150 ideas for better cybersecurity in government

An industry/government group has canvassed the federal IT community for suggestions and will provide recommendations to OMB in November.

As the government gears up for a second "cybersecurity sprint" and begins to absorb the Office of Management and Budget's just-released strategy, a group of industry and agency leaders has been canvassing the federal IT community for ideas on how to do cybersecurity better.

"After the OMB breach, a number of us in ACT-IAC started a conversation" with the Office of Management and Budget, said Dan Chenok, executive director of the IBM Center for the Business of Government, at the recent Executive Leadership Conference in Williamsburg, Va. "And we were talking about how there were lots of good ideas in industry [to generate] forward movement on cybersecurity for government."

"OMB thought it was a terrific idea for us to act essentially as a collector of ideas," Chenok added, so the group created an online "ideation site" and started asking the federal IT community for suggestions. Eight specific challenges were identified, and more than 150 ideas were captured. An initial briefing was given to U.S. CIO Tony Scott in late September, and a more detailed report is now in the works.

Clearly, it doesn't work to "just tell people, 'Do what all that policy says you should've been doing and you'll be fine,'" said Mike Howell, senior director of ACT-IAC's Institute for Innovation. Instead, agencies need ideas for how to "do it different, better, faster, cheaper, easier rather than just beating your head against the same old wall."

Veris Group Chief Strategist David McClure, who helped lead the initiative, said the suggestions ranged from cutting-edge techniques being tested in the private sector to management and communication strategies that can help agency leaders better understand the risks at hand.

"Going into a board meeting or an agency executive meeting and having a conversation about cyber can be challenging," McClure said. "They're often talking in different languages.... Risks are not very well defined, and it really becomes just 'how much money do you want from me?'"

Also in the mix, he added, are seemingly simple solutions that could nonetheless have a huge impact. "A lot of our problems with security are that the fundamentals are not being done -- period," he said. "It's not necessarily that we have the wrong stuff or we're doing it the wrong way -- it's that we're not doing it."

Chenok, Howell and McClure declined to comment on the specific recommendations that will be included in the group's full report, but the ideas discussed include:

  • Self-audit checklists. The Securities and Exchange Commission has produced guidelines to help the securities industry assess its own security measures; a similar toolkit could be provided to federal agencies. "Why wait [until] after the auditors come in and respond after the fact," Chenok said. "Let's think like the auditor would."
  • Mimicking Walmart's "security mavens." By training development team members to provide first-level security support, the retail giant has dramatically boosted its ability to defend and respond. Similar training could be done across agencies, or a "security SWAT team" could be created as a shared resource across government.
  • Cybersecurity reserves. Given the stiff competition for trained cybersecurity experts, the government might consider building a "cybersecurity reserve corps" that draws on private-sector talent rather than trying to hire individuals full-time. High-visibility projects and college loan repayments could be used as recruiting incentives.
  • Taking advantage of FITARA. The governance requirements of the Federal IT Acquisition Reform Act could be used to build cybersecurity into program and budgeting evaluations upfront.
  • Tips of the day. Annual training is not nearly enough. Simple cybersecurity rules and reminders could be rotated on login screens, intranet home pages and other locations that federal employees see daily.
  • A "red team" BPA. Simulated attacks and "hunting" expeditions by outside experts are effective means of identifying vulnerabilities because "the mentality inside is different from the view outside," McClure said. A governmentwide blanket purchase agreement for such services could encourage civilian agencies to emulate the military's use of "red team" operations.

"No single idea here is going to bring a fundamental change," Chenok said. "But the sum total of these ideas -- and we've talked to OMB about this -- can help to create a framework that will lead to that."

A catalog of the submitted ideas is on the ACT-IAC website. Briefings for Scott, the CIO Council and other government cybersecurity stakeholders are planned for the coming weeks, and a public report is expected by late November.