It was a long time coming, but when it dropped on the federal IT community in May, President Donald Trump’s executive order on cybersecurity provided much-needed clarity on the administration’s cyberpolicy direction. The order will foster a greater sense of responsibility among federal leaders (and not just IT chiefs) for cybersecurity, and will also push agencies to invest in technologies that actually solve security vulnerabilities, federal officials said.
The officials, on both the civilian and DOD sides, speaking on a panel at the recent MeriTalk GovProtect17 summit, argued that effective federal cybersecurity requires the involvement of a wide range of actors and cannot be left merely to the IT security teams inside agencies.
Indeed, the order notes that “effective risk management requires agency heads to lead integrated teams of senior executives with expertise in IT, security, budgeting, acquisition, law, privacy, and human resources.” The order also says that agency heads — not CIOs or CISOs — “will be held accountable by the President for implementing risk management measures commensurate with the risk and magnitude of the harm that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of IT and data.”
Forging a New Culture of Cybersecurity
Rod Turk, CISO and acting CIO of the Commerce Department, described the order as speaking specifically to cybersecurity as a “team sport,” requiring the involvement of the agency’s leaders, the CFO, IT leadership, human resources and others.
“I think that that’s probably, in my opinion, the most important aspect of the executive order,” Turk said. “Because, quite frankly, you’re not going to get anything done in your agencies unless everybody is on the same page, unless everybody is pulling on the rope together at the same level of effort.”
The federal government needs a new way of thinking about security, Turk said, and the order will force agencies to reckon with whether they have a culture of cybersecurity. Culture, he said, is “how you think, how you act and what you do in the organization,” and leaders need to make cybersecurity inherent in all functions of an agency, not just a part of new IT projects. That way of thinking needs to run throughout the agency, from the IT security officials monitoring email traffic all the way up to agency leadership, Turk said.
George Jakabcin, CIO of the Treasury Inspector General for Tax Administration at the Treasury Department, said agencies are not currently integrating security into the development and lifecycle of IT projects.
“We do not think of security as a discipline in the same way that we think of networking, as systems engineering, as software development,” he said. “It’s still the bag on the side.”
“It’s still the thing that we add at the end” to get paperwork done and certifications issued, Jakabcin added.
Agencies, he said, are caught between mobile apps like Uber, on the one hand, that make the delivery of services seem seamless to consumers, and the laws, regulations and auditors, on the other hand, that monitor and constrain them.
“How do we change that mindset?” he said. “How do we get people to think about this in terms that are valuable to the individual and become those enablers, rather than Dr. No? And if I had the answer to that, I wouldn’t be doing what I’m doing, even though I love it very much.”
A New Approach to Cybersecurity Tools
Essye Miller, CISO and deputy CIO for cybersecurity at the Defense Department, noted that former Defense CIO Terry Halvorsen would convene a meeting every Friday with the CIOs of the service branches and go over a cybersecurity scorecard to discuss vulnerabilities and what the agency was doing to plug them.
The scorecard idea, first developed in 2015, encouraged DOD to “get back to basic” on cybersecurity and focus on cyberhygiene and best practices to keep Defense networks and information safe. It pushed everyone at DOD to “get serious” about cybersecurity and remove vulnerabilities from the department’s network.
Miller said DOD needs to think through how it can use technology to automate more cybersecurity tasks. “How do we get to a threat-based analysis?” she asked. “How are we looking at our environment on a regular basis based on threat information, and adjusting accordingly?”
Jakabcin said that agencies’ missions and the call of public service will bring young people into the federal government. The challenge for practitioners, he added, is that vendors often want agencies to put in place their unique cybersecurity tools and programs.
“Well, that’s very interesting,” Jakabcin said. “What problem are you trying to solve? Help me understand that. And then we can have an intelligent conversation as to whether or not this is really part of that solution. Or, is there something that we already have, that we already own, that we have not exploited from our own perspective to the betterment of the organization?”
This content is made possible by FedTech. The editorial staff of Nextgov was not involved in its preparation.