
Rising Threats Push Agencies to Revamp Cyber Defenses

NIST and DHMS officials boost data security with the evolution of CSF 2.0 and push toward attribute-based access control amid the rise of AI.

NIST Cybersecurity Center of Excellence Director Cherilyn Pascoe speaks at CyberScape Summit in Bethesda, Maryland, April 3, 2025, as GitLab Federal CTO Joel Krooswyk (left) and Defense Healthcare Management Systems Chief of Cybersecurity Chris Wallace (right) look on. Photo Credit: Invision Events

Federal leaders are seeing a rise in cyberattacks, particularly ransomware incidents like Medusa and Van Helsing. That rise is spurring agencies to evolve cybersecurity strategies, secure non-human access points and move beyond traditional role-based access control towards attribute-based access control (ABAC) to secure sensitive data, officials said during the GovCIO Media & Research CyberScape Summit in Bethesda, Maryland, on Thursday.

“Credentialing, access management and user analytics are extremely important [to fight ransomware],” Program Management Office, Defense Healthcare Management Systems Chief of Cybersecurity Chris Wallace said. “To protect the data, you have to have the data to see and work through all those problems, to get out ahead and fix things before [cyber criminals] find things.”

NIST’s CSF 2.0 Adds Govern Function

The National Institute of Standards & Technology (NIST) Cybersecurity Framework (CSF) 2.0 helps establish governance for data security, Wallace added. NIST Cybersecurity Center of Excellence Director Cherilyn Pascoe said that the document, including the new “govern” function, assists agencies navigating challenges in securing data against threat actors.

“The NIST cybersecurity framework is a very helpful tool to help you assess, communicate and prioritize your cybersecurity efforts within your organization,” she explained. “Folks like the new function focused on cybersecurity governance, making sure that folks understand their roles and responsibilities and the role of senior leadership.”

“Cybersecurity is a constant challenge and there’s a lot of different priorities right now,” Pascoe added. “We’re collectively harnessing all of the goodness from the cybersecurity community to be able to help implement this framework.”

The Move to Attribute-Based Access Control

GitLab Federal CTO Joel Krooswyk echoed the importance of CSF 2.0 in governing access management, both on the application programming interface (API) and human side of access.

“Our failure to secure APIs continues to be this dominant thing, and APIs are the dominant way we access our data,” Krooswyk warned. “When we talk about governance and we talk about data, how are you governing the access to your data through something like an API? Is it an afterthought?”

To secure data, Wallace said agencies need to move beyond traditional role-based access control towards ABAC for enhanced insight into potential insider threats and improved anomaly detection.

He stressed that while human factors play a significant role in access management, non-human access points like APIs often represent a blind spot. The subtle anomalies indicative of malicious activity, particularly within APIs, require robust monitoring and analytical capabilities to detect and address.

“Looking at that API security … I would argue that ABAC is probably the better way to go,” said Wallace. “You have a better insight into potential insider threat. You can improve on anomaly detection when you start to add in some of the other tools that you should have in your environment.”

AI Requires a Multimodal Environment

Wallace added that API configurations “are still managed by humans” and that artificial intelligence can buttress data security within systems.

Pascoe said that NIST is currently working on “a community profile for AI” as part of an update to CSF 2.0. She said that the project is to “both have the secure use of AI and figure out how we can advance AI for cybersecurity” in collaboration with industry, government and academia.

“There is a lot of work already being done in this space and we don’t want to duplicate any of it. If anything, we want to make sure that we are drawing connections between existing resources,” said Pascoe.

Wallace said that AI is still evolving for data security and that agencies need to constantly evolve cybersecurity practices. He cautioned against viewing AI as a singular solution, emphasizing the need for a “multimodal environment” and responsible implementation.

“You need to prepare for a multimodal environment, because you’re going to need AI and [machine learning] or you’re going to need other functions to manage those AIs eventually,” said Wallace.

Krooswyk added that agencies need to use multiple AI models and have insight into what those models are doing and where they are pulling information from. To keep data secure, the complexity of AI systems requires knowledge of the number of models, systems and data involved.

“You’re not using a single model, you’re not using a single interface system, unless you’re hosting it all yourself, even then there’s a public, private partnership issue here,” said Krooswyk. “If you’re hosting the engine yourself, that’s one thing. If you’re in an isolated environment, that’s another. If you’re in the cloud, it may be that you’re actually using one product that has tendrils out into 10 different AI systems, utilizing 15 to 20 different models. I would love for you to know exactly what engines, what clouds and what models you’re using, regardless of what product you are working in.”

The changing environment of cybersecurity and evolving threats require constant vigilance, Pascoe said. She underscored the principle of continuous improvement embedded in CSF 2.0 as a north star for cybersecurity.

“There is no such thing as like, ‘Oh, I did cybersecurity today, and I’m done,’” she said. “We are all continuing to continue to evolve in our cyber security efforts and it is something that we’re continuing to learn from and grow together.”
