Securing the Federal Government: Challenges and Opportunities

Kathy StershicLast week’s Security Through Innovation Summit, presented by FedScoop, offered interesting perspectives on cybersecurity through a federal government lens. While there were new insights well worth learning, it seemed there was also a bit of an uncomfortable resignation in much of the audience: cyber threats have unfortunately become commonplace.

The ever-insightful Chris Young, CEO of McAfee, framed the current environment as having gone from theft-centric attacks to disruption-centric attacks (think Election 2016). The consequence is that fencing data in is no longer adequate when manipulating data is a real threat. Several other themes carried through comments from the broad slate of speakers:

Modernization of government IT continues to be a top priority. While there has been varying progress by agency, there is still a long way to go and many differing opinions about what modernization actually means. There is also a heavy focus on cloud adoption, and the mantra of Shared Services continues.

Of course modernizing and sharing technology introduces new levels of risk. In fact, several speakers discussed risk prioritization rather than just defense or compliance. Jeannette Manfra, Assistant Secretary, Office of Cybersecurity and Communication at the Department of Homeland Security (DHS), specifically stated that their job “is not to protect every computer in the country; it’s to figure out where the highest risk is and focus resources there.” To that end, DHS has designated National Critical Functions – like a stable financial system, clean water, safe energy and reliable communications infrastructure – to analyze how to best secure the ecosystems for each function.

Better automation is needed. McAfee Chief Technology Officer Steve Grobman explained the need for applying big data analytics and artificial intelligence (AI) to mine the plethora of available data. Automating identification and remediation of smaller risks will offload time-consuming human intervention better allocated to in-depth analysis of bigger risks. Grobman noted that adversaries are very focused on how to use AI in enhancing attacks; they understand its power for defenders and use that to get better at evading defense and improving offense.

That idea was reinforced by McAfee Chief Scientist Raj Samani, who explained that cyber criminals continually study industry blogs to see what vulnerabilities have been identified, and work quickly to rectify errors in their own code to continue the exploit. He cited one instance where this happened as quickly as 48 hours. According to Samani, that level of sophistication is a strong indicator of a nation-state attack; and those seem to be increasing.

Threat intelligence has to be shared – within stove-piped agencies, across agencies and public-to-private sector. DHS’ Automated Indicator Sharing has shown some success in the last two years, but government speakers, particularly from the FBI, noted the need for much better sharing and greater trust among commercial entities who aren’t constrained by Constitutional limits as the FBI is – essentially an appeal that common knowledge will help everyone. This will undoubtedly continue to be a struggle given current public sentiment and increasing privacy concerns. Howard Marshall, Deputy Assistant Director for the FBI’s Cyber Division, gave friendly and earnest remarks about the Agency’s Readiness, Outreach and Intelligence mission, emphasizing Outreach through many FBI-sponsored programs to engage private industry and citizens in information-sharing. Just one example: private sector CISOs can attend a CISO Academy at Quantico, where they can learn FBI defensive tactics and even participate in morning exercise runs with agent trainees. Sign me up!

Other stand-out topics from the day included the critical need for more women in cyber, and strengthening the cyber workforce in general. Ideas such as engaging Veterans, students, retirees or the unemployed to help fill the labor gap – estimated to reach a shortage of over 1.8 million workers worldwide within two years  – were discussed, as the government could play a big role in developing this untapped talent. Communication was another concern; there are big needs for dialog in a commonly understood taxonomy and a willingness to come to the table and talk in the first place. Matt Conner, CISO of the National Geospatial-Intelligence Agency, remarked that “industry conversations are generally more productive than those with other agencies” – a condition that clearly needs to change.

In fact, Wanda Jones-Heath, Deputy CISO of the U.S. Air Force, noted that the cyber team is frequently seen as the “Office of No” by others in the branch, necessitating more proactive conversations with a breadth of Branch stakeholders. That leads me to conclude that the government has a long way to go in cultivating a cybersecurity culture and mindset. In fairness, the same is true for many in the private sector and citizenry.

By now we all know that unfortunately cyberattacks aren’t going to stop. Howard Marshall flatly stated that we’ve not yet had our Cyber 9/11. It’s coming. A sage piece of advice from Trent Teyema, Chief of the FBI’s Cyber Readiness division is to “focus left of the event” and continually prepare for the next attack.