My perspective on the outlook for cyber initiatives is quite different heading into the New Year than in past years.
While there are always budgetary uncertainties and looming cuts in government IT spending, this year we face unprecedented financial uncertainty as our nation stands on the edge of a fiscal cliff. That will impact not only the resources we have to invest in technology, but also how people work and live.
So, how would I characterize the “cyber” priorities in 2013?
Listed below are the federal cyber initiatives that will take precedence in 2013 and my view of how our nation’s financial woes will impact their launch into the coming year.
Fiscal realities will drive legislators to re-evaluate the costly requirements outlined in current legislation. Re-inventing the wheel is a luxury that government can no longer afford when it comes to cyber best practices and regulation.
The key to legislative success and improved cybersecurity practices in government will depend greatly upon the degree to which legislators and agency leaders seek broad collaboration among their industry, academia and government counterparts for realistic solutions to shared challenges.
Also of note, as the importance of cyber continues to rise at the Executive level, I believe we will see more and more directives coming out that pertain to cyber, the nature of which will increasingly be deemed secret.
Cyber Workforce Demand:
Again, collaboration will be the key to achieving fiscally realistic progress in the effort to foster the cyber workforce of the future. The community (academia, government, professional organizations, etc.) as a whole will begin to shift its resources away from one-off awareness programs and silver-bullet methodologies and will put the big picture into greater focus.
In an effort to lay a solid foundation from which this effort will sustain and grow, more and more resources will be directed toward academic support and strengthening the cyber career pathway by getting more kids involved in IT and cyber security at earlier ages.
Cyber war strategy:
The US Government will continue to build its cyber operations as a new generation of warfare, expanding both its offensive and defensive cyber capabilities and tools. Although the U.S. appears to be losing dominance in the scientific/cyber space, we are still acknowledged as leaders by the rest of the world.
As we move into 2013, however, the gap will continue to shrink as other nations expand their capabilities, innovation and cyber power.
This is more of a ‘wish list’ item than a ‘prediction’, but compliance is currently a major shortcoming and must be strengthened in 2013. We know from the 2011 Verizon Data Breach Investigations Report that 80-to-90% of breaches are caused by simple attacks, and 96% of those breaches could be prevented with basic security controls. Until we can successfully implement and maintain basic system controls, we have no chance at managing advanced threats. (Verizon has since released its 2012 report.)
It’s time to demand better security from the beginning, as opposed to leaving systems vulnerable to sophisticated attacks. At long last, I believe the government will start developing better approaches to secure software as significant breaches related to software and supply chain integrity rise in the scope of damage and visibility.
Cloud, BYOD, and Virtualization:
While the virtual world and big data will continue to expand beyond our imagination, so will the number and complexity of attacks on these environments. Unfortunately, a lack of sufficient funding will result in a sub-standard level of data management and a greater volume of vulnerabilities that result in greater damage.
In an effort to save money, agencies’ bring-your-own-device (BYOD) architecture restrictions will continue to slip, resulting in financial efficiencies, along with an increased risk to agency systems and mobile devices. In 2013, we can also expect the critical component of “trust” in the cloud to advance at a slow pace waiting for the FedRAMP program to “gel.” The good news? The magnitude of potential cost savings will keep the government focused on cloud security requirements, and the FedRAMP compliance deadline of June 2014 will keep cloud service providers (CSPs) in pursuit of FedRAMP approval.
Mitigation as part of a holistic security program will gain more attention in 2013. The recent impact of Hurricane Sandy on government systems will contribute to the prioritization of disaster recovery planning from a security perspective.
While I applaud the federal security community’s individual successes in 2012 and its best-of-intentions planning for 2013, now is a good time for stakeholders to set our pride aside and stay focused on the big picture.
The reality is that looming financial restrictions will dictate how information security initiatives fare in 2013, and the key to survival will be how well we, as a community, share information, insight and resources. The efforts of a collective whole will be the key to advancing federal cyber initiatives in 2013.
W. Hord Tipton is executive director of (ISC)², the world’s largest non-profit body for certifying information security professionals; he is also the former CIO of the Department of Interior and recipient of the President’s Distinguished Rank Award. He writes regularly for Breaking Gov and serves on its board of editorial advisors.