Government agencies collect and hold massive amounts of personally identifiable information (PII), creating valuable targets for cybercrime. Recently proposed legislation would impose baseline standards for cyber hygiene on federal agencies. State and local governments, as well as private industry, should measure themselves against the same federal standards to protect against catastrophic loss of PII.
Security experts estimate that approximately 90% of successful cyberattacks succeed because of poor cyber hygiene and security management at the targeted organizations. The Promoting Good Cyber Hygiene Act of 2017 (the “Act”), introduced in the Senate, together with comparable legislation introduced in the House, is designed to address potential shortcomings in federal agencies’ cyber hygiene practices. The Act would require the National Institute of Standards and Technology (NIST) to establish a list of best practices for effective and usable cyber hygiene for use by the Federal Government. The list would also be published as a standard for state and local government agencies, as well as the private sector.
Specifically, NIST must provide a list (1) of simple, basic controls that have the most impact in defending against common cybersecurity threats, (2) that utilizes commercial off-the-shelf technologies, based on international standards, and (3) that, if practicable, is based on and consistent with the Cybersecurity Framework contained in Executive Order 13636 (“Improving Critical Infrastructure Cybersecurity”). The Act also requires DHS, in coordination with the FTC and NIST, to conduct a study on cybersecurity threats relating to the Internet of Things (“IoT”). In August 2017, the Senate introduced the IoT Cybersecurity Improvement Act of 2017, which includes minimum security standards for IoT devices connecting to federal government systems.
The Act requires NIST to consider the benefits of emerging technologies and processes such as multi-factor authentication, data loss prevention, micro-segmentation, data encryption, cloud services, anonymization, software patching and maintenance, phishing education, and other standard cybersecurity measures. NIST, as well as federal and state governments, should also consider implementing the following security best practices:
- Compartmentalize and segment data, and limit access to each segment on a need-to-know basis. Collect only the data that is necessary to provide the agency’s services.
- Train all users (everyone with access to the agency’s systems, including contractors and subcontractors) to identify and avoid security threats.
- Keep comprehensive forensic evidence logs so that, after a data breach, the agency can identify and close the deficiencies in its systems that were exploited.
- Keep all operating system versions and patches up to date, and ensure that vendors do the same for the agency’s systems.
- Monitor user activity for anomalies and discrepancies in access or usage patterns, and track potentially suspicious activity.
- Automate workflows and courses of action to reduce incident response times and minimize the impact of a security breach.
- Create, implement, and continually improve incident response and disaster recovery plans and risk mitigation strategies, both internally and externally, by requiring third-party contractors to implement comparable practices.
- Back up critical data on a continual basis so that the agency is not forced to pay ransomware demands to recover it.
In addition to the new standards contemplated by the Act, existing NIST standards are already being incorporated into federal procurements. Federal Acquisition Regulation (“FAR”) and Department of Defense FAR Supplement (DFARS) provisions incorporated into government contracts require contractors to safeguard systems and information in accordance with all or part of NIST Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” These new mandatory contract clauses underscore the vulnerability of information that does not remain within a single system. True risk mitigation includes requiring strategic partners to comply with proper cybersecurity measures.
In addition to storing PII, government agencies also own and operate critical systems, networks, and infrastructure. In light of the increasingly high-profile, more sophisticated, and more numerous ransomware and other malware attacks, such as WannaCry and NotPetya, which infected networks worldwide in the first half of 2017, it is more critical than ever for government agencies to identify, contain, remediate, and prevent cyberattacks. State and local governments, as well as industry, should take advantage of the lessons learned and best practices incorporated in current and pending federal cybersecurity standards.
Federal standards such as those incorporated into government contracts and contemplated under the Act serve as a baseline, and should be continually re-examined and updated once such best practices are implemented. Cyberattacks are not static and will evolve into more sophisticated, higher-volume attacks. Cyber countermeasures and best practices must follow suit, evolving and improving with each lesson learned from every attack.