In ways yet to be seen, cybersecurity has already affected the “agency of the future.” Today, the world is interconnected like never before. As a nation, we must work collaboratively to ensure that cyber defense strategies are robust and effective to secure our way of life.
President Obama said during remarks at the White House, “the cyber threat is one of the most serious economic and national security challenges we face as a nation” and that “America’s economic prosperity in the 21st century will depend on cybersecurity.”
Throughout his tenure, President Obama has directed agencies to conduct a thorough analysis of the Federal Government’s efforts to protect data, information, communication and critical infrastructure. Often, we forget that every day Americans rely on cyber defense for our economic viability and security.
Cyber includes much more than just our personal identity and social security numbers. Every day, cyber defense is used to protect:
Broadband networks
Information networks that power business, hospitals and schools
Critical infrastructure
Classified government intelligence and documents
http://www.govloop.com/profiles/blogs/the-govloop-guide-winning-the-cybersecurity-battle
2. 1. A G E N C Y O F T H E F U T U R E
T A B L E O F C O N T E N T S
3E X E C U T I V E S U M M A R Y
T H E R E S U L T S O F T H E G O V L O O P
C Y B E R S E C U R I T Y S U R V E Y
T U R N I N G T H E O R Y I N T O P R A C T I C E :
M I C H I G A N ’ S T R A N S F O R M A T I V E C Y B E R S E C U R I T Y
S T R A T E G Y
T H E I M P O R TA N C E O F A S S E S S I N G Y O U R
I T E N V I R O N M E N T
P R O T E C T I N G O U R N A T I O N : A N O V E R -
V I E W O F T H E F E D E R A L G O V E R N M E N T ’ S C Y B E R S E C U -
R I T Y W A R
6
12
15
18
3. 2.C Y B E R S E C U R I T Y
1 9 M E T R I C S T O T R A C K Y O U R
C Y B E R S E C U R I T Y E F F O R T S
P R I V A T E S E C T O R S O L U T I O N S
F O R F E D E R A L G O V E R N M E N T
C Y B E R S E C U R I T Y
8 W A Y S T O M I T I G A T E R I S K S
Y O U R C Y B E R S E C U R I T Y C H E A T
S H E E T
A B O U T G O V L O O P
20
21
24
29
31
4. 3. A G E N C Y O F T H E F U T U R E
This “Winning the Cybersecurity Battle” report is
part of GovLoop’s Agency of the Future series, which
explores the latest trends shaping government in the
next 3-5 years. In ways yet to be seen, cybersecurity
has already affected the “agency of the future.” Today,
the world is interconnected like never before. As a
nation, we must work collaboratively to ensure that
cyber defense strategies are robust and effective to
secure our way of life.
President Obama said during remarks at the White
House, “the cyber threat is one of the most serious
economic and national security challenges we face as
a nation” and that “America’s economic prosperity
in the 21st century will depend on cybersecurity.”
Throughout his tenure, President Obama has direct-
ed agencies to conduct a thorough analysis of the
Federal Government’s efforts to protect data, infor-
mation, communication and critical infrastructure.
Often, we forget that every day Americans rely on
cyber defense for our economic viability and security.
Cyber includes much more than just our personal
identity and social security numbers. Every day, cyber
defense is used to protect:
„„ Broadband networks
„„ Information networks that power business, hospi-
tals and schools
„„ Critical infrastructure
„„ Classified government intelligence and documents
C Y B E R S E C U R I T Y :
W I N N I N G T H E
C Y B E R S E C U R I T Y B A T T L E
A G E N C Y O F T H E F U T U R E
E X E C U T I V E S U M M A R Y
5. 4.C Y B E R S E C U R I T Y
This report provides an overview of the current cy-
bersecurity landscape and the ‘need to know’ cyber
information for government professionals. This re-
port includes:
Results from 156 Public Sector Employees: This
survey finds that 84% of respondents see cyberse-
curity as a priority for their agency in the next 3-5
years.The trend cannot be overlooked; cybersecurity
is now a mission critical practice within an agency.
Additional findings include:
„„ 90 percent of respondents do not believe their
agencies are fully prepared for a cyber attack.
They cited the ever-changing nature of cyber
threats, as well as inadequate staffing and training
as primary obstacles for preparedness.
„„ 49 percent of respondents cited phishing as the
largest threat to cyber security at their agency.
„„ 22 percent of respondents could not accurately
assess the cybersecurity systems and policies of
their agencies.
Interview with Dan Lohrmann – Chief Information
Security Officer, Michigan: Lohrmann shares his ex-
perience and expertise keeping Michigan safe through
innovative practices, such as the Michigan Cyber
Range and improved training methods for state em-
ployees.
Overview of Federal Government Cybersecurity
Landscape: This section provides an overview of
some of the efforts by the Obama Administration and
highlights key findings from a recent GAO report.
Industry Perspectives: This report also includes
three interviews with industry experts, highlighting
how industry is assisting government in keeping in-
formation and data safe.
Cybersecurity Cheat Sheet: Our cheat sheet will
provide you with a synopsis of the guide, and the
need to know cybersecurity information.
The agency of the future will revolve around con-
solidating and integrating IT systems and connecting
disparate data sets to improve decision-making. Ad-
ditionally, the agency of the future will be rooted in
data, cloud and mobile technology.With these trends
shaping the public sector, the need is clear to adopt
robust security protocols. This report is your first
step to winning the cybersecurity battle.
I N A G O V L O O P S U R V E Y O F 1 6 7
P U B L I C S E C T O R E M P L O Y E E S ,
8 4 % S A I D C Y B E R S E C U R I T Y I S A
P R I O R I T Y F O R T H E I R A G E N C Y I N
T H E N E X T 3 - 5 Y E A R S .
6.
7. 6.C Y B E R S E C U R I T Y
With the digitization of documents, increased Inter-
net access to public information, and data storage in
the cloud, government resources have become more
convenient and accessible for citizens and public sec-
tor professionals. Yet, the increased access has also
led to valuable data becoming vulnerable to those
seeking to breach government security.
Recently, GovLoop conducted a survey of 167 gov-
ernment and industry professionals on their agency’s
approach to cybersecurity. Respondents represent-
ed federal agencies, such as the U.S. Department of
State, the U.S. Department of Commerce, local and
state government agencies from Montana, New York,
and Idaho, as well as private sector professionals.The
survey focused on the critical issue of cybersecurity
and what agencies are doing (and, in many cases, not
doing) to address cybersecurity concerns.
WHAT IS YOUR BIGGEST
CHALLENGE WITH
CYBERSECURITY?
