Must Accept
Although more work needs to be done, it’s reassuring to know that there is more government-to-government and government-to-industry collaboration today than there has been in the past, and we have made progress on advancing cybersecurity issues with our allies. Having appropriate laws in place, as well as national and global standards, will help. And there are bona fide privacy concerns that must be factored into solutions.
There is also a huge education component to securing networks. Better awareness, from Congress to institutions and individuals, will help create the conditions and framework for a comprehensive approach. People need to understand that they have to play a role in security and that they are the first line of defenders. There will be some tough lessons along the way, but it’s a challenge we must accept.
When it comes to enforcement, it’s better to use more carrot than stick because people respond better to incentives. Consider the Defense Department.
Teri Takai, DOD’s CIO, said that by adopting a pragmatic leadership stance and offering a carrot instead of brandishing a stick she hopes to convince the military branches that moving to a common identity management infrastructure is in their best interest.
“One of the tricky things about information technology implementation, unlike some weapons systems, is that it’s as much about customer experience and the way people feel about their technologies as it is about the technology,” Takai said. “Otherwise, these migrations would be pretty easy.”
You Now Have Your Data. Be Careful.
With cybersecurity, it’s important to strike the right balance and make it easier for end users to operate securely without expecting them to do too much, especially with mobile computing. Some organizations, particularly in the military, are struggling with whether to allow people to download applications to mobile devices or access Facebook on their operational network. Those are the kinds of struggles that mobile technology brings to bear. Some security solutions will simplify things for users, but personal responsibility is essential.
That is evident at the VA, where CTO Peter Levin said one of the biggest concerns about a Web-based function that allows patients to download their health information was more human than technical. Once downloaded, the information was much more susceptible to being lost, stolen or otherwise compromised. Levin said he posted a warning to veterans “with big bold letters on the website: ‘You now have your data. Be careful.’”
Ultimately, cybersecurity is everyone’s responsibility. Whether you are a government agency, military service or global business, we share more similarities than differences when it comes to cybersecurity. We are all operating on the same network, so the problems are bound to be similar and some of the solutions are similar, too. It’s how they are applied that will be different. As the articles in this journal illustrate, you can’t underestimate the power of strong partnerships and leadership when it comes to cybersecurity.
Barbara Fast is vice president and senior advisor on cybersecurity at CGI and a CGI Initiative for Collaborative Government Fellow.