Cybersecurity is a perennial focus of government, but with a year of high-profile cyber incidents behind us, a new federal mandate, and ongoing remote work, 2022 is shaping up to be a key turning point in how government implements modern cybersecurity practices. This 2022 cybersecurity trend report aims to outline the key trends shaping government’s approach to securing data and systems.
The Executive Order on Improving the Nation’s Cybersecurity (Cyber EO), issued in 2021, serves to prioritize cybersecurity reviews and improvements. This focus and direction are helpful as “improving cybersecurity” is a huge, multi-layer undertaking. Over the next year, agencies must show progress in:
- Improving software supply chain security
- Creating a standard playbook for responding to cyber incidents
- Improving detection of cybersecurity incidents
- Improving cybersecurity investigation and remediation
- Modernizing and implementing stronger cybersecurity standards in government
To help agencies in meeting these goals of cybersecurity modernization, we’ve pinpointed five key cybersecurity trends government needs to be dialed into as they work toward Cyber EO compliance.
1. The Expanding Attack Surface as a Long-Term Reality
Telework is a long-term reality for our government workforce. In 2021, two thirds of the federal workforce were still primarily working remotely. This number is unlikely to change significantly after the pandemic risks are behind us, making remote work cybersecurity an ongoing challenge. Additionally, more and more government services have moved completely online to meet the needs of citizens staying at home. Again, a return to standing in line at government offices is unlikely as citizens expect to receive services with a click or a tap of a finger whether they are hailing a ride or checking on the status of a tax refund.
It is estimated that the pandemic response accelerated digital transformation by seven years. New digital systems for employees and citizens are (for the most part) working smoothly, but that does not mean it is time to rest. 2022 may be the year to step back and really look at the digital investments made over the past two years to see if they are simply “keeping the lights on.” Will the solutions in place today continue to scale to support the organization and respond to the ever-changing threat landscape?
Meeting the threat with zero trust
The Cyber EO highlights zero trust as one way to meet the challenges introduced by the expanding attack surface. A zero trust architecture (ZTA) is what it sounds like: an approach to security where no person, machine, or application is viewed as trusted until it is authenticated and verified. While this may sound like a herculean task, zero trust relies on very granular, rigid user identification policies along with strict authentication, and a number of different technologies work together to keep organizations secure while making the process appear seamless to end users:
- Enhanced Identity Governance: Focusing on letting the right person or device get to the right resources by verifying their identities and assigned attributes.
- Micro-Segmentation: Placing individual resources or small groups of related resources on their own network segments and protecting each segment's data with its own layer of security.
- Network Infrastructure and Software Defined Perimeters (SDP): Replacing a hardware-defined network perimeter with a software-defined one, so that the infrastructure is invisible to external individuals (including the attackers) and can only be accessed by authorized subjects.
A zero trust approach is important not just in meeting today’s reality of remote work and digital access for citizens – it is critical to meet the upcoming influx of Internet of Things (IoT) technologies being deployed.
2. Growth of IoT Connected Devices
With Build Back Better funding passed and additional infrastructure funding likely coming, states and localities (as well as the federal government) will have the resources they need to bring smart city and smart infrastructure plans into reality. Today, there are an estimated 12 billion connected devices and trillions of sensors working among those devices. That number is expected to grow to more than 30 billion by 2025. These IoT devices provide visibility into critical infrastructure security including road conditions, bridge stability, traffic pacing, electrical grid, water sources, and more. They also provide an on-ramp for bad actors to access the networks they connect to, elevating the need for smart city cybersecurity policies and processes.
As IoT technology and systems are rolled out, government agencies must look at IoT cybersecurity at a number of different levels. NIST issued guidance on establishing IoT device security, detailing how support for security requirements is needed below the information system level and should be examined on the devices themselves. This need to look at every element of a system is tied closely to supply chain security challenges.
3. Elevated Focus on Supply Chain Cybersecurity
A supply chain breach means that an attacker infiltrates a system through a third-party supplier instead of attacking the network directly. As we saw with SolarWinds and Microsoft in 2021, these types of attacks can be far-reaching given the number of customers these companies have. Supply chain attacks are hard to identify because they are buried within the code of third-party technology.
Supply chain cybersecurity is a key focus of the Cyber EO and other executive-level guidance. The GAO issued a report showing that in late 2020 (concurrent with the SolarWinds incident) “none of 23 civilian agencies had fully implemented selected foundational practices for managing information and communication technology (ICT) supply chain risks—known as supply chain risk management (SCRM).”
Supply chain starts within
Agencies are quickly taking steps to get these foundational practices in place with the help of guidance from NIST. NIST's definition of “critical software” has allowed agencies to home in on the technologies to prioritize for security evaluation and updates. It includes identity controls, endpoint protection, data backup, web browsers, and network and operational monitoring tools. 2022 will see a continued focus on understanding all of the elements that make up digital systems.
Industry plays a role in securing supply chain
Vendors also have a role to play here. NIST issued guidance on best practices for vendors to maintain the security and integrity of their software code, under which vendors must confirm they meet security rules before their solution can be used in a government system. Within a year, language will be added to the Federal Acquisition Regulation (FAR) to cover these new supply chain security practices. Together, government and industry can close the doors that allow attackers to exploit critical systems and infrastructure. Supply chain attacks were not the only high-profile attacks that spurred the Executive Office focus on security. Ransomware also had a huge impact in 2021.
4. Tracking Ransomware Trends
The highest-profile ransomware attack of 2021 was the Colonial Pipeline hack, but smaller, yet just as impactful, attacks are happening daily. State, local, and educational institutions have proven to be attractive targets for ransomware attacks. These organizations tend to have less sophisticated security (because of lower funding, not for lack of attention) while holding personal data that is incredibly valuable. One study found that espionage was the motive behind 11% of higher education cyber attacks.
Email’s role in ransomware
It is estimated that one in every 6,000 emails contains a suspicious link, and clicking these links is a main vector for ransomware. This vector can be immobilized with better education on basic cyber hygiene and the phishing methods used to get well-intentioned people to click links that can shut down entire systems. To further disable this threat, agencies must incorporate cyber education into 2022 employee benefits and resource planning.
In addition to personal responsibility, many support ransomware policy changes, including incentivizing organizations to use ransomware-resistant best practices, ending victims’ ability to pass cyber ransom costs along to insurance providers, and banning the payment of ransoms.
5. Addressing the Cybersecurity Skills Gap
While educating employees on cybersecurity best practices is important and can make a critical difference, agencies should also focus on hiring people trained in the technical and logistical side of cybersecurity into their workforce.
Government must undertake a concerted recruiting effort to onboard digital natives and those graduating with cyber degrees, but to do so will need to compete with the perks and pay that the private sector offers. Flexibility in work location, access to modern technologies, and an emphasis on the service aspect of public service are needed to woo cyber talent into government organizations.
This gap can also be closed by re-skilling people already in the public sector workforce. As automation streamlines manual tasks, many in the workforce can now apply their skills to jobs that require higher-level thinking and action. A government-run academy can help train existing employees as well as new hires in the exact skills needed within government.
Tracking Government Cybersecurity Trends through 2022
GovWhitePapers will stay informed on these cybersecurity trends as well as new trends discovered throughout the year in an effort to provide valuable resources to the community. Our goal is to help government navigate challenges, learn best practices, and stay up to date on technology innovations to continue driving government technology innovation forward.