Lately, it seems like a day doesn’t go by without hearing about havoc wreaked by cyberattacks in the public and private sectors alike. Just look at the headlines:
- “C.I.A. scrambles to contain damage from WikiLeaks documents” – New York Times, March 8, 2017
- “U.S. authorities charge Russian spies, hackers in huge Yahoo hack” – Reuters, March 16, 2017
- “Angry Shadow Brokers release password for suspected NSA hacking tools” – PC World from IDG, April 10, 2017
The issue isn’t a new one, but it doesn’t appear to be going away any time soon either. In the U.S., anyone from common criminals to government contractors might be behind data theft or loss. Beyond our borders, malicious actors, like foreign intelligence organizations or international terrorist groups, are relentless in their pursuit of the most highly classified information that could put our nation’s security at risk.
The cost of data breaches is staggering. The 2015 Office of Personnel Management breach, for example, cost an estimated $1 billion and exposed the personal data of over 2.1 million citizens. Similarly, Edward Snowden’s breach of the National Security Agency in 2013 hurt national security, put American military lives at risk and cost many U.S. commercial companies billions of dollars in lost global business.
The U.S. Government Says “Enough”
Following the NSA breach, the Executive Office of the President enacted new measures to protect our nation’s most sensitive information, and on November 18, 2013, the Office of Management and Budget issued a memorandum titled Enhancing the Security of Federal Information and Information Systems. The plan, which outlined a strategy for bolstering the nation’s cybersecurity position, included best-of-breed technology, engineering, automation and monitoring.
In conjunction with the memorandum, the Department of Homeland Security established the Continuous Diagnostics and Mitigation (CDM) program, which offered assistance to federal, state, local and tribal governments in procuring the tools needed to effectively secure their information systems. Through CDM, the DHS hoped to gain a better understanding of what resides on government networks, learn which risks are most relevant and find the best techniques to mitigate and continually monitor them. DHS envisioned implementing the CDM program in three phases, focusing on endpoints, identities and network traffic:
- Phase I – Scan systems and find vulnerabilities.
- Phase II – Limit access, establish identity management and respond to activity.
- Phase III – Continuously monitor for anomalous activity; respond and mitigate accordingly.
The Threat Persists
Originally conceived as a five-year program with a funding cap of $6 billion, the CDM program is now in its fifth year. Yet with the constantly changing and increasingly sophisticated threat landscape, it has become evident that the program requires an extension, as well as some adjustments, if it is to keep pace. Just prior to stepping down from his position as our nation’s first federal chief information officer (FCIO), Retired Brig. Gen. Touhill strongly urged the government to “double down” on the CDM program. While CDM has undoubtedly improved the security of perimeters, networks and architectures of U.S. systems, continued incidents, such as recent ones involving the DNC and the CIA, reveal a dire need for enhanced security at the level of data itself.
In response to that need – and in line with Touhill’s recommendation – the DHS recently requested $266.97 million from Congress to fund a proposed fourth phase of the CDM program. Like the first three phases, the fourth would also enable agencies across the civilian domain to procure the best cybersecurity methods available – but this time with a strong focus on tools to protect data at a granular level.
The Role of Digital Rights Management
Digital Rights Management is one of five data-centric technologies that Phase IV of CDM would make available. The five are:
- Data Masking – mimics current data stores.
- Encryption – encodes the transfer of data.
- Micro-segmentation – creates multiple compartments within a system for data storage.
- Mobile Device Protection – deploys, secures, monitors, integrates and manages multiple mobile devices in the workplace, including smartphones, tablets and laptops.
- Digital Rights Management (DRM) – allows only previously authorized people to access and manipulate specific data.
Of these tools, the last – DRM – possesses the critical ability to protect data wherever it resides throughout its lifecycle by ensuring only authorized, intended recipients can access it. Even if a bad actor successfully breaches a network, whether from an endpoint or the periphery, any stolen data would remain encrypted and unreadable to the attacker. With DRM programs in place where highly classified information resides, we might have averted disastrous losses.
Cybersecurity is a Nonpartisan Issue
With the promise of improved data-protection tools like DRM, many in the public sector believe the CDM program expansion and increased funding request should be a nonpartisan issue and hope to see it quickly approved in Congress. What do you think? Does your agency employ any of the tools available through the CDM program? If so, please share your experience with us!