Federal agencies are faced with a number of unique challenges when it comes to securing their sprawling IT networks—particularly because they protect some of the most sensitive data and face severe consequences around national security. Given the nature of this information, nation-state actors and cybercriminals are constantly seeking new avenues to infiltrate systems and gain access to this data.
To learn more about the cybersecurity challenges facing Federal agencies, we asked Fortinet Federal’s Bob Fortna and Jim Richberg as well as Aamir Lakhani from Fortinet’s FortiGuard Labs threat intelligence team to share their perspective on how these organizations can effectively protect their critical data and infrastructure against advanced cyber threats.
What are the most significant cybersecurity trends top of mind for Federal agencies now, from both a technology and threat perspective?
Bob: I have worked in the Federal sector for years, and some concerns persist, but of course new concerns appear as cyber threats evolve. With a sophisticated threat landscape, an expanding attack surface, continuous government mandates, and a growing cyber skills gap, cybersecurity is top of mind. Some specific topics that come up frequently are: persistent attacks from nation-state actors, protecting mission and agency data, ensuring security in a work-from-home environment, maintaining and upskilling a cybersecurity-skilled labor force, secure cloud migration, and of course election security.
Jim: One of the biggest issues that is top of mind for agencies right now is not unique to Federal agencies—that of building capacity for a ‘new normal’, including sustained, reliable, and secure remote telework by a significant portion of their workforce. Where this challenge becomes unique to Federal agencies is that they have to implement it against requirements such as TIC 3.0 standards for cloud access and CISA’s interim guidance on remote telework. Some agencies, especially those with a significant geographically distributed presence, are also beginning to explore software-defined networking – SD-WAN and SD-Branch. These capabilities have enjoyed dramatic growth in the private sector because of their cost and performance advantages, along with greater operational flexibility.
Aamir: One of the top priorities for Federal agencies has been their cloud strategy. Cloud has always had a byproduct of enabling flexibility of work from a remote workforce. However, enabling remote access has become a much bigger priority during the COVID-19 pandemic. Agencies are trying to understand what the most efficient way to deploy remote access is while maintaining security and minimizing the burden on IT support. Solutions like SD-WAN that meet the unique requirements of agencies are gaining popularity.
Can you talk about risk and what it means for Federal agencies? How does it differ from industry concerns around risk?
Bob: Because the Federal government provides safety and security to the country, the stakes are much higher for Federal agencies. Most companies weigh the risk/benefit cost and make decisions based on that. The government cannot diminish risk when referring to national defense, healthcare, financial systems, etc. That said, resources are not endless, and they face fixed budgets, skilled labor availability, and competing priorities. Federal agencies must make very different and complex decisions versus the private sector.
Jim: Figuring out how much risk is acceptable and how to handle it is key. There are four broad tools for risk management — “the four T’s”:
- Treating risk (mitigation)
- Tolerating risk (acceptance)
- Terminating risk (avoidance)
- Transferring risk (via third party insurance)
Government typically only uses two of these tools—treating risk or occasionally terminating a risky activity. And while many organizations evaluate tactical/transactional risk associated with a specific activity, relatively few organizations in the public or private sectors look holistically at risk across their organization.
Aamir: Risk has always centered around the opportunity for attackers to do harm, and their intention and motivation to do so. Attackers have ample motivation to attack Federal agencies. Some of these motivations can include things such as stealing medical research, stealing employee information for blackmail or phishing, or disrupting operations in order to cause panic in the perceived stability of the government. In other words, the stakes are high for Federal agencies, and they must ensure they have secure networks, applications, and cyber policies. In addition, agencies have tough and detailed certification processes for implementing technologies to ensure they meet their internal security, business, and support policies and practices.
There are lots of mandates and guidance put out in the Federal sector for agencies to follow. How do you counsel your contacts in terms of managing these changes successfully?
Bob: We encourage agencies to simplify their operations by consolidating, integrating, and automating their security architectures. By doing so, they will reduce dependencies on human touch at every step in the security stack, and reduce cost through less training, fewer licenses, and a smaller footprint, while gaining faster diagnosis and response times. There are lots of mandates, but first and foremost we make sure agencies are following NIST (National Institute of Standards and Technology) and STIG (Security Technical Implementation Guides).
