Federal governments, citizens can’t afford untested cybersecurity solutions

It’s undeniable that the stakes for federal and critical infrastructure cybersecurity have increased exponentially, particularly since the advent of generative AI. Yet many cybersecurity solutions available today use opaque algorithms that may not yet have proven themselves against the magnitude of the threat our adversaries pose. To create a truly secure cyber ecosystem for the systems that protect citizen data and livelihoods, federal cybersecurity professionals should implement solutions that are transparent, resilient and validated.

Threat sophistication is increasing, while issues with cybersecurity effectiveness remain

Advanced cyber threat actors, like Volt Typhoon and Salt Typhoon, illustrate the increasing sophistication with which near-peer competitors are seeking to establish potentially disruptive cyber capabilities. Accelerating this threat, the advent of natural language artificial intelligence has enabled the quantity of phishing attacks to increase by as much as 1,265%, with a success rate as good as or better than that of human-generated phishing emails.

Even as the magnitude of the ever-evolving threats increases, many of the issues with the underlying effectiveness of cybersecurity solutions highlighted in a commercial market survey and the Cyberspace Solarium Commission report from 2020 remain. Both reports found that cybersecurity practitioners have neither the time nor the resources to test the solutions they implement against adversarial attacks, much less the sophisticated, multi-stage attacks being leveraged by near-peer competitors. Except for the FCC’s nascent Cyber Trust Mark program for Internet of Things (IoT) devices — which is highly reliant on vendor self-certification — this remains true today.

Without testing solutions against realistic threats, federal and critical infrastructure cybersecurity leaders have no choice but to trust that their newly implemented solutions, along with those already in place in their ecosystems, are robust enough to stand up to an increasing threat. Or, to quote one of the CISOs interviewed in the 2020 market study, “We buy it, and then we cross our fingers and hope that the technology will work.”

Unfortunately, the cost of cybersecurity technology failing to work as expected is greater than ever: If a technology does not prevent an adversary from entering an organization’s systems altogether, adversaries can use techniques like living off the land (LotL) to create low-visibility, hard-to-remove footholds in government systems.

The answer is transparent, resilient and validated solutions

To do more than cross their fingers, federal cybersecurity leaders should ensure that they are using transparent, resilient and validated solutions. These three key characteristics provide cybersecurity leaders with a clear-eyed view of how the solutions they select work together to mitigate risk holistically, with some solutions compensating for the gaps in others. Systems designed this way will be better prepared for sophisticated attacks.

Transparent cybersecurity solutions provide a straightforward and verifiable way for cybersecurity teams to go beyond knowing what a technology does to instead understanding how it achieves the desired effect. Federal buyers can evaluate the transparency of a cybersecurity solution by asking for details about the underlying security mechanisms. For example, they can request software bills of materials (SBOMs) to ensure that no open-source software with a track record of compromise is used in the security enforcement mechanism, or ask to review high-level schematics of security enforcement mechanisms implemented in hardware. This information not only helps cybersecurity experts verify that a technology goes beyond buzzwords but also enables them to better understand where the technology fits best within their cybersecurity ecosystem.

Choosing a resilient cybersecurity solution means that the technology itself has built-in fail-safes to prevent adversaries from evading or (even worse) subverting the technology. A solution resilient to sophisticated attacks is especially critical as adversaries continue trying to exploit security-related devices and services like firewalls, routers and VPNs. Buyers can evaluate the resiliency of solutions by asking how a solution detects fail states, how it reacts (fail closed vs fail open) to fail states, and how it verifies that it has recovered from fail states without compromise to its underlying security enforcement mechanism.

Finally, when possible, federal cybersecurity leaders should lean on existing research and recognized assessments to select validated technologies. Cybersecurity technologies should be tested by a third party to ensure that their security enforcement mechanisms work against the most sophisticated adversaries — in tangible terms, this means standing up not only to known technical exploits, but also to zero-day attacks and other unforeseen threat vectors.

This testing is normally associated with use in high security environments, like the cross domain use cases overseen by the National Security Agency’s National Cross Domain Strategy & Management Office under its Raise the Bar program. Other certification programs like the Federal Risk and Authorization Management Program are also important for ensuring that a solution does not put the agency at further risk, but they may not test to see if the security enforcement mechanism works as advertised.

The challenges are daunting, but not insurmountable

The challenges posed by an AI-accelerated adversary emboldened to target federal civilian agencies are daunting but not insurmountable. The government can partner with industry to ensure that the technology used to secure high-consequence networks across the federal government and critical infrastructure is transparent in its execution of security functions, resilient enough to withstand attacks, and validated against sophisticated threats. By doing so, federal cybersecurity leaders can contribute to improving not only federal cybersecurity but also the security of our data and way of life.

Adam Maruyama is field chief technology officer for digital transformation and AI at Everfox.

© 2025 Federal News Network. All rights reserved.