The survey asked respondents to identify their big-
gest cybersecurity challenge (See Figure 1). Respon-
dents could choose from inadequate funding, inad-
equate training, increased sophistication in threats,
high volume of attacks, an agency’s failure to make
cybersecurity a priority, or emerging technology.The
survey found:
„„ 30 percent of respondents identified sophistica-
tion of threats as their biggest concern.
„„ 21 percent of respondents cited staffing and
training as a challenge.
„„ 11 percent of respondents identified thats cyber-
security not a big enough priority within agency.
T H E R E S U L T S O F
T H E G O V L O O P
C Y B E R S E C U R I T Y
S U R V E Y
8. 7. A G E N C Y O F T H E F U T U R E
In addition, respondents were able
to add comments on how to im-
prove cybersecurity in a unique
government culture. One respon-
dent said, “Overzealous IT ad-
ministrators put unfriendly user
controls on programs, driving em-
ployees to work around security
systems, instead of supporting the
systems.” Recognizing these chal-
lenges, 84% of respondents believe
cybersecurity will be very impor-
tant in the next 3-5 years.
WHAT IS YOUR
AGENCY’S LEVEL
OF PREPAREDNESS
FOR ATTACK?
The survey also asked respondents
to rate their agency’s prepared-
ness for a cyber attack. Accord-
ing to our results, agencies have
an opportunity to make significant
strides to be prepared in the event
of an attack (See Figure 2):
„„ 8 percent of respondents said
their agencies are not at all
prepared for a cyber attack.
„„ 10 percent of respondents said
their agencies were fully pre-
pared for a cyber attack.
„„ 22 percent of respondents
admitted they did not know
enough to provide an answer,
showing a lack of awareness of
cybersecurity issues.
„„ 60 percent of respondents be-
lieve their agencies are either
moderately (30 percent) or
somewhat (30 percent) pre-
pared for a cyber attack.
WHAT TYPE OF
CYBER ATTACKS
CONCERNS YOU
MOST?
The survey also explored the kinds
of cyber attacks that most con-
cerns agencies. Respondents could
choose from cross-site scripting,
denial of service, phishing, distrib-
uted denial of service, logic bombs,
and structured query language in-
jection (See Figure 3). Forty nine
percent believe phishing (obtain-
ing a user’s personal information
by posing as a trustworthy entity)
is the attack that poses the highest
risk. As agencies focus on where
to begin in improving cybersecuri-
ty, clearly phishing should be a pri-
ority. For those that said “other,”
many wrote they have “no idea”
or simply “don’t know” which at-
tacks pose the highest threat.This
What is your biggest challenge with cybersecurity?(Figure 1)
What is Your Agencies Level of Preparedness? (Figure 2)
Inadequate
staffing and
training
Emerging
technology
increases risks
Limited funding
to provide
protection
Not a big
enough priority
within agency
Speed, number
and consistency
of attacks
30% 21% 12%12% 11% 4%
Growing
sophistication
of threats
Moderately
prepared to combat
an attack
Somewhat
prepared to combat
an attack
Fully
prepared to combat
an attack
Not
prepared to combat
an attack
8%10%22%30%30%
Unknown -
I am unable to
make an appropriate
assessment
9. answer adds to a general trend in
the results of this survey: a lack of
awareness about important cyber
security issues and initiatives.
Hackers may operate alone or in
very small groups. Additionally,
hackers can be part of foreign na-
tions’ military efforts, in which na-
tions organize widespread hacking
operations as part of their na-
tional security strategy. Agencies
may have a hard time prosecuting
the culprits and must focus on the
kind of security that would pre-
vent an attack, instead of trying to
take legal action later.
What Type of Cyber
Attacks Concern You
the Most? (Figure3)
Who is Conducting the
Attacks? (Figure4)
49%
49%
38%
27%
27%
26%
19%
16%
14%
11%
10%
6%
Viruses
Phishing
Trojan Horses
Denial -
of - service
Worms
Distributed
Denial - of - service
Other
Cross -
site scripting
Structured Query
Language injection
Passive
wiretapping
Logic bombs
Wardriving
Phishing
60%
48%
44%
44%
40%
35%
34%
28%
21%
21%
13%
10%
Hackers
Spyware or
malware authors
Criminal groups
Phishers
Nations
Spammers
Terrorists
Bot - Network
operators
Insiders
International
corporate spies
Other
Business competitors
Survey in Review
To overcome some of the chal-
lenges presented by the survey, the
GovLoop survey finds that cyberse-
curity is a critically important field
that will benefit from increased
collaboration and implementation
of best practices. The key findings
from our survey include:
„„ 90 percent of respondents do
not believe their agencies are
fully prepared for a cyber attack
and named the ever-changing,
ever-challenging nature of cyber
threats as well as inadequate
staffing and training as the big-
gest obstacles standing in the
way of full-preparedness.
„„ 84 percent see cybersecurity as
a priority for their agency in the
next 3-5 years.
„„ 49 percent of respondents cited
phishing as the largest threat to
cyber security at their agency.
„„ 22 percent of respondents
could not accurately assess the
cybersecurity systems and poli-
cies of their agencies.
Cybersecurity initiatives are es-
sential to protect critical infra-
structure, identities and confiden-
tial government data.Agencies can
no longer afford to take a reac-
tive stance to cybersecurity; they
must continue to become more
proactive, ahead of the trends and
one step ahead of attackers. Our
report continues to provide an
overview of the government land-
scape, and how agencies can stay
secure in a quickly changing threat
environment.
10. How Will Cyber Security Shape the Agency of the Future?
In the next three to five years,
cybersecurity will remain the
key focus for government agen-
cies. As cloud computing and
mobile technologies are adopt-
ed, agencies must pay close at-
tention to their security efforts.
The ability to proactively stop
and mitigate cyber attacks is a guiding principle for
the agency of the future.
Chris Daly, Lead Business Program Manager and
Solutions Architect for Data Centers Security and
Switching at Juniper Networks, shared expert in-
sights on how cybersecurity will shape the future
of government. Daly noted, “Attacks are becoming
much more visible and pervasive. Before, attacks re-
sembled single skirmishes between an attacker and
a single target. Now there are full attack campaigns,
with well thought out strategies and tactics, mul-
tiple targets, and specific goals by attackers.” Daly
cautioned that sophisticated attacks will continue
to grow in complexity, and in the next three to five
years, agencies must consider significantly new ap-
proaches to address these complex threats.
Agencies will not only be tested by more perva-
sive and complex threats, but they also will face the
prospect of additional cyber legislation. Potential
legislation will mandate specific actions in regards
to cyber defense strategies. “Cybersecurity will
become one of the must-haves and agencies face
the reality of cyber security legislation coming out
within the next three to five years as well. There’s
no way it can be avoided,” noted Daly. President
Obama’s recent Executive Order provides a step in
the right direction, yet legislation is still needed to
address private and public sector requirements for
cyber initiatives.
