2003-to-2023: The Same as It Ever Was
It’s been just a shade over 20 years since the first national cybersecurity strategy was released by the George W. Bush administration. At about the same time, the Federal Information Security Management Act (FISMA) was signed into law, providing a framework to protect government information and systems against threats. Much has changed since then, but the emphasis on improving our national cybersecurity and increasing organizational resilience has not; it is, frankly, “…the same as it ever was.”
As we start the momentous 20th edition of Cybersecurity Awareness Month, both as individuals and organizations, let’s quickly reflect on how we got here and what we’ve learned along the way, and review the critical things we need to do to increase and reinforce cybersecurity awareness for the safety of those around us.
HOW DID WE GET HERE
If we consider the passage of FISMA and the execution of the first national cybersecurity strategy the start of our national cybersecurity journey, it’s also noteworthy to remember it was a dramatically different time. YouTube, Facebook, and Twitter (now X) didn’t even exist. Cloud computing and digital transformation didn’t really exist either. Wow, I hadn’t really thought about that for a while. Much of the focus back then was on the explosion of mobile devices, web 2.0/3.0, ecommerce, and colocation hosting services from an infrastructure perspective. Security was often optional.
To our credit, even back then we recognized the state of increasing risk we found ourselves in with regard to sensitive government systems and data. The growth of government data itself was exploding, with new data sources continuously coming online and more and more historical data being digitized every day. A precedent of fraud and identity theft was already established in the banking and payment card industries. Organized crime, terrorist organizations, and nation-state actors were all actively taking advantage of this and exploiting the new interconnected technologies and their early adopters at will.
Since then, of course, significant progress has been made to defend against these threats. Nationally, we’ve adopted the NIST Risk Management Framework, signed multiple revisions to FISMA (2014, 2022) into law, and are utilizing FITARA more recently to assess each federal government organization’s cybersecurity effectiveness – and that’s just to name a few changes to our national cybersecurity policies. We’ve also seen the cross-agency priority goals or CAP goals, which are part of OMB’s performance management framework, accelerate information sharing and progress within government organizations.
WHAT DID WE LEARN?
There are many, many detailed lessons learned that are worthy of a mention here (e.g., passwords are bad), but I’d like to keep this short while still addressing both individual and organizational learning curves. With this in mind, perhaps the most important and critical lesson we need to take to heart now is that being…
…reactive isn’t good enough.
…proactive is required.
…predictable is where we need to be.
While great progress has been made, much more progress is required. Cyber adversaries and threat actors have continued to evolve their tactics, techniques, and procedures, often at a greater pace than we have been able to identify and adapt. Our adversaries have become much more nimble, dynamic, and creative with their attack methods – which means we must similarly adapt our defenses to stay ahead.
Let’s look at some data from 2022 that highlights the ongoing challenge (according to Okta):
- 81% of breaches leveraged either stolen and/or weak passwords
- Social attacks, such as phishing, accounted for 43% of attacks that resulted in a data breach
- 51% of data breaches involved some form of credential-stealing malware
- Phishing attacks typically compromise 1 out of 20 employees successfully
This data makes very clear there are still fundamental cybersecurity practices from 2003 that continue to require our collective and continued attention and diligence – both individually and organizationally.
WHAT DO WE NEED TO [CONTINUE TO] DO?
For government organizations that are currently executing against strategic digital transformation plans, it’s imperative, as it was in 2003, to incorporate the 2023 national cybersecurity objectives. These new priorities are additive, but they align the entire government to a proactive or even predictive posture, using analytics against current threats—defend critical infrastructure, disrupt and dismantle threat actors, drive security and resilience by investing in the future, and forge partnerships in pursuit of shared goals. These objectives, established in the 2023 National Cybersecurity Strategy by the Biden administration, guide the cybersecurity initiatives and collaboration practices of public sector organizations into the future.
Thinking about what we can do as individuals to contribute to cybersecurity generally and Cybersecurity Awareness Month in particular, and with the Talking Heads’ movie Stop Making Sense back in theaters, I’m reminded of lyrics from the song “Once in a Lifetime,” which describe our individual status as “…the same as it ever was.” Our individual contribution to cybersecurity is, well, the same as it ever was.
We can be more proactive, reinforce our own cybersecurity, and increase cybersecurity awareness by exercising and sharing the following best practices with those we care about:
- Use strong passwords and use a password manager (change passwords frequently)
- Turn on multifactor authentication (every chance you get)
- Recognize and report phishing (share your experiences with peers and family)
- Update software (always update your apps as soon as possible)
These actions continue to be the most important things we can do as individuals to improve cybersecurity. Sharing these best practices with those close to you at work and at home is an even bigger contribution – especially when sharing them throughout the entire year.
In 2023, the importance of cybersecurity is the same as it ever was: a mission imperative. Wishing you all a great Cybersecurity Awareness Month!
President & CEO