Hackers routinely target government websites because they’re easy prey; government agencies have been running unsecured websites for decades. For example, in June 2020, the collective known as “Anonymous” published 269 gigabytes of data stolen from 251 separate law enforcement websites.
This data dump exposed personal information belonging to around 700,000 law enforcement officers. Among the data leaked were officers’ full names, ranks, supervisors’ names, department or agency, email addresses, home addresses, cell phone numbers, and more.
For some reason, cybersecurity hasn’t been a priority even for websites connected to databases holding sensitive information. However, all that’s about to change with the Cybersecurity Executive Order of 2021.
The Cybersecurity Executive Order of 2021 requires tougher security
The U.S. federal government has finally had enough of hackers attacking federal IT systems and supply chains. President Joe Biden has released an executive order detailing requirements for sharing data online with a focus on Zero Trust architectures.
One particularly interesting part of the executive order is the requirement for federal agencies to begin moving to the cloud within 60 days. Within 180 days, federal agencies must employ multi-factor authentication (MFA) and end-to-end encryption for all data.
This move makes sense, considering most hackers exploit vulnerabilities that are easily eliminated using MFA and encryption. It’s about time the federal government started taking cybersecurity seriously. However, agencies will face challenges along the way.
What is cloud security?
In general, cloud security is a collection of internal policies, procedures, configurations, hardware, and software that secures cloud environments to protect data and systems from hackers.
Although many cloud hosting environments and cloud-based providers are secure, cloud security isn’t automatic. Each federal agency will need to understand how the shared responsibility model works. For example, Box.com explains that most data breaches result from stolen credentials or a customer misconfiguration. The customer has a responsibility to configure servers, databases, and account settings to make a cloud application or environment secure.
With a shared responsibility model, the customer (federal agencies in this case) is responsible for the following:
- Classifying assets as private, public, shareable to anyone with a link, or shareable only to specific users.
- Enabling multi-factor authentication (MFA).
- Configuring encryption options.
- Applying appropriate permissions to files, folders, admin accounts, moderator accounts, and user accounts.
- Creating and enforcing an internal IT security policy built on cybersecurity best practices, such as not sharing passwords and banning the use of personal devices to access the company network.
A federal agency’s level of security is only as effective as its configurations and enforcement of policies. Requiring federal agencies to adopt the Zero Trust architecture will result in fewer data breaches. However, it’s up to each agency to move forward with the requirement.
What is a Zero Trust architecture?
Zero Trust architecture (ZTA) is exactly what it sounds like – the elimination of trust from network architecture. ZTA involves:
- Segmenting networks to prevent unauthorized access by curious employees
- Employing automated threat detection
- Enabling multiple forms of user verification and authentication
- Tightly controlling user access to network segments, account settings, files, and folders
ZTA is quite involved and isn’t something an organization can enable in a day. Federal agencies will need to hire an IT security professional to move to a ZTA. This means spending money, but it’s a worthy expense. Federal agencies should spare no expense when it comes to protecting their data.
Will federal agencies comply with the executive order? Probably – but not right away
Government agencies are known to drag their heels on due dates and deadlines. Despite the 60- and 180-day deadlines, there is reason to believe the transition to ZTA will take time to complete. Some organizations will likely put things off for a while, either to see how others do it or to see how much time they can buy.
Most federal agencies aren’t all that tech-savvy and rely on IT personnel to manage everything tech-related. This transition will be no different. Unless there’s an IT tech on the team pushing management to make the required changes, agencies likely won’t have any motivation to jump on the task.
The solution to reducing federal data breaches has been mandated, and it’s up to each agency to comply. With no threat of real consequences for not complying within the time limits, we probably won’t see a full federal transition to a secure cloud environment for several years. This means we can expect law enforcement and other government websites to continue getting hacked – at least for a little while.