Although threats persist and agencies face the
prospects of additional cyber mandates, agencies
can still mitigate risks by taking the proper secu-
rity measures. One of the first steps to improved
security is defining the kinds of attacks that exist
and the threats to the agency.As Daly identified,“At
Juniper Networks we have defined two major types
of attacks - what we call the ‘outside-in attacks’ and
‘inside-out attacks.’ Essentially, an outside-in attack is
when an attacker focuses on the web resources of
a data center as the target, and we are seeing a lot
more of those attacks as a result of poor coding and
web security designs.” An inside-out attack is where
a user endpoint is targeted by a remote attacker. So-
cial engineering techniques and weak endpoint de-
fenses have made these attacks easier to succeed,
and the exploited endpoints are used to launch at-
tacks on enterprise resources.
To prevent these attacks from happening, Daly rec-
ommended a few best practices as a starting point.
Daly recommended the following steps as starting
points:
„„ Stay current with the NIST report 800-53r4 and
recommended controls.
„„ Identify and continuously monitor the devices, us-
ers and access points on your network.
„„ Learn about your vendor partner roadmap and
product feature sets.
„„ Be a prudent early adopter of new technology
that can address some of the new complex threats
that are emerging.
Finally, Daly indicated the importance of communi-
cation. “One example that comes to mind in terms
of showing the importance of communication is that
a customer may ask about a capability, not realizing
that a feature set was already included in a product
they had,” said Daly.“It’s important to get that educa-
tion, and go deep with your vendor partners as you
try to address new requirements.” Undoubtedly, the
agency of the future will be defined by a proactive
approach to cybersecurity efforts.
An expert interview with Chris Daly, Lead Business Program Manager and Solutions Architect for
Data Centers Security and Switching, Juniper Networks
13. 12.C Y B E R S E C U R I T Y
T U R N I N G T H E O R Y
I N T O P R A C T I C E :
In an effort to improve cybersecurity programs, the
State of Michigan launched a robust cyber strategy in
2011.The strategy included improved training meth-
ods for employees and created the Michigan Cyber
Range.These initiatives were created in the State of
Michigan as government leaders recognized the ur-
gency and importance of a properly defined cyberse-
curity strategy.
As multiple IT systems power government service
delivery, agencies are exposed to more risks. Rogue
cloud use by agency employees, too much reliance
on vulnerable mobile apps, and a lack of understand-
ing of what is on agency’s networks have exposed or-
ganizations to increased cyber risks. “Cybersecurity
is vitally important in everything we do. Technology
is an integral part of Governor Snyder’s plan and his
whole strategy as governor is to enable efficiency
using technology,” said Lohrmann.
OVERVIEW OF THE MICHIGAN
CYBERSECURITY STRATEGY
In this report, Dan Lohrmann, Chief Security
Officer, State of Michigan, shared his expertise
as a leader in cybersecurity defense.
M I C H I G A N ’ S T R A N S F O R M A T I V E
C Y B E R S E C U R I T Y S T R A T E G Y
Prevention: take proactive steps to keep an event
from occurring.
Early Detection and Rapid Response: to discover
attacks early and respond quickly to minimize risks.
Control, Management and Restoration: take appro-
priate steps to minimize damage and quickly return
to normal operations if an attack occurs.
Under Lohrmann’s leadership, Michigan has become
a national leader in cyber defense.The cybersecurity
strategy developed in 2011 by the State of Michigan is
published at michigan.gov/cybersecurity, and is
available for download. This strategy is a must read
for any security professional working in government.
Specifically, Michigan’s cyber strategy addressed:
14. 13. A G E N C Y O F T H E F U T U R E
In addition, the strategy includes
three distinct sections. Part I de-
fines cybersecurity in the State of
Michigan, which is built on three
pillars:
Confidentiality:ensurethatprivate
information remains private.
Integrity: make sure that govern-
ment data is complete, whole and
defensibly sound.
Availability: make information se-
curely available to those who need
access.
The cyber plan also includes sec-
tions on Michigan’s cyber response
strategy and Michigan’s unique cy-
ber industry opportunity. “We’re
about halfway through that plan
now. It involved many components
and we’ve taken many steps,” not-
ed Lohrmann.
Across all levels of government,
one of the main concerns by Chief
Security Officers (CSO) is the lack
of training for employees. Michigan
has proactively offered cyber train-
ing. Beyond providing resources
and training to state employees,
cyber training and resources are
available to contractors, local
government officials, businesses,
homes and families. Each of these
stakeholder groups can access on-
line toolkits tailored specifically to
meet their cyber needs.
TRANSFORMING
CYBERSECURITY
TRAINING: THE
MICHIGAN CYBER
RANGE
Within the state government,
Lohrmann led an initiative to
transform how the state conducts
cyber training.“Every CIO will tell
you that training is important. But
to give you an example, we’ve re-
ally overhauled our whole training
approach.We basically threw away
our whole training. It was not ef-
fective. It was not working. It was
death by PowerPoint.”
„„ Michigan created a new, in-
teractive training opportunity
through informative videos
around core topics. Initially,
the training program included
about 5,000 people, but has
now grown to well over 45,000
employees. “We’ve gotten fan-
tastic feedback - employees say
they love it. It’s just been a huge
success, a totally different ap-
proach,” said Lohrmann. Some
of the training topics include:
„„ Understanding Security at
Work
„„ Employee Responsibilities
„„ Confidential Information
„„ Password Security
„„ Workstation Security
„„ Physical Security
„„ Common Threats and Viruses
„„ Mobile Worker Challenges
„„ Internet Access at Work
The challenging part of cyber
training is that effective training
requires tailored information for
each employee. To overcome this
obstacle, Michigan has launched
the Cyber Range, which is de-
signed specifically for cybersecu-
rity professionals. “It’s a research,
development and test environ-
“ AT TA C K S R A N G E T H E F U L L G A M U T : E V E R Y T H I N G
F R O M W E B - B A S E D AT TA C K S T O P E O P L E
S C A N N I N G O U R N E T W O R K S T R Y I N G T O F I N D
H O L E S I N T H E P E R I M E T E R , ” S A I D D A N L O H R M A N N ,
“ S TAT E O F M I C H I G A N C S O .
15. 14.C Y B E R S E C U R I T Y
ment, a leading edge, team training
for technology professionals. We
are providing really good training
for not just government staff, but
also partnering with the private
sector. We’ve had a lot of private
critical infrastructure protection
operators involved in the Cyber
Range,” said Lohrmann.
The Michigan Cyber Range is a fas-
cinating initiative to stay in front
of attackers. Like a shooting range,
the Cyber Range allows organiza-
tions to conduct “live-fire” exer-
cises in a controlled environment.
