Technologies like cloud computing are changing the way federal agencies think about cybersecurity, with more emphasis on network resilience over perimeter security and an overriding need for automation, officials said Thursday.
Cybersecurity today “comes down to automating your response. If you cannot automate your response [to an attack], you are hosed, you simply are hosed,” Paul Pitelli, head of information assurance at the NSA, told a panel at the 2017 McAfee Security Through Innovation Summit, produced by CyberScoop.
Automation was a continuing theme at the event, discussed as a way to address cybersecurity workforce shortages and also improve the consistency and reliability of network defenses.
Speakers drew a distinction between tasks that could be made “automatic” — where no input was required — and those that might be mundane but require some input or judgment, which could be automated with sufficiently sophisticated software.
“Have your humans work on human tasks and your computers work on computer tasks,” said Andy Brody, who is a member of the U.S. Digital Service.
The death of perimeter defense was another theme speakers reiterated at the event. Current conventional wisdom dictates that, assuming a network compromise is inevitable, defenders should concentrate on detecting hackers’ presence as quickly as possible, along with protecting the organization’s highest value data and other assets.
“We have to stop treating our networks as these walled gardens and concentrating all our defense at the perimeter because it just doesn’t work anymore,” said Brody.
But there are many challenges to reaching the end-state of a resilient network, with challenge number one being the user.
“Ease of use of authentication is very, very challenging,” said Pitelli, brandishing the Defense Department’s notorious Common Access Card, or CAC — a decade-plus old smart card system the military uses for identity authentication, both for physical access to buildings as well as network access.
Pitelli said the Pentagon was looking into a more flexible approach to identity authentication, perhaps using behavioral biometrics. “How do we let the humans do want they want to, which is use their devices,” he said.