Jim: Agencies have to make choices in how they address IT modernization and cybersecurity, especially since the lengthy procurement cycle most agencies face makes it difficult for them to be on the cutting edge of technology. However, that lag in technology adoption can offer an upside, in that agencies can avoid many of the false starts and inefficiencies that come with being an early adopter, and they can move instead to solutions that have been validated and perfected through use in industry. SD-WAN is a good example of this—early versions of this capability deployed five years ago focused solely on traffic management and ignored security. Current capabilities have evolved to offer solutions that offer superior networking and strong security as an integrated capability. Because many Federal agencies face even greater challenges in recruiting and retaining a cyber-workforce than the private sector, I counsel Federal decision makers to look for solutions that offer integration and automation as ‘force multipliers’ for their staff and as ways of freeing personnel to focus on tasks requiring human judgment and skill.
Is it possible to sum up the threat landscape for Federal agencies in a few sentences?
Jim: While the private sector and state or local government may be targeted occasionally by nation-state adversaries, Federal agencies are consistently targeted by these actors, including sophisticated Advanced Persistent Threats (APT). Moreover, while the private sector is often the victim of financially-motivated crime, Federal agencies are typically targeted for theft of data—intellectual property and national security information—which is often harder to detect. Government is also responsible for unique services such as running elections which combine complex technical challenges with issues of perception and public confidence.
Aamir: Cloud attacks and application attacks are much more prevalent for Federal agencies. In other industries we are starting to see an increase in IoT attacks, but overall Federal agencies have implemented strong network access controls. However, most attackers understand that Federal agencies have many web apps and other cloud-based access. Attackers seem to be focused on phishing, and it is possible more sophisticated attackers have done reconnaissance and have targeted their phishing attacks at valuable targets. In addition, since attackers could use reverse shells and other attack methods, Federal agencies are starting to invest in cyber detection products such as deception-based products, user and entity behavior analytics, and other network-anomaly-based systems.
What is the one thing that makes Fortinet Federal different?
Bob: Fortinet has been a trusted business partner of the U.S. Federal government for years for many reasons. Fortinet has been a leader in performance, integration, and automation, which are key. In addition, Fortinet by design provides for security simplification by consolidating functions, reducing footprint, and lowering costs. We provide integrated solutions across the entire security stack, from zero trust endpoints, to data center segmentation, to seamless hybrid cloud solutions. We are not just one product or one offering, and that is value for agencies. Another aspect that is important is our commitment to third-party validation and testing. Testing of security products and solutions plays such a critical role in thwarting cybercriminals. We have the most when compared to our competitors, and that matters to customers.
Jim: The cyberattack surface is growing in breadth, and Fortinet is the only vendor with strong capabilities across the breadth of this expanding and complex environment—from network edge to core to cloud. The fact that all of Fortinet’s products and capabilities are integrated makes the effectiveness of the whole greater than the sum of the parts—and this has been demonstrated by independent third-party testing. Cybersecurity is a complex and interdisciplinary field, and Fortinet excels in disciplines as distinct as cutting-edge engineering, global threat analysis, and path-breaking AI development. All of these capabilities are available to Federal partners in a range of form factors—from physical devices to virtual services—and in consumption models ranging from zero-touch ‘plug and play’ to manual use by an agency’s security and network operations teams.
Aamir: A true differentiator of Fortinet Federal is that it is backed by FortiGuard Labs’ actionable threat intelligence. We are not just products. Our mission is to provide our customers the industry’s best threat intelligence to protect them from malicious cyberattacks. Using millions of global network sensors, FortiGuard Labs monitors the worldwide attack surface and employs artificial intelligence (AI) to mine that data for new threats.
Another aspect that I am passionate about as well is our commitment to cybersecurity training. The Fortinet Network Security Expert (NSE) Program is an 8-level training and assessment program designed for customers, partners, and employees. Fortinet has opened up our entire self-paced catalogue of advanced NSE training courses. The courses will be free for the remainder of 2020 to help address the rapidly evolving needs of organizations securing highly distributed and remote workforces.
Learn more about how Fortinet Federal helps Federal agencies efficiently protect U.S. government data and critical infrastructure against advanced nation-state threats.