These simulations are tailored to
the participants and used to un-
derstand a variety of situations.
The Range conducts cyber train-
ings for groups or individuals, and
participants learn strategies fo-
cused on protecting:
„„ Critical infrastructure defense
„„ Homeland security
„„ Criminal justice and law en-
forcement
„„ Information Communications
Technology (ICT) and related
industry academic and educa-
tional programs and curriculum
„„ Private sector entrepreneurial,
small and medium business sec-
tors
The Cyber Range model is a great
exercise to collaborate and share
information across sectors.
PERSISTENT AND
EVOLVING THREATS
REMAIN FOR STATE
GOVERNMENTS
Although Michigan has taken a
robust approach to their cyber
defense strategy, Lohrmann em-
phasized they are still at risk.
Lohrmann said,“Attacks range the
full gamut: everything from web-
based attacks to people scanning
our networks trying to find holes
in the perimeter.”
In particular, this year Lohrmann
has noticed an uptick in spear
phishing. Spear phishing is an e-
mail spoofing attack that attempts
to retrieve unauthorized access
of data and information. For in-
stance, a spear phishing attack may
solicit personal information from
a specific (often senior) official
within an organization. Instead of
a mass e-mail to everyone in an
organization, it may be directed
at the CEO asking them by name
to open an attached file or click
a link. In Michigan, Lohrmann ex-
plained they have seen four spear
fishing attacks this year. In each
case, employees received a simple
email that attempts to obtain un-
authorized access to IT systems.
“We had a number of emails sent
that were very simple and said
things like, ‘Your email box is full.
Click here and we’ll take care
of it for you at the help desk.’ In
some cases, the more simplistic,
the more powerful.This is because
the email used words like SOM.”
In Michigan, SOM is used internally
to abbreviate State of Michigan. In
this instance, the attacker used
specific language to target their
attack.Although the attack was ul-
timately thwarted, the spoofing ef-
fort is still a powerful temptation
for employees.
During one spear phishing attack,
2,500 employees received the
email and another 156 fell victim
to the attack. After clicking, the
156 employees were asked for
their credentials used to login to
government resources. “The at-
tacker knew that once they had
those credentials, they could then
use that data to then go after the
databases and go after the bigger
fish.”
Thankfully, Lohrmann’s team was
able to prevent any data loss and
breach of systems from this at-
tack. He noted that these attacks
are becoming much more sophis-
ticated. “Never before have we
had that amount of dedicated
spear phishing in the state,” said
Lohrmann.
MICHIGAN CYBER
SUMMIT: ANOTHER
PROACTIVE STEP
TO THWART
THREATS
The State of Michigan has hosted
two Cyber Summits. The Summits
have included cybersecurity tracks
on business, education, home us-
ers/families, law enforcement and
government. Although work will
always remain, Michigan has taken
authoritative steps to maintain se-
curity in a dynamic environment.
16. 15. A G E N C Y O F T H E F U T U R E
The Importance of Assessing Your IT Environment
Jen Nowell, Director of Strategic
Program,US Public Sector,Syman-
tec, provided her expert insights
on the state of cybersecurity in
government. Nowell described
the importance of agencies con-
ducting a thorough analysis of
the risk and vulnerabilities of an
agency’s network. This has become especially impor-
tant, as the threat landscape for agencies is growing
more sophisticated. “As threats continue to grow in
complexity, the old approach of being reactive is re-
ally no longer effective,” said Nowell.“There has been
an increase in sophistication and highly-targeted at-
tacks are on the rise. Federal organizations’ data are
good targets for attackers.”
Employees and agencies are now deploying dozens
of devices, approved and unapproved on public sec-
tor networks. This dynamic has challenged agencies
to retain visibility on their networks. Everything from
mobile phones, printers, routers and switches or any-
thing with an IP address, may potentially lead to a
security threat. In light of this changing reality, Nowell
cites three key action steps for agencies:
1. BROADEN YOUR
AWARENESS
To combat this growing sophistication of threats,
agencies must gain broader awareness of the risks
on their networks. Nowell suggests that agencies
may not have the tools in place to adequately un-
derstand their assets and security environment. “In
a lot of agencies, devices will come online that they
are not aware of. If they have a way to easily assess
at any point in time when new systems come online,
whether it’s hardware or software, that’s a good start.
Then administrators can start to assess what their
baseline is and watch for new vulnerabilities coming,”
said Nowell.
2. MAKE AN ASSESSMENT
In order to improve security, agencies need to start
by assessing the network and understanding who and
what is accessing the network. Nowell explained that,
“agencies need to start by understanding what their
assets are and then work to understand, ‘what is my
normal?’ Then explore what the deviations are from
the normal baselines. Ultimately, this gives value back
to the organization.”
3. INVOLVE SECURITY
PERSONNEL
“The security officer must also have a seat at the
table. Security officers can explain how assuming risk
here will create trade-offs for the agency,” said Now-
ell. Her comments reaffirmed the importance of two
important stages in building a robust security system:
„„ Increased visibility through asset discovery:
Agencies must validate users and identify the
point of entry for security.
„„ Management of devices and assets on a network:
Government agencies must correct misconfigured
devices and keep security patches updated. This
will help them be proactive and take action to as-
sure any compliance with policy to reduce risks.
Nowell identified additional challenges that revolve
around a quickly changing landscape. In particular,
Nowell identified mobile security as a challenge, “We
now have to look for vulnerabilities coming from [mo-
bile] devices coming online. So when we think about
a security program, you need to understand your en-
tire environment. Agencies really need to make sure
they have a handle on their environment before they
know what their standard baseline should look like.”
By conducting a thorough assessment of a network,
agencies can work towards building stronger secu-
rity protocols, and can help keep information secure.
Agencies are facing more sophisticated threats than
ever before, but by being proactive and working to
spot vulnerabilities and risk, they can mitigate the
growing risks.
19. 18.C Y B E R S E C U R I T Y
P R O T E C T I N G O U R
N A T I O N :
Michigan is not alone in its efforts to update its cy-
bersecurity strategy. At the federal level of govern-
ment, the need for improved security is clear as well.
The U.S. Computer Emergency Readiness Team (U.S.
CERT) reported that number of incidents reported
by federal agencies has increased 782 percent from
2006 to 2012.
Gregory Wilshusen recently spoke with Chris
Dorobek on GovLoop’s daily podcast, the DorobekI-
NSIDER, about these growing attacks. Wilshusen is
the Director of Information Security Issues at the
Government Accountability Office (GAO) and was
the main author of the report, “National Strat-
egy, Roles, and Responsibilities Need to Be Better
Defined and More Effectively Implemented.” Like
Lohrmann, Wilshusen called attention to the chal-
lenging threat landscape for federal agencies:
“We are in a constantly changing environment. So
you have trade-offs. Businesses and agencies are also
adding new technologies all the time, like cloud com-
puting or mobile devices. Sometimes the implemen-
tation of these devices precedes the development of
effective security controls over those technologies.
