Enhancing Cybersecurity Authentication in Government

The United States is under relentless attack by state and non-state actors in cyberspace. Many believe the U.S. is losing the cyber war, with the staggering number of breaches escalating to new heights year after year.

For example, in 2015 Chinese hackers gained administrator privileges, enabling them to acquire full access to the computers of the U.S. Office of Personnel Management (OPM). Among other things, they were able to download confidential forms that list continuous contacts, including those overseas, giving the Chinese communist government a new tool to identify and suppress dissenters. What is worse, federal authorities disclosed a separate attack that gave Beijing full access to the confidential background-check information on federal employees and private contractors who apply for security clearances. That includes the 4.5 million Americans who currently have access to the country’s top secrets, exposing them to blackmail.

Limiting the Damage

Hypothetical risks from the NSA have dominated the headlines about intelligence and surveillance in recent years. The OPM breach dwarfs the Edward Snowden leaks, which distracted the federal government from making better use of intelligence to prevent foreign hacking of Americans, a challenge only the NSA has the vast resources to meet. Powerless to defend other vital government agencies, the federal government failed in cross-agency collaboration.

Loss of Privacy

U.S. intelligence and law enforcement agencies can enhance collaboration and consequently expand monitoring of Americans with security clearances beyond their digital and telecommunication methods. The pressing issue with taking this extraordinary step is that millions of government employees and contractors entrusted with national secrets will lose their privacy, the price they pay for the government’s inability to protect their confidential personal records.

The Steps to Take

Government policymakers must adopt solutions that move away from the current shared-secret model of authentication. The Chertoff Group has published eight fundamental principles that address authentication policy:
  • A policy that explicitly addresses authentication. Sound authentication is one element of an overall approach to cyber risk management. The absence of an authentication policy renders any cybersecurity initiative incomplete.
  • Understand shared secret limitations. Most first-generation Multifactor Authentication (MFA) technologies rely on shared secrets; these are woefully inadequate compared with next-generation technologies, which are more secure and use public key cryptography embedded in a device. The Fast Identity Online (FIDO) authentication standards are one example.
  • Authentication support on mobile devices. Policies that do not optimize MFA usage on mobile devices will fail to provide adequate protection for transactions conducted in that environment.
  • Privacy matters. MFA solutions vary in their approach to privacy. For example, some track users’ every move or create vast databases of consumer information, exposing them to attack. Several authentication companies have developed privacy-by-design solutions that keep valuable biometrics on a user’s device and minimize the amount of personal data stored in databases.
  • Appropriate biometrics use. Biometric sensors installed on mobile devices enable easy options for secure authentication, such as fingerprint and face recognition. Biometrics are best used as just one layer of a multi-factor authentication solution, with a biometric matched on the device then unlocking the second factor. It is best that biometrics be stored and matched only on a device, avoiding the need to address privacy and security risks associated with systems that store biometrics centrally. Any biometric data stored on a centralized server is vulnerable to falling into the wrong hands if that server is compromised. This is precisely one element of the OPM breach, which resulted in the exfiltration of 1.1 million fingerprints.
  • Consider all technologies focusing on standards and outcomes. Authentication innovation is moving forward, and new technologies will continue to emerge. Governments must therefore focus on a principles-based approach to authentication policy that embraces the use of new technologies.
  • Choosing authentication solutions that are easy to use. What frustrates users the most and prevents adoption is solutions that are not user-friendly. Next-generation MFA solutions provide user-friendliness while offering even greater security gains. Government policymakers should encourage the use of next-generation MFA that addresses both security and user experience.
  • Old barriers to strong authentication are obsolete. The overwhelming obstacle to implementing MFA solutions has been the cost. In today’s world, dozens of companies are delivering next-generation authentication solutions that are stronger than passwords, more straightforward to use and less expensive to deploy and manage.
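
The contrast drawn in the shared-secret principle above, as an added example that is not part of the original article: it compares what the server's credential store holds under TOTP (RFC 6238) and under a simplified FIDO-style public-key challenge-response. Ed25519 stands in for the device key, all function names are hypothetical, and real FIDO also binds the signature to the site's origin and a signature counter.

```javascript
const crypto = require('node:crypto');

// Shared-secret model: TOTP (RFC 6238, HMAC-SHA1). Device and server hold the same seed.
function totp(seed, unixTime, digits = 6, step = 30) {
  const counter = Buffer.alloc(8);
  counter.writeBigUInt64BE(BigInt(Math.floor(unixTime / step)));
  const mac = crypto.createHmac('sha1', seed).update(counter).digest();
  const offset = mac[mac.length - 1] & 0x0f; // dynamic truncation
  const value = (mac.readUInt32BE(offset) & 0x7fffffff) % 10 ** digits;
  return String(value).padStart(digits, '0');
}

// Public-key model: the private key never leaves the device; the server
// stores only the public key and issues a fresh random challenge per login.
function enroll() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  return { device: { privateKey }, serverRecord: { publicKey } };
}
const deviceSign = (device, challenge) =>
  crypto.sign(null, challenge, device.privateKey);
const serverVerify = (record, challenge, sig) =>
  crypto.verify(null, challenge, record.publicKey, sig);

// Compare the two models when a copy of the server-side store is exposed.
function compareStoreExposure() {
  const seed = Buffer.from('12345678901234567890'); // RFC 6238 test seed (constructed input)
  const now = 59;                                    // RFC 6238 test time
  const storeCopy = { seed: Buffer.from(seed) };     // the store holds the secret itself
  const sharedSecretReusable = totp(storeCopy.seed, now) === totp(seed, now);

  const { device, serverRecord } = enroll();
  const challenge = crypto.randomBytes(32);
  const genuine = serverVerify(serverRecord, challenge, deviceSign(device, challenge));
  // The stored record has no private key; a signature from any other key is rejected.
  const otherKey = enroll().device;
  const publicKeyReusable =
    serverVerify(serverRecord, challenge, deviceSign(otherKey, challenge));
  // A captured response does not satisfy the next, fresh challenge.
  const replayAccepted =
    serverVerify(serverRecord, crypto.randomBytes(32), deviceSign(device, challenge));
  return { sharedSecretReusable, genuine, publicKeyReusable, replayAccepted };
}
```

In the shared-secret case the stored value is itself the credential, so protecting the server database is the whole defence; in the public-key case the stored value only verifies.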

The Road Ahead

Federal policymakers should understand that no technology or standard can eliminate the risk of a cyberattack. Today’s modern standards incorporate MFA and embrace FIDO, which is designed to take advantage of the advanced security hardware embedded in devices. Taking these steps can help minimize the government’s cybersecurity risk. Creating a policy foundation for MFA enhances cybersecurity and ensures greater privacy.