The fallout from the latest leak of highly classified information from the Department of Defense (DoD) is just beginning to be felt. This intelligence debacle demonstrates a clear need for government departments and agencies to monitor more closely who is accessing their databases and networks. With over one million individuals currently holding a top secret security clearance and an even larger number authorized to view secret and confidential information, the risk of a leak is very high. In addition to the millions of clearance holders, there are many more millions of computers, devices, and sensors that are part of government networks. Together, they make securing information a daunting challenge.
Given the size of government networks and the number of access points into them, it is clear that the traditional approach to cybersecurity, building an impenetrable perimeter against hostile penetration, is going to fail. Even if such a perimeter held, it would not address the insider threat from individuals such as Edward Snowden and Jack Teixeira, who were already inside it.
The current consensus among cybersecurity leaders is that providers of IT services and their customers must operate with the assumption that hostile actors are able to penetrate networks and gain access to, or even manipulate, their information. The appropriate response is a strategy based on the principle of Zero Trust. As described by a premier cybersecurity company, “Zero trust is a cybersecurity framework developed around the concept of ‘never trust, always verify.’ It requires all users, whether they are inside or outside an organization’s network, to be continuously validated to access applications and data.”
Zero Trust requires continual monitoring of networks in order to know who is seeking access, what information they are authorized to access, and whether the proper security protocols and software are in place to protect that information. Because of the magnitude of that task and the speed at which it must be performed, implementing Zero Trust requires a sophisticated automated capability that not only identifies and tracks actors on a network but also establishes their identity and the legitimacy of each access request. One such system being developed for DoD is Identity, Credential and Access Management, or ICAM.
Even with the best automated security systems, protecting government networks requires a large cadre of trained cyber specialists. DoD, which operates the largest set of networks in the federal government, deploys specialists at all levels of the organization, at overseas bases and posts, and within units in the field. Some are in uniform, others are DoD-employed civilians, and still others are private contractors. Because it recognizes the centrality of cyberwarfare in future high-end conflicts and the increasing danger posed by cyber threats, DoD is working to expand its cadre of cybersecurity specialists.
Other federal departments and agencies are also taking the need to provide enhanced security for their respective networks, computers, and databases more seriously. One of these is the State Department. With 163 embassies and 93 consulates around the world and the need to access an enormous amount of classified data, State Department networks and nodes are a lucrative target for malevolent actors. Given the presence of non-U.S. citizens at virtually all embassies and consulates, there must also be concern for insider threats.
Over the past few years, the State Department has begun to invest serious resources in enhanced cybersecurity. According to the Department’s chief information officer, today some 80 percent of their systems use multifactor authentication to identify and credential users, a major increase from the recent past. State also has begun to employ what it calls “cybersecurity scorecards” to determine the adequacy of security measures on the networks at its various locations.
This month, the Department took another step forward. Ambassador at Large for Cyberspace and Digital Policy Nathaniel Fick announced that the State Department’s Bureau of Cyberspace and Digital Policy would finally implement its plans to put a trained cyber and digital officer in every embassy, saying this would be accomplished by the end of next year. But developing a cadre of cyber experts of sufficient size and training to address the range of issues confronting the State Department in the digital domain is no small task. Recently, the Foreign Service created a skill code for individuals with the requisite cyber background and knowledge within the organization.
While the State Department must be applauded for moving forward on a long-standing commitment to enhance its cybersecurity and digital workforce, this action is not sufficient. At present, the State Department’s Bureau of Cyberspace and Digital Policy has 115 cyber specialists on staff, with authorization to add 25 more as expected civil service hires. The bureau also has headroom for 30 additional personnel.
Unfortunately, the resulting total of 170 cyber-trained individuals across the department is inadequate to meet Ambassador Fick’s commitment to put even one of these experts in each of the 163 embassies once the need to staff State Department installations in the United States is taken into account. Moreover, not all of these individuals will be assigned the cyber defense mission. In addition, what happens when that lone person is out sick, on vacation, or at a training session? The proposed number also provides no experts to staff the 93 consulates.
The State Department is in danger of succumbing to the fallacy that by making some progress, it has solved the whole problem. The department needs to take action to hire or develop a cyber cadre sufficient to provide a high level of security for its 256 embassies and consulates. Just to maintain a continuous cyber presence at all of these installations and at headquarters would require numbers on the order of 1,000 individuals.
While State has made progress in applying automated security systems to its networks, more needs to be done. The department should look at what the Defense Department has done in developing the tools and techniques associated with its Comply-to-Connect concept for implementing Zero Trust. Defense’s ICAM capability is another potential option to address the State Department’s need for automated identity verification of network users.
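To make concrete what the Zero Trust and Comply-to-Connect ideas above actually mean at the point where an access request is decided, here is an added example, not code from the article, from DoD, or from any ICAM or Comply-to-Connect product. It is a minimal policy decision point that evaluates every request on the three axes the article names: who is asking (identity, with a fresh multifactor proof), whether the device meets a posture baseline before it is allowed to connect, and whether the principal is cleared and has need-to-know for the resource's classification. Note that the requester's network location is deliberately not an input, which is the "inside or outside the network" point in the quoted definition. All class names, control names, thresholds, and sample users are illustrative assumptions.

```python
"""
Added example: a toy Zero Trust policy decision point.
Every request is evaluated from scratch; nothing is trusted because of
where it came from. Names, thresholds and sample data are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass
from enum import IntEnum
import time

class Level(IntEnum):            # classification ladder; higher dominates lower
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3

@dataclass(frozen=True)
class Principal:
    user_id: str
    clearance: Level
    compartments: frozenset        # need-to-know tags the user holds
    mfa_verified_at: float         # epoch seconds of the last MFA proof
    on_internal_network: bool = False   # carried along but ignored on purpose

@dataclass(frozen=True)
class DevicePosture:
    managed: bool                  # enrolled in device management
    disk_encrypted: bool
    patch_age_days: int
    edr_running: bool

@dataclass(frozen=True)
class Resource:
    name: str
    classification: Level
    compartments: frozenset = frozenset()

MFA_MAX_AGE_SECONDS = 8 * 3600     # re-prove identity at least once per shift (assumed)
MAX_PATCH_AGE_DAYS = 30            # assumed comply-to-connect baseline

def device_compliant(d: DevicePosture) -> list[str]:
    """Comply-to-connect style posture check. Returns failed controls; empty means compliant."""
    failures = []
    if not d.managed:
        failures.append("device-unmanaged")
    if not d.disk_encrypted:
        failures.append("disk-not-encrypted")
    if d.patch_age_days > MAX_PATCH_AGE_DAYS:
        failures.append(f"patches-older-than-{MAX_PATCH_AGE_DAYS}d")
    if not d.edr_running:
        failures.append("edr-not-running")
    return failures

def authorize(p: Principal, d: DevicePosture, r: Resource,
              now: float | None = None) -> tuple[bool, list[str]]:
    """Per-request decision: (allowed, reasons). Any reason denies.

    Order of checks: identity freshness, device posture, clearance, need-to-know.
    p.on_internal_network is never consulted: inside is treated like outside.
    """
    now = time.time() if now is None else now
    reasons: list[str] = []
    if now - p.mfa_verified_at > MFA_MAX_AGE_SECONDS:
        reasons.append("mfa-stale")
    reasons.extend(device_compliant(d))
    if p.clearance < r.classification:
        reasons.append("clearance-insufficient")
    missing = r.compartments - p.compartments
    if missing:
        reasons.append("need-to-know:" + ",".join(sorted(missing)))
    return (not reasons, reasons)

def audit_line(p: Principal, r: Resource, decision: tuple[bool, list[str]]) -> str:
    """One log line per decision, so denials can be investigated later."""
    allowed, reasons = decision
    verdict = "ALLOW" if allowed else "DENY"
    return f"{verdict} user={p.user_id} resource={r.name} reasons={';'.join(reasons) or '-'}"

if __name__ == "__main__":
    # Constructed sample data, not real users or systems.
    NOW = 1_700_000_000.0
    alice = Principal("alice", Level.TOP_SECRET, frozenset({"ALPHA"}), NOW - 600)
    good_laptop = DevicePosture(managed=True, disk_encrypted=True, patch_age_days=3, edr_running=True)
    bad_laptop = DevicePosture(managed=False, disk_encrypted=True, patch_age_days=45, edr_running=False)
    cable_archive = Resource("cable-archive", Level.SECRET, frozenset({"ALPHA"}))
    print(audit_line(alice, cable_archive, authorize(alice, good_laptop, cable_archive, NOW)))
    print(audit_line(alice, cable_archive, authorize(alice, bad_laptop, cable_archive, NOW)))
```

The design point worth noticing is that a compliant device and a valid clearance are each necessary but never sufficient: a cleared user on an unpatched laptop, or a managed laptop in the hands of someone whose MFA proof has aged out, is denied with the specific failed control recorded, which is what lets the automated system scale to many requests while still leaving an investigable trail for the human cyber cadre the article argues for.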
Dr. Goure is Senior Vice President with the Lexington Institute, a nonprofit public-policy research organization headquartered in Arlington, Virginia. He is involved in a wide range of issues as part of the institute’s national security program. Goure is a 19FortyFive Contributing Editor.