So while those newer technologies can provide a lot
of benefits, if the security is not appropriately con-
sidered and implemented it can introduce risk to the
organization.”
Wilshusen’s comments fall closely in line with vari-
ous mandates and strategies created by the Obama
Administration. On February 12, 2013, President
Obama released the Executive Order, Improving
Critical Infrastructure Cybersecurity. This Executive
Order was a reminder that too often cybersecurity
is described solely as identity theft or stolen credit
card numbers.
The executive order specifically focuses on critical
infrastructure, which the executive order defines:
“As used in this order, the term critical infrastruc-
ture means systems and assets, whether physical or
virtual, so vital to the United States that the inca-
pacity or destruction of such systems and assets
would have a debilitating impact on security, national
economic security, national public health or safety,
or any combination of those matters.” Specifically,
O V E R V I E W O F T H E F E D E R A L
G O V E R N M E N T ’ S C Y B E R S E C U R I T Y W A R
20. 19. A G E N C Y O F T H E F U T U R E
the report defines critical infra-
structure as broadband networks,
power grids, financial data, hospi-
tals, schools, and dozens of other
services.
With this Executive Order, Presi-
dent Obama has made it readily
clear that cybersecurity is a vital
part of our national and economic
priorities. In a fact sheet provided
by the White House, the Adminis-
tration provides six focus areas:
„„ Development of a descrip-
tion of the functional relation-
ships within the Department of
Homeland Security and across
the Federal Government re-
lated to critical infrastructure
security and resilience within
120 days.
„„ Completion of an assessment
of the existing public-private
partnership model and recom-
mended options for improv-
ing the partnership within 150
days.
„„ Identification of baseline data
and systems requirements for
the Federal Government to en-
able efficient information ex-
change within 180 days.
„„ Development of a situational
awareness capability for critical
infrastructure within 240 days.
„„ Update the National Infrastruc-
ture Protection Plan within 240
days.
„„ Completion of a national criti-
cal infrastructure security and
resilience research and devel-
opment plan within 2 years.
Across the federal government,
agencies have been reforming their
security policies to comply with
Presidential Directives and man-
dates. In particular, the Depart-
ment of Defense has taken signifi-
cant steps to improve their cyber
defense. In 2011, the Department
of Defense named cyberspace a
new domain of warfare. Just like
our military protects us from
physical threats, cyber programs
are being developed to fight to
secure our personal information,
data and critical infrastructure.
One example is US Cyber Com-
mand (USCYBERCOM). “US-
CYBERCOM plans, coordinates,
integrates, synchronizes, and con-
ducts activities to: direct the op-
erations and defense of specified
Department of Defense informa-
tion networks and; prepare to, and
when directed, conduct full-spec-
trum military cyberspace opera-
tions in order to enable actions in
all domains, ensure US/Allied free-
dom of action in cyberspace and
deny the same to our adversar-
ies,” states the website. Additional
Department of Defense cyber de-
fense programs include:
Army Cyber Command
Navy Cyber Forces
Air Forces Cyber / 24th Air Force
Although the federal government
and the armed forces have made
great strides in cybersecurity ef-
forts, there will always be new and
emerging threats to critical infra-
structure and IT systems. Govern-
ment agencies must continue to
take the lead in advising cyberse-
curity policy and staying one step
ahead of the attackers.
21. 20.C Y B E R S E C U R I T Y
19 METRICS TO TRACK YOUR CYBERSECURITY EFFORTS
The steps taken by the federal government are just starting points, and much work is yet to be done to improve the
security of IT systems, data and critical infrastructure. Jim Richmann, Study Director of Cybersecurity Research, In-
stitute of Defense Analyses, recently spoke during a GovLoop webinar, Combating the Cyber Landscape. Richmann’s
presentation focused on how agencies can establish cyber metrics to improve security strategies. Prior to identifying
potential metrics for agencies to adopt, Richmann provided an overview of the foundational elements needed to create
metrics at an agency. Four areas he focused on were:
In the presentation, Richmann identified 19 potential metrics for agencies to use, but cautioned that agencies must
tailor their metrics to meet their needs.The examples he presented were:
1. Percentage of source traffic covered by foundational cyber defense assets in DMZs
2. Currency of enterprise virus signatures
3. Percentage of client systems that have current enterprise virus signatures
4. Percentage of desktops with automated patching
5. Percentage of desktops with automated integrity checking
6. Volume of traffic blocked at border router (segmented by type)
7. Blocked port scan volume at border router
8. Currency of firmware patches for foundational cyber defense assets
9. Known zero day export exposure (publicly known)
10. Uptime and availability for assets
11. Number of cyber attacks that are detected:Viruses, spam, phishing attacks, etc.
12. Assets not patched to current standard
13. Firmware not updated to enterprise standards
14. Assets failing integrity check
15. Non-standard software installations detected
16. Known zero-day exploit exposure (publicly known)
17. Currency of required administrator training
18. Vulnerability scan statistics
19. Source code scan results (where available and applicable)
Cybersecurity is only effective when agencies can baseline and measure success. In order to do so, agencies must
place an emphasis on defining metrics that fit organizational need, and work diligently to identify risks, assess vulner-
abilities and create a robust set of metrics to measure success.
Understand Your Cybersecurity Foundation: This foundation includes hardware and software assets, including, rout-
ers, switches, physical point-to-point circuits, SANs, management tools, satellite links and wireless hubs.
Know Your Dedicated Defense Assets: These assets are designed only to provide cyber defense. These elements in-
clude enterprise virus scanning software, intrusion detection systems, firewalls and PKI.
Identify Your Unique Cyberspace Assets: These assets exist only in cyberspace. Some examples include end-user
hardware clients, application servers, web servers, mobile devices, web servers, ERP systems, printers, scanners and
application software.
Assets that Leverage Cyberspace: These assets utilize cyberspace, but their primary existence and function is in other
domains. Some examples include weapons systems, related platforms, support systems and infrastructure.
22. Private Sector Solutions for Federal Government Cybersecurity
Today’s IT landscapes exerts tremendous pressures on
government entities to secure information. Response to
this imperative is coming under scrutiny from the high-
est levels of government. Dell’s Connected Security strat-
egy provides end-to-end security solutions to secure data
from the end point, through the data center, and into the
cloud. For example, Dell and Intel have collaborated in
developing one of the most secure tablets for government
agencies, the Latitude 10 ES.
