Recent data breaches in government agencies have raised concerns about cyber security. Former White House chief information officer (CIO) Theresa Payton discusses the new challenges facing the government and the best way to deal with threats.
If anyone knows about cyber security threats in the government, it’s Theresa Payton. She served as the White House chief information officer (CIO) for the Bush administration from 2006 to 2008, overseeing the information security of more than 3,000 members of the executive branch.
Now the CEO of Fortalice and co-founder of tech startup Dark Cubed, she consults to public and private organizations on security, risk and fraud. Theresa shares her insights on cyber security in government agencies and the challenges professionals face.
What are the new challenges government agencies face in fighting cyber crime?
Some things don’t change. The idea that the human element could be your weakest link in the chain – that is still the main constant.
When you look at some of the most recent data breaches that were accidental, when you look at the forensics, oftentimes it’s the human element that’s the cause. For instance, a password that was used on a private sector online site that was breached and then they recycled the same password at work; plugging in a thumb drive; or clicking on a link in a spear phishing email. A lot of that has not changed.
However, the tactics of the cyber criminal have changed. They’ve honed their ability to create really sophisticated spear phishing emails that look like they’re coming from a different department and agency. Social engineering can be done at massive scale with massive sophistication. That has changed.
How does the government balance cyber security and privacy?
The first thing is making sure you’ve got the appropriate training in place. Advanced education, like a Master’s degree in cyber security, is an essential part of any cyber security professional’s training. These programs form the foundations for a professional’s career progression and development, with other certifications and workplace-mandated programs adding further detail.
For example, government organizations like the Department of Homeland Security often ask employees to undertake privacy training. You may be asked annually to do up to eight hours on understanding your responsibility as an employee to protect the privacy of information you come in contact with each and every day.
The other thing that government organizations will need to do as they think of insider-threat protocol is really trying to understand both accidental insider threat and the on-purpose insider threat – somebody willingly taking information off the government’s network and putting it on portable media or sending it to their home email for whatever purpose.
You need to put in place a government structure and actually make sure you’re in compliance with privacy regulations. Be open and candid and offer both written and verbal training and communications. Demonstrate that you have a program in place and explain what you’re monitoring and how this fits into the government structure. This allows you to be a good steward of the privacy of your own employees and contractors while at the same time being a good steward of the data you’re protecting.
How can the public and private sectors work together to improve cyber security?
One of the biggest things you can do is share information. One of the largest underreported crimes of last year was ransomware.
When a hacker holds a company’s files for ransom, companies are finding that for $500 or $1,000 they’d prefer to pay the money and not tell anybody. They’re embarrassed and they don’t want their competitors to know, so they don’t report it.
I understand why. Businesses are busy. You were distracted by the ransomware. You had to get back online and take care of your customers. However, when companies don’t report this information – and there are ways to do it where you’re not named as the victim – then the greater good of the community suffers.
When your company is a victim of a cyber crime, you can actually contact your local FBI and tell them you don’t want your name to be used. That way you can report that something has happened for the greater good while still maintaining your anonymity.
Of course, if it creates something that’s a reportable event, like stolen healthcare information or social security numbers, then that’s a different issue. You and your chief information officer have an obligation and a duty to report it.
How does your company assist the government in fighting cyber crime?
We have worked with both federal and local government organizations. We have done everything from risk assessments to adversarial targeting.
We’ll study the government organization and talk about what the threats are: who would want to attack, who would be surveilling the government organization? We would act like the adversary and do social engineering, ‘red teaming’ and penetration testing, and then go over our findings with the government organization.
We’ve also done education and awareness segments where we made their employees more aware of the social engineering that sits behind cyber crime and phishing attempts and how to report issues.