Government Corporate Contracting and Cybersecurity
Staci Gaschler
Intrusion Detection and Incident Handling
Dr. Wenbin
21 January 2021
INTRODUCTION
Cybersecurity is an ever-expanding field, because we rely more and more on information
technology to conduct our business. In 2020 alone, spending on cybersecurity was projected to
reach upwards of 123 billion dollars (Columbus, 2020). Of course, our information and
intelligence are only as secure as the information technology and security of the platform that
holds them, and as the analysts behind it (Singh, 2008). As our technologies expand, so too do
the ways we approach the discipline and the ways we solve its challenges and dangers, from
building up internal resources to outsourcing the problem (Sloan & Warner, 2019). However, no
matter which direction we take and how much we invest to protect our information, we will
never reach zero risk when it comes to our information technology and systems.
PROBLEM STATEMENT
Government information technology is like a titanosaur. It is one of the largest entities
on earth but is falling behind the times. As it grows, it has trouble keeping up with the field and
so exposes itself to risk of loss and damage, both to itself and to the real people working for the
government. This was the case in the 2013-2015 hacking of the Office of Personnel
Management. Further, corporate and government information technology and cybersecurity
interact more often than most people recognize. To be effective, the government relies on the
ingenuity of the private sector, and the partnerships between the two are key to the success of
the nation. However, a partnership between the government and thousands of contracting
companies means that different languages will be spoken in a still-growing field. Without a
clear, standardized understanding of security expectations, different programs will operate to
differently interpreted standards. This introduces incredible risk, even in the unclassified world.
The Council of Economic Advisers estimates that malicious cyber actors cost the US economy
$570 billion to $1.07 trillion over a ten-year period. There is more than cost involved; it is an
issue of national security as well. As shared in the Federal Register, “The theft of intellectual
property and sensitive information from all U.S. industrial sectors due to malicious cyber
activity threatens U.S. economic and national security. The aggregate loss of intellectual
property and certain unclassified information from the DoD supply chain can undercut U.S.
technical advantages and innovation, as well as significantly increase risk to national security”
(Defense Acquisition Regulations System, Department of Defense (DoD), 2020). This means that
the world is both less secure and more expensive, as well as more cumbersome (Singh, 2008).
RELEVANCE AND SIGNIFICANCE
Office of Personnel Management
As the United States government continues to catch up to the ever-evolving world of
technology and cybersecurity, there are many instances where the security of our
government’s information technology has serious significance for our national security, trust,
and general wellbeing. A 2019 survey of local governments within the United States found that
although localities are subject to near-constant cyber attack (half of respondents reported
fielding daily attacks), their mitigation efforts and practices remain extremely poor. The
conclusion was that cybersecurity in the localities is underprepared and underfunded (Norris,
2019). One would still expect the Federal level to be much more secure, but that is not so. The
two-year-long Office of Personnel Management breach caught worldwide attention.
In June 2015, the Office of Personnel Management announced a major data breach
which affected over four million workers, civilians, servicemembers and contractors, across
every conceivable government agency (Faragher, 2015). The intrusion began in 2013, likely by
Chinese attackers, and took two years to announce, and then only after a year of foibles and
mishandled countermeasures that allowed the hackers unmonitored and continued access
(Fruhlinger, 2020). The significance of this loss is hard to overstate; the data included security
clearance forms for those people trusted with our highest security clearances and with access to
our most sensitive information and intelligence (Fruhlinger, 2020). This could allow our
adversaries to impersonate or blackmail the victims and their families (Faragher, 2015). Despite
the Office of Personnel Management’s spilt-milk solution of free credit monitoring for all those
potentially affected, the damage from the loss remains staggering and still unquantifiable, as the
full consequences may remain unknown.
How did this happen? On the surface, the answers are technical, such as the lack of
two-factor authentication on OPM’s systems. A more bird’s-eye view sheds light on other, more
systemic answers, the most egregious being ego and hubris.
Private Meets Public
Government contracts are another source of risk, and there are many proactive efforts to
meet that challenge. The cybersecurity requirements placed on government contractors to
mitigate that risk have grown increasingly demanding. The most recent example is a new rule
that came into effect at the end of November 2020. The rule amends the Defense Federal
Acquisition Regulation Supplement by requiring the “implementation of a DoD Assessment
Methodology and Cybersecurity Maturity Model Certification (CMMC) framework to ensure
unclassified information within the Department of Defense supply chain is protected” (Brook,
2020). In effect this means that every contracting company, whether a subcontractor or a prime,
will have to undergo assessments by third parties to find where it falls in the model, as in
Figure 1 below.
Figure 1, Defense Federal Acquisition Regulation Supplement: Assessing Contractor
Implementation of Cybersecurity Requirements (DFARS Case 2019-D041), 85 FR 61505.
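The assessment the rule requires produces a numeric score, and the arithmetic behind that score is worth seeing, since it is what a contractor posts to the government and what a prime sees for its subcontractors. The following is an added example, not code from this paper, DoD or the CMMC program. It assumes the scoring mechanics of the published NIST SP 800-171 DoD Assessment Methodology (start at 110, subtract 5, 3 or 1 points for each requirement not implemented, with partial credit only for 3.5.3 multifactor authentication and 3.13.11 FIPS-validated cryptography); the WEIGHTS table is a constructed subset of the 110 requirements whose values should be checked against the current methodology annex, the function names are mine, and the sample contractor statuses are invented.

```python
"""Illustrative scorer for a NIST SP 800-171 DoD Assessment (Basic level).

Added example, not code from the paper, DoD or CMMC. Mechanics follow the
published DoD Assessment Methodology: start at 110 (one point per
requirement) and subtract a weighted value (5, 3 or 1) for every requirement
that is not implemented; only 3.5.3 (MFA) and 3.13.11 (FIPS crypto) allow a
reduced, partial-credit deduction. WEIGHTS is a constructed subset; any
requirement not listed is treated as implemented for this illustration.
"""
from typing import Dict, List, Tuple

MAX_SCORE = 110

# Constructed subset: requirement id -> (description, points lost if not met).
# Assumption: verify each weight against the current methodology annex.
WEIGHTS: Dict[str, Tuple[str, int]] = {
    "3.1.1": ("limit system access to authorized users", 5),
    "3.1.2": ("limit access to authorized transactions and functions", 5),
    "3.1.4": ("separate the duties of individuals", 1),
    "3.1.5": ("employ the principle of least privilege", 3),
    "3.3.1": ("create and retain system audit logs", 5),
    "3.4.1": ("establish and maintain baseline configurations", 5),
    "3.5.1": ("identify users, processes and devices", 5),
    "3.5.2": ("authenticate users, processes and devices", 5),
    "3.5.3": ("use multifactor authentication", 5),
    "3.13.11": ("employ FIPS-validated cryptography to protect CUI", 5),
    "3.14.1": ("identify, report and correct system flaws", 5),
    "3.14.2": ("provide protection from malicious code", 5),
}

# Partial-credit rules: reduced deduction when the requirement is partly met
# in the specific way the methodology describes.
PARTIAL_DEDUCTION: Dict[str, int] = {
    "3.5.3": 3,    # MFA for remote and privileged users, not yet general users
    "3.13.11": 3,  # encryption in place, but the module is not FIPS-validated
}

VALID_STATUSES = {"implemented", "partial", "not_implemented"}


def score_assessment(statuses: Dict[str, str]) -> Tuple[int, List[Tuple[str, int, str]]]:
    """Return (score, deductions) for a mapping of requirement id -> status.

    Every requirement in WEIGHTS must be given a status; a missing entry is an
    error rather than silently counted as implemented, because an unassessed
    requirement cannot earn its point. Deductions are (id, points, description).
    """
    missing = sorted(set(WEIGHTS) - set(statuses))
    if missing:
        raise ValueError(f"no status recorded for requirements: {missing}")
    deductions: List[Tuple[str, int, str]] = []
    for req_id, status in statuses.items():
        if req_id not in WEIGHTS:
            raise ValueError(f"unknown requirement id: {req_id}")
        if status not in VALID_STATUSES:
            raise ValueError(f"bad status {status!r} for {req_id}")
        description, weight = WEIGHTS[req_id]
        if status == "implemented":
            continue
        if status == "partial":
            if req_id not in PARTIAL_DEDUCTION:
                raise ValueError(f"{req_id} does not allow partial credit")
            weight = PARTIAL_DEDUCTION[req_id]
        deductions.append((req_id, weight, description))
    return MAX_SCORE - sum(points for _, points, _ in deductions), deductions


def worst_gaps(deductions: List[Tuple[str, int, str]], n: int = 3) -> List[Tuple[str, int, str]]:
    """The n deductions that cost the most points, i.e. what to remediate first."""
    return sorted(deductions, key=lambda d: d[1], reverse=True)[:n]


# Constructed sample contractor: everything implemented except three items.
SAMPLE_STATUSES: Dict[str, str] = {req_id: "implemented" for req_id in WEIGHTS}
SAMPLE_STATUSES.update({
    "3.5.3": "partial",            # MFA only on VPN and administrator accounts
    "3.13.11": "not_implemented",  # TLS in use, but with a non-validated module
    "3.1.4": "not_implemented",    # one engineer both deploys and audits
})

if __name__ == "__main__":
    total, gaps = score_assessment(SAMPLE_STATUSES)
    print(f"assessment score: {total}/{MAX_SCORE}")
    for req_id, points, description in worst_gaps(gaps):
        print(f"  -{points}  {req_id}: {description}")
```

The point the scorer makes visible is that the weights, not the count of gaps, drive the score: three unmet items here cost nine points, and a single missing access-control or audit requirement costs as much as the MFA and FIPS gaps combined.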
The importance of public trust in our cybersecurity partnerships was also stark in 2020.
Regardless of the side and stance taken in the 2020 election, it was a controversial year. Whether
or not it was warranted, there existed serious doubt about the security and the sanctity of the
election, specifically in relation to Dominion Voting Systems. There continue to be allegations
of algorithms within the code that ‘flip’ votes from one candidate to another. Due to the
severity, adamancy, and frequency of these allegations, the Chief Executive Officer, John
Poulos, wrote an article in the Wall Street Journal to dispel concern about security risk inherent
in the system. He wrote that, “Third-party test labs, chosen by the bipartisan Election
Assistance Commission and accredited by a program of the National Institute of Standards and
Technology, perform complete source-code reviews on every federally certified tabulation
system. States replicate this process for their own certifications,” all of which contribute to
ensuring that the election is secure (Poulos, 2020). The regulations associated with Dominion
Voting Systems’ contract, although they do not appease the concerns about fraud and malicious
actors in our election processes, are a necessary tool and requirement when those concerns go
before audits and investigations.
A Solution Across the Pond
The United Kingdom has met with the same challenges as the United States and has
developed a three-tiered approach to attacking them: ensuring that adequate measures are
taken before a breach happens, imposing fines on those who do not take them, and having the
individual user take responsibility for his or her access to systems.
One issue with government work is that people do not feel personal responsibility or
ramifications for incompetence that leads to real damage. This is because there is no profit
motive and therefore less incentive to do well, as not everyone is motivated by a sense of
personal accomplishment. For this reason, targeted fines and liability make a lot of sense as a
way to improve cybersecurity. For example, in 2015 the Sussex police were fined £160,000 for
mishandling evidence and unintentionally leaking a video interview with a sexual assault victim.
There is currently a cap on that kind of liability, but as stated in Employer’s Law, “fines
issued by the Information Commissioner are capped at £500,000, but proposed new EU data
protection legislation could see the introduction of far more punitive fines of up to €100,000,
or 5% of a company's annual turnover” (Faragher, 2015). This means that the fiduciaries will
have a stake in their own security, which is a model that the United States may well benefit
from adopting.
Conclusion
Finally, cybersecurity will never be perfect, and we will never reach zero risk. The
regulatory structure that governs the contracting necessary for the government to function must
be well developed without being over-cumbersome to progress, for example by locking
appropriate and trusted users out of systems. These regulations must not overly detract from the
work necessary to run an effective government. Regulation does slow progress, so we must
come to terms with the appropriate amount of risk, both regulatory and cyber.
References
Brook, C. (2020, November 10). New Government Contractor Cybersecurity Requirements Loom.
Retrieved from Digital Guardian: https://digitalguardian.com/blog/new-government-contractor-cybersecurity-requirements-loom
Columbus, L. (2020, August 9). Cybersecurity Spending To Reach $123B In 2020. Retrieved from Forbes:
https://www.forbes.com/sites/louiscolumbus/2020/08/09/cybersecurity-spending-to-reach-123b-in-2020/?sh=252515a1705f
Defense Acquisition Regulations System, Department of Defense (DoD). (2020). Defense Federal
Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity
Requirements (DFARS Case 2019-D041). Federal Register. Retrieved from
https://www.federalregister.gov/documents/2020/09/29/2020-21123/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of
Faragher, J. (2015). Workers' data hacked in US Government breach. Employer's Law, 17.
Fruhlinger, J. (2020, February 12). The OPM hack explained: Bad security practices meet China's Captain
America. Retrieved from CSO: https://www.csoonline.com/article/3318238/the-opm-hack-explained-bad-security-practices-meet-chinas-captain-america.html
Henderson, T. (2016). U.S. government data security is an embarrassment. Network World. Retrieved
January 21, 2021.
Norris, D. (2019). Cyberattacks at the Grass Roots: American Local Governments and the Need for High
Levels of Cybersecurity. Public Administration Review, 79(6), 895-904.
Poulos, J. (2020, November 30). Fake Claims About Dominion Voting Systems Do Real Damage.
Retrieved from The Wall Street Journal: https://www.wsj.com/articles/fake-claims-about-dominion-voting-systems-do-real-damage-11606755399
Singh, H. (2008). Security issues in government contracts and subcontracts: An analysis of information
security policy and practices. ProQuest Dissertations Publishing.
Sloan, R., & Warner, R. (2019). Why Don't We Defend Better? Boca Raton: CRC Press.