The Latitude 10 tablet, is powered by the dual core Intel®
Atom™ processor Z2760. The Intel® Atom™ processor
Z2760 delivers the hardware, authentication, data protec-
tion, tracking and recovery security features that meet the
stringent security needs for government agencies. Some
security features include:
„„ Dell Data Protection Security Tools, providing an inte-
grated end point security management suite that utiliz-
es the fingerprint and smart card reader in the Latitude
10 as well as third-party security devices.
„„ Trusted Platform Module (TPM) 1.2 hardware to allow
networks to check device integrity and to assign full
trust.
„„ Microsoft® BitLocker Drive Encryption.
„„ Computrace Support for stealth tracking software to
allow the recovery of lost or stolen devices.
„„ A Noble Lock slot for added hardware security.
„„ The Latitude 10 is currently the only tablet in the mar-
ket that provides dual-authentication of Windows 8.
In a special government edition of Dell Power Solutions
Magazine, Scott Stevens, Senior Security Strategist, and
Robert Slocum, Senior Marketing Strategist for Security
and Mobility Solutions, build on Dell and Intel’s security
focus, exploring how the federal government has priori-
tized cybersecurity. The Comprehensive National Cyber-
security Initiative (CNCI) signed by President Obama in
2008 as well as the February 2013 Executive Order 13636,
Improving Critical Infrastructure Cybersecurity, mandate
calls for enhancing the security and resiliency through vol-
untary, collaborative efforts between the commercial civil-
ian community, technology venders and service providers,
and federal agencies.
Adapted from the 2013 Government Special Edition of Dell Power Solutions
CHALLENGE: CREATING
COMPREHENSIVE SECURITY
The goal of the CNCI is to enhance “situational aware-
ness of network vulnerabilities, threats and events within
the federal government.” Sharing data across a network
as vast as the federal government is extremely complex.
Federal agencies need to create a comprehensive security
approach that can ensure security within an agency and
between agencies.
SOLUTION: UTILIZING
HOLISTIC APPROACHES
IT systems are more than the sum of parts. “Rather than
thinking about security as a stand-alone problem, gov-
ernment entities at all levels should consider a holistic
method.” The Dell Connected Security Portfolio embeds
by addressing security measures at the start of develop-
ment, protects by detecting threats and mitigating risks
and responds by destroying threats and collecting digital
evidence.
CHALLENGE: BALANCING
ACCESS AND PROTECTION
Some agencies share and secure information. As Slocum
and Stevens pointed out,“Agencies charged with safeguard-
ing constituent data, employee information and intellectual
property also must provide rapid access to the information
that government workforces need to perform their jobs.”
This dual mandate creates a challenge for cybersecurity.
SOLUTION: STORING DATA
SMARTER
Government agencies must analyze the costs and benefits
of offline, mobile, or cloud access to their data. Once agen-
cies decide on a storage solution, they can tailor a security
approach. “If data does not need to reside on endpoint
devices,” said the authors,“a virtualized client environment
may be suitable.” On the other hand,“if data does need to
reside on endpoint devices, deploying encryption for data
at rest can be essential for keeping information from falling
into the wrong hands,” noted the authors.
President Obama called upon federal agencies to create
cybersecurity protocols that ensure the safety of our na-
tion and critical infrastructure. Dell answered the call and
offers integrated and innovative solutions to accomplish
this critical mission.
23. "Cyber threats are rising rapidly and
government needs an alternative, secure solution
to the present operating environment where
multiple types of information."
Read about “Ensuring Cross-Domain
Security with SecureView MILS Workstations”
"IT Professionals are faced with providing secure
technology solutions in a quickly changing IT
landscape. Dell's Connected Security approach
allows US Federal agencies to securely connect and
share intelligence across the entire enterprise, boost
IT productivity and protect sensitive information"
Read about
“Providing Secure Mobility for US Federal Agencies”
24.
25. 24.C Y B E R S E C U R I T Y
8 W A Y S T O
M I T I G A T E R I S K S
The GovLoop survey, Michigan case study and the
federal cybersecurity overview provide a solid over-
view of the current state of cybersecurity in govern-
ment and the obstacles blocking improvement. States
like Michigan have been able to retain security and
meet mission needs. Below we have highlighted eight
best practices to prevent cyber attacks.
1. LEADERSHIP
In order to effectively adopt cyber efforts, executive
buy-in is required. High-level support is needed not
only to obtain organizational support, but also to ob-
tain proper funding levels. “In Michigan, we’ve been
fortunate to have executive buy-in. Getting buy-in
and an understanding by executive leadership is key.
We’ve had that with our governor and CIO, a team
of people that really get it and understand the impor-
tance of cybersecurity,” said Lohrmann.
2. TRAINING / EDUCATION
In order to retain security personnel, organizations
need to focus on investing in training for employees.
In order for training to be effective, organizations
must provide the right level of training for each em-
ployee. For instance, personnel working on the front
lines of cybersecurity defense strategies will require
different training from employees in the public affairs
department. Michigan is a great example of this dis-
tinction, as they adopted numerous training programs
for employees, tailored specifically toward their skill
26. 25. A G E N C Y O F T H E F U T U R E
level. As Lohrmann noted, “I think
that education and training are key.
I think that the reality is that our
staff is both our biggest strength
and also our biggest cyber weak-
ness.You talk to almost any CIO in
the country or any organization in
the government or private sector
says you need training.”
Providing training alone is not
enough. Organizations need to
implement metrics around train-
ing to measure effectiveness. The
Michigan case study is a great ex-
ample. In that case, when their old
training model was not working,
they developed new training to fit
organizational need. “In Michigan,
we had to start over and throw
out our old training and start
from scratch.We took a hard look
at our training and decided to
do something that’s more effec-
tive and has metrics that we can
measure. Now, we can see if we’re
changing behavior or if we’re actu-
ally making a difference with our
training,” said Lohrmann.
3. CONTINUOUS
MONITORING
Continuous monitoring is one part
of a six-step process in the NIST
Risk Management Framework
(RMF), from NIST publication 800-
53, rev4. Continuous monitoring is
a process where an agency defines
their IT systems, categorizes risk
levels, applies controls and then
continuously monitors their sys-
tems against threats. Continuous
monitoring is an essential step for
organizations to identify and mea-
sure the security implications for
planned and unexpected changes
to hardware, software, and firm-
ware to assess vulnerabilities in a
dynamic threat space.This holistic
view of security for IT systems
is essential as agencies are faced
with increasing threats.
4. PREPARING
AGAINST
SOPHISTICATED
ATTACKS
Attacks are becoming more so-
phisticated and complex for agen-
cies. As the Michigan case study
showed, attackers are improving
their ability to mask attacks and
spoofing efforts. Michigan’s Cyber
Range is a great example of a gov-
ernment agency learning to stay
one step ahead of attackers, and
being ready to thwart sophisticat-
ed attacks.
