What keeps federal cybersecurity leaders up at night? Well, a lot of things, it turns out.
Federal IT security leaders are concerned that their agencies are not fast enough in deploying new cybersecurity solutions, their departments are too sprawling to secure and legacy technology assets can hamper security.
While there is no magic formula of technologies to help address all of these pain points, officials from the Defense Department, National Geospatial-Intelligence Agency and Department of Health and Human Services said at a recent industry event on cybersecurity in Washington, D.C., that there are tactics they can employ.
Some of those tactics are specifically oriented around technology, like updating old operating systems and patching security vulnerabilities. Others are more geared toward policy — approaching cybersecurity from an enterprisewide view.
Key Pain Points in Federal Cybersecurity
The federal bureaucracy can sometimes move slowly, which is definitely a liability in cybersecurity. Matt Conner, CISO of the National Geospatial-Intelligence Agency, noted at the event that he often speaks to employees inside and outside the intelligence agency about the speed of solutions.
“People want an informed, contextual-rich decision about whatever outcome they are trying to achieve,” he said. Speed is becoming more important at NGA, he added, and moving “at the speed of mission” is now part of NGA’s mission statement. The NGA is in charge of collecting, analyzing and distributing geospatial intelligence, especially through satellite imagery, for national security officials.
NGA intelligence analysts and operators as well as NGA’s government customers want solutions fielded and operational as quickly as possible, and the old ways of deploying technology just won’t do, he said. For several months, NGA has been pushing to secure authority-to-operate certifications for cloud services in a single day. Cloud service providers need to build their offerings on NGA’s Platform as a Service architecture, use the agency’s DevOps security stack to assess the code for vulnerabilities and then go through a specific promotion path for approval.
So far, the agency has been able to reduce that time down to five days, Conner said, with 24 hours continuing to be the goal. However, he said, accelerating the deployment of cybersecurity solutions remains a pain point.
Meanwhile, Mitchell Komaroff, deputy CIO for cybersecurity at DOD, said that the sheer size, scope and complexity of the Pentagon inhibits cybersecurity. The fact that DOD components can make cybersecurity decisions in a decentralized manner, and that many DOD processes are oriented around how particular systems run, means that it is challenging for Defense Secretary James Mattis to achieve integration.
“That’s also tied with a certain lag of what I would call the legacy installed base that we face,” Komaroff said, “and the fact that those decentralized decisions make it difficult to move out with a kind of periodicity or regularity that allows you to maintain a current technology installed base, as opposed to an installed base that limits your options from a standpoint of cybersecurity.”
Chris Wlaschin, CISO of HHS, said President Donald Trump’s cybersecurity executive order brought into “crystal clear focus” the need to go after the agency’s biggest risks. For HHS, those risks include high-value assets and legacy IT systems.
Wlaschin also said HHS is facing a shortage of cybersecurity talent, as are other agencies. “There’s just not enough good cyber people to go around,” he said, so HHS is partnering with industry and educational institutions that are accredited by the National Security Agency and others to develop a grassroots cybersecurity talent pool that the agency can tap into.
How Technology Can Address Cybersecurity Gaps
There’s not a single technology “silver bullet” that is going to address all of the DOD’s cybersecurity pain points, Komaroff said. In general, he said, there are pervasive improvements in technology that enhance security, including improving the quality and security of operating systems on users’ PCs.
The DOD is shifting its entire enterprise to Microsoft’s Windows 10 platform via Secure Host Baseline, which includes not only the Windows 10 operating system but also additional secure applications that have been preconfigured. That shift is being driven at the highest levels of the department, Komaroff said, so that all DOD components plan to make the switch.
Another key element of DOD’s cybersecurity approach, Komaroff said, is joint regional security stacks (JRSS). Through JRSS, the Defense Information Systems Agency is partnering with the Army and Air Force to change the way the DOD secures and protects its information networks. JRSS is a suite of equipment that performs firewall functions, intrusion detection and prevention, enterprise management, virtual routing and forwarding, and provides a host of network security capabilities.
According to Komaroff, DOD is leveraging emerging technologies but managing them at an enterprise level. That top-down approach is essential to effective cybersecurity, Conner added, especially in terms of risk aggregation and management perspective.
“If you are not looking at it from an enterprise perspective, you are destined to fail,” Conner said, “both from a risk that we incur but also the ability to apply solutions.” NGA is working on enterprisewide security services, including domain access management and agencywide security analytics.
NGA is also investing heavily in automation technology for security and can help agencies that lack IT security staff. Conner said, “Increasing automation can help be a force multiplier for our capabilities.”
Though, Conner added that there is more to cybersecurity than technology and that integration, people and processes are key to security. He is trying to get NGA’s leadership to understand that security is “not something you buy as much as something that you do.”
For more on cybersecurity issues, visit fedtechmag.com/security.
This content is made possible by FedTech. The editorial staff of Nextgov was not involved in its preparation.