PERSPECTIVE: How Expecting Breaches Can Help Federal Agencies Combat Cyberattacks

The news is full of stories about cybersecurity breaches at all levels of government, and federal agencies are a particularly popular target. In fact, the Microsoft Digital Defense Report found that 46 percent of all nation-state cyberattacks in a one-year period were directed at U.S. organizations and 48 percent of attacks targeted government agencies.

Unfortunately, these attacks are becoming more dangerous and costly. IBM’s 2022 Cost of a Data Breach report explained that the average cost of a public-sector breach is $2.07 million. Moreover, the average time to detect and contain a breach was 277 days, driving up costs and increasing risks.

Federal agency personnel and industry experts are constantly discussing how to best protect government systems from the persistent threat of cyberattacks, especially as the attack surface widens and agencies become more vulnerable. And while there are many dimensions to the challenges organizations face, there’s no one-size-fits-all solution. However, one thing is clear: it’s time for the federal government to rethink their approach to cyberattacks and breaches with a more resilient strategy.

An Overdue Mindset Shift 

Agencies often deal with cyberattacks and breaches on an as-needed basis. When IT staff detect a breach, cybersecurity teams mobilize to block the attack and mitigate the damage. This approach was sufficient in the days when cyberattacks were a relatively infrequent problem. But today’s federal agencies are vulnerable and under constant attack.

While our defenses are designed to prevent most threats from accessing or entering government systems (think perimeter defenses, like firewalls, VPNs, etc., that try to keep bad actors out), it is an inevitable reality of our hyperconnected world that some attacks break through.

Agencies must shift their mindsets, policies, and procedures away from the impossible task of preventing all breaches from happening to also finding ways to limit the damage from successful attacks. Rather than focusing time and money solely on preventing breaches, agencies should concentrate on assuming they will occur, and containing them to prevent their spread – therefore mitigating the damage and operational fallout they can cause. Agencies must shift their mindset to “assume breach.” This will require a significant cultural change.

Agencies often focus on compliance, following the rules and ticking every box on a checklist – for example, fulfilling the requirements of the Federal Information Technology Acquisition Reform Act (FITARA) scorecard. Instead, experts advocate for a proactive approach in which agencies identify the areas where cybersecurity is the weakest and allocate resources to build resilience in that area.

This requires the federal government to invest more in capabilities like visibility upfront, so they can better understand the risks facing their infrastructure, networks, and systems, and make more educated investment decisions early on. However, today, most agencies do not identify these weaknesses until a breach has occurred. By then it’s often too late. No system is perfect; vulnerabilities exist in every organization. But if an agency has not prepared for breaches and strategized about how to contain them proactively, then that lack of preparation may lead to more drastic consequences.

Planning Ahead with a Proactive Approach

To reduce risk and build resilience to inevitable breaches, agencies must plan ahead. They need to take a more proactive approach to cyber funding, given the complex procurement and budgeting process they must manage, and commit to spending money on cybersecurity continuously. This process will never be finished. Every year, agencies should identify areas for improvement and include those in budget plans. This bakes continuous cybersecurity improvement into each agency’s culture.

Even if cybersecurity teams are not sure what they will need to fix or which solutions they will put in place, they should ensure that money is still allocated in the budget. That way, they’ll have resources available if they find a gap in their defenses – or if they must adhere to the requirements of a new mandate like the May 2021 cybersecurity executive order (EO).

In the EO, the Biden administration noted that within 60 days agency heads must “develop a plan to implement Zero Trust Architecture … and describe any such steps that have already been completed, identify activities that will have the most immediate security impact, and include a schedule to implement them.” Mandating widespread Zero Trust adoption is just one example of the government pushing for a more proactive approach to cybersecurity (CISA and the OMB have called for it too).

Zero Trust assumes that even internal network traffic cannot be trusted without prior authorization and authentication of the user and device. It’s a “never trust, always verify” approach to security. With Zero Trust tools and technologies in place, like Zero Trust Segmentation (i.e., microsegmentation), federal agencies can prevent cyberattacks from moving, isolate ransomware, and ultimately curtail operational impact and monetary losses. Zero Trust shrinks the attack surface from the start, making it easier for federal agencies to combat today’s evolving threat landscape while maximizing their budget.

While agencies have many ways to address modern cybersecurity threats, the most sustainable and resilient course of action is to be proactive. Breaches are going to happen, so assume they’re already inside your network and implement Zero Trust strategies to contain them proactively. This reduces risk and builds resilience, so that agencies can keep critical infrastructure, operations, and assets running and secure.