“ T H E R E A L I T Y I S T H AT O U R S TA F F I S
B O T H O U R B I G G E S T S T R E N G T H A N D A L S O
O U R B I G G E S T C Y B E R W E A K N E S S , ” D A N
L O H R M A N N , C I S O , S TAT E O F M I C H I G A N
27. 26.C Y B E R S E C U R I T Y
5. KEEPING
SYSTEMS UPDATED
Although preparing for sophisti-
cated attacks is essential, the ma-
jority of attacks still remain related
to phishing attempts and attacks
against unpatched systems. In or-
der to prevent the more common
attacks, be sure to always update
systems with the latest software
patches and upgrades. Often these
updates are removing vulnerabili-
ties, and helping to keep systems
secure.
6. TALENT
MANAGEMENT
Like many IT fields, government
agencies are desperately in need of
hiring top cyber talent. Lohrmann
noted that keeping talent is key to
success,“I’d say another best prac-
tice is retaining talent. We’ve lost
a number of good, key people. It’s
a hot market right now. Keeping
talent and keeping good people is
difficult at the moment. Attracting
the right people and keeping them
is challenging for government.”
7. DISASTER
RECOVERY
PLANNING
For government agencies, the real-
ity is that getting attacked is not
a matter of if, but when. With the
growing sophistication of threats,
no system is perfect and at some
point, an agency will be compro-
mised. Therefore, it’s essential for
agencies to have a plan in place as
to what to do once they are at-
tacked and how to get the system
back up and running, minimizing
data loss.
8. PROPERLY
FUNDING
PROGRAMS
With any government program,
funding is a challenge. Lohrmann
identified a work-around for
funding cyber programs: “When
we didn’t have the funding, didn’t
have the priorities, we made sure
that security was built into those
key enterprise projects early on.
There are always projects happen-
ing in government, so what proj-
ects are getting funded? What are
the major new systems?” In these
cases, he advised agencies to be-
come involved in core enterprise
projects early and make sure that
security is built up front for those
programs, rather than seeking spe-
cial funding that is separate from
enterprise projects.
28. What does it mean to be Secure?
In today’s complex and quickly
changing cybersecurity land-
scape, organizations are con-
stantly under the threat of a
cyber attack.As attacks become
more common and risks in-
crease, how can IT departments
understand how secure they are
in a dynamic threat landscape?
To explore this trend, GovLoop spoke with Sanjay
Castelino, the vice president and market leader of
SolarWinds. SolarWinds delivers powerful and af-
fordable IT management and monitoring software
to over 150,000 customers worldwide – from Glob-
al 1000 enterprises to nearly every civilian agency,
DoD branch and intelligence agency, and was named
by Forbes as one of the top 10 fastest growing tech-
nology companies. Castelino highlighted what being
secured means for government agencies. “To be se-
cured means you [are able to] verify that the strate-
gy and approach you’ve taken around securing your
environment is being executed well,” said Castelino.
Castelino noted how security professionals often
assist their clients in defining the right level of se-
curity.“Most security professionals will tell you that
they will take an approach where they built layers of
security. They expect certain security layers could
be breached and that multiple layers will ultimately
provide them enough protection so that it’s highly
unlikely that a significant breach will occur,” said
Castelino.
One of the security strategies often deployed is con-
tinuous monitoring. “Continuous monitoring is one
step in any risk framework as it pertains to securi-
ty,” said Castelino. However, continuous monitoring
has a unique set of challenges for IT administrators.
To create an effective continuous monitoring strat-
egy, agencies need to focus on both the training of
personnel and the automation of tasks.As Castelino
said, “To do continuous monitoring effectively, you
have to take a holistic approach to security.”
Taking the holistic approach recommended by Casteli-
no does not mean monitoring everything. “Monitor-
ing everything makes no sense in the IT realm. Since
there is so much data, you literally couldn’t make
sense of monitoring everything,” identified Castelino.
“The whole idea in securing your environment is
making sure the people, both inside and outside the
organization, aren’t breaking the rules. There are al-
ways people who don’t think the rules apply to them
and want to do something different. At the end of
the day, the continuous monitoring technology and
approach ensures people don’t do that by flagging
activity as it happens,” noted Castelino.
Castelino identified additional questions IT admin-
istrators should ask when starting a continuous
monitoring plan. One of them is,“What am I already
monitoring and what do I want to monitor?” Once
that answer is identified, Castelino recommends to
“then close that gap in the simplest way that you
can, you don’t need to buy into big security frame-
works or expensive tools. A lot of organizations are
already monitoring a lot. For example, you might al-
ready have a configuration management tool in place
that can provide the data for identifying unauthor-
ized configuration changes on a continuous basis.”
For agencies already monitoring, the challenge be-
comes effectively executing security policies and
finding an intelligent means to correlate data.This is
where agencies often turn to a Security Information
& Event Management (SIEM) solution.
Continuous monitoring is one step to confirm se-
cure IT environments for government agencies. “So-
larWinds is about practical tools for the IT users
that are powerful and affordable and easy to use.
That’s been SolarWinds’ mantra from day one. If you
don’t implement something practical, you could have
a great strategy that is very poorly implemented,”
said Castelino. Security in a modern context is truly
complex, but by taking actions such as continuous
monitoring, agencies can reduce risks and mitigate
damage from attacks.
An expert interview with Sanjay Castelino,Vice President and Market Leader, SolarWinds
29. 28.C Y B E R S E C U R I T Y
Network • Application&Server • Storage • Virtualization
Log&Security • HelpDesk • SecureFileTransfer
IT Management & Monitoring Solutions
for Government
mountabetterdefense
Cyber attacks are a serious threat to our economy and national security. Agencies
need the capability to quickly defend against and respond to known threats and
recover from incidents, whether caused by accident, natural disaster, or malicious attack.
Government IT managers are responding to these threats with continuous monitoring.
Their operations, information assurance, and cyber security teams are well served with
actionable intelligence from SolarWinds®
IT management and monitoring software,
which can be used to proactively identify threats, take automated action to quarantine
and mitigate damage, and analyze data to prevent future attacks.
SolarWinds solutions use a “collect once, report many” strategy that’s a unique functionality
in a single, cost-effectiveset of tools.
Join nearly every civilian agency, DoD branch, and intelligence agency in using SolarWinds
to address IT management and monitoring challenges.
