Black Hat 2018: Understanding Government Cyber Policy

Even the most tech savvy among us get caught flat-footed once in a while. For Justin Cleveland, head of government business at Authentic8, it was an experience at home. Cleveland arrived at his house to find a dozen boxes from Amazon.com on his doorstep. Not having ordered anything, he asked his wife what she had bought. Nothing. She had no idea what he was talking about. It was then that Cleveland and his wife noticed their 4-year-old daughter standing in the corner, her expression somewhere between alarmed and proud of herself.

“Did you ask Alexa for something?” they asked her.

Justin Cleveland

“I wanted some new dolls,” the girl replied. “Alexa said she would get them for me.” Mystery solved, but oh boy… The fact that Cleveland, who logged a decade in the intelligence community, could be outsmarted by a toddler and a home shopping assistant is very revealing in this day and age.

Do we ever truly understand what’s going on behind the scenes? Certainly, things are not always as they appear. Authentic8 approaches this problem through a secure browser. Authentic8 sets up a buffer between the machine, user and the external Internet. “Using the web puts your machine into contact with many unknown entities,” said Cleveland. “Regardless of what security tools you have, you really have no idea what code is being loaded onto your machine, and what data you are exposing to the outside world when you surf the net. Yet, there’s no way to control it, unless you establish a secure browsing presence.”

Cleveland’s job is to interest government agencies in the merits of secure browsing. Government personnel are online like everyone else, exposing their employers to zero day attacks and a variety of advanced persistent threats. Cleveland is finding strong interest in secure browsing in the government sector as the government, in his view, has become increasingly serious about cyber security. The Department of Defense, for example, has begun tightening controls governing data management by defense contractors. This is a topic we have covered previously.

According to Cleveland, government cyber security policy is still uneven, however. “It depends on the department,” he observed. Some agencies assume a leadership role in policy setting and standards of policy enforcement. He cited the example of the Customs Service inside the Department of Homeland Security. “They establish a path forward on cyber, and other agencies inside DHS follow their lead.”

Politics affect the process of securing the government, Cleveland also noted. “It’s inevitable, but it can be frustrating,” he observed. “There is more emphasis on sharing threat data today, and progress is being made on that front, but things could be going a lot more smoothly.” In the meantime, he’s advocating for secure browsing as a countermeasure for unknown threats.

Photo Credit: Virvatulia Flickr via Compfight cc