FOR TODAY’S THREATS
Go to
SolarWinds.com/federal
for information
and a
FREE trial.
with SolarWinds Cyber Security & Continuous Monitoring Solutions
Call 877.946.3751
30. 29. A G E N C Y O F T H E F U T U R E
C H E A T S H E E T
Cyber security attacks may come from hackers, organizations, criminal networks, or disgruntled employees. A recent GAO
report, A Better Defined and Implemented National Strategy is Needed to Address Persistent Challenges, GAO highlights,
the most commonly cited attackers. Due to increasingly reliance on technology, there are more kinds of attackers, run-
ning both simple and sophisticated scripts, attempting to compromise information. We’ve highlighted the key terms for
you below:
BOT-NETWORK OPERATORS: GAO states, “Bot-network operators use a network, or bot-net, of compro-
mised, remotely controlled systems to coordinate attacks and to distribute phishing schemes, spam, and malware
attacks.” Bot-network operators often are using these techniques in an attempt to obtain financial gains.
PHISHERS: Phishers are groups of people looking to steal identities or information, such as social security
information and credit card numbers, for monetary objectives. Spam, spyware and malware are commonly used to
corrupt information.
CROSS-SITE SCRIPTING: GAO describes this as “an attack that uses third-party web resources to run a script
within the victim’s web browser or scriptable application.” Users can fall victim to this when visiting malicious web-
sites or links. By visiting these sites, victims allow the attacker to potentially “steal cookies… log keystrokes, and
capture screenshots,” leaving sensitive information vulnerable for exploitation.
DENIAL-OF-SERVICE: This attacks prevents the user from gaining authorized access to networks, systems, or
applications by using up resources.
LOGIC BOMBS: According to GAO, a logic bomb is “a piece of programming code intentionally inserted into a
software system that will cause a malicious function to occur when one or more specified conditions are met”
STRUCTURED QUERY LANGUAGE INJECTION: This attack “involves the alteration of a database
search in a web-based application, which can be used to obtain unauthorized access to sensitive information in a
database,” says GAO.
DATA-AT-REST: Data recorded and stored on storage media. Conversations on this topic revolve around
whether the data is encrypted, and how strong the encryption is.
DATA-IN-USE: Data that is not in an “at rest” state. Conversations revolve around the protocols that keeps this
kind of data secure, who has access, how data may be terminated.
DATA-IN-TRANSIT: Data that is being transferred between systems within or outside a network.
Agencies across all levels of government are looking at ways to
remain secure in a changing threat landscape. Our cheat sheet is
designed to get you up to speed on cyber terminology, access to
additional resources and chart out how cyber will impact your
agency in the next 3-5 years.
GLOSSARY – THE NEED TO KNOW TERMS
31. 30.
5 CORE CYBERSECURITY CHALLENGES
1 Responding to a quickly changing threat landscape
2 Retaining top cyber talent within government
3 Creating programs designed to assess risk and protect critical infrastructure
4 Educating and raising awareness about cyber programs
5 Promoting and funding research and development initiatives
5 CORE CYBERSECURITY OPPORTUNITIES
1 Developing security policies assuming that your network is always compromised
2 Organizing courses for employees as security and technology changes
3 Sending concise warnings and descriptions of possible threats to employees
4 Ensuring continuous monitoring, communication, education, awareness and assessment as threats change
5 Collaborating with peers and staying up-to-date on latest trends (see resources below)
CYBERSECURITY CORE RESOURCES
GovLoop Cybersecurity Knowledge Hub
Department of Homeland Security – Cybersecurity is Everyone’s Business
Michigan Cyber Initiative
Cybersecurity Resources: National Institute of Standards and Technology (NIST)
Stanford Cybersecurity Library
Strategies to Mitigate Targeted Cyber Intrusions
Glossary of Key Information Security Terms
CYBERSECURITY AND THE AGENCY OF THE FUTURE
Today, agencies are exposed to more threats than ever before. They are constantly looking at IT systems and looking at
ways to remain secure. A recent GAO report, A Better Defined and Implemented National Strategy is Needed to Address
Persistent Challenges, identifies reported incidents are up 786 percent since 2006. , The risks are too high and the con-
sequences too severe for agencies not to adapt their approach to cybersecurity. Agencies must become more proactive
in addressing cyber threats, and learning ways to stay out in front and quickly adapt in a changing landscape.
In the next 3-5 years, cybersecurity is going to be essential in protecting our way of life and government service provi-
sion. Cybersecurity is increasingly becoming the ability to protect critical infrastructure, along with our identities and
data. Some examples include:
Protecting our dams and water supply
Information networks that power our economy and fuel business growth
Networks that connect hospitals to data in crisis situations
Confidential government programs and data
Power grids in major metropolitan cities
Cybersecurity is essential to the agency of the future. As agencies continue to adopt new and emerging technologies,
they are becoming exposed to more risks. To protect IT systems and safely adopt technology, agencies must continue to
place an emphasis on cybersecurity initiatives.
32. 31. A G E N C Y O F T H E F U T U R E
A C K N O W L E D G E M E N T S
GovLoop’s mission is to connect government to improve government.We aim to inspire public sector profes-
sionals by acting as the knowledge network for government.The GovLoop community has over 65,000 mem-
bers working to foster collaboration, solve problems and share resources across government.
The GovLoop community has been widely recognized across multiple sectors. GovLoop members come from
across the public sector. Our membership includes federal, state, and local public servants, industry experts
and professionals grounded in academic research.Today, GovLoop is the leading site for addressing public sec-
tor issues.
GovLoop works with top industry partners to provide resources and tools to the government community.
GovLoop has developed a variety of guides, infographics, online training and educational events, all to help
public sector professionals become more efficient Civil Servants.
LOCATION
GovLoop is headquartered in Washington, D.C., where a team of dedicated professionals shares a common
commitment to connect and improve government.
734 15th St NW, Suite 500
Washington, DC 20005
Phone: (202) 407-7421
Fax: (202) 407-7501
A B O U T G O V L O O P
The GovLoop team is thankful to all of those who contributed to this report. We thank everyone for their
active community engagement, input and knowledge shared while developing this report. This guide would
not have been possible without your assistance and from the support of our sponsor, Dell, Juniper Networks,
SolarWinds and Symantec.
LEAD AUTHOR: Patrick Fiorenza, Senior Research Analyst
CO-AUTHOR: Kathryn David, GovLoop Research Fellow
EDITOR: Steve Ressler, GovLoop Founder and President and Andrew Krzmarzick, Director of Community
Engagement
DESIGNER Russell Yerkes, GovLoop Design Fellow
For more information about this report, please contact Patrick Fiorenza, Senior Research Analyst at pat@
govloop.com or @pjfiorenza.
33. 32.C Y B E R S E C U R I T Y
734 15th St NW, Suite 500
Washington, DC 20005
Phone: (202) 407-7421
Fax: (202) 407-7501