Money Talks in Agency Cybersecurity, Former DOD Official Says

Cyber officials may feel pressure to prove how useful their programs are in thwarting attacks—especially when faced with unfunded mandates, one former Pentagon counterintelligence chief of staff says.

A better solution would be to fund cybersecurity programs but ensure agency heads are accountable for their effectiveness, Keith Lowry, currently a senior vice president at security and eDiscovery company Nuix and former chief of staff to the Pentagon’s undersecretary for human intelligence, counterintelligence and security, told Nextgov.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

Lowry, who served under the Obama administration, suggested connecting the agencies’ information security professionals—who often buy technology—with human intelligence experts who understand how people use and could potentially exploit that technology. This conversation has been edited for length and clarity.

Nextgov: In your experience in government, were cybersecurity programs difficult to justify?

Keith Lowry: Cybersecurity always takes a backseat. Executive Order 13587 [a 2011 rule directing agencies to protect classified systems] was an unfunded mandate. ... The first [statement] out of their mouth was, “I’m not going to do it anyway because I don’t have the money to do it.”

The burden of proving the value was put on those people who were instructed to create the insider threat and cybersecurity programs, which is an impossible task. The metrics are key, but it’s also difficult to prove a negative. Even when you could prove that you had stopped a cybersecurity incident—or insiders or foreign intelligence penetration—it became a political hot potato because nobody wanted to admit they had a problem. And so they didn’t want to take it forward.

Nextgov: How do you suggest clearing those hurdles?

Lowry: If it’s not important to the head of an agency, it’s not going to be important to anybody beneath them. If I were the guy in charge, I would say to the head of an agency, “I’m going to hold you accountable for any incidents that occur that you have not taken adequate steps to prevent."

Nextgov: How do you incentivize agency heads to prevent those incidents?

Lowry: There’s the political end of things, then there’s the permanent staff, then there’s Congress—the budget and the appropriations. All that has to be brought together.

If you go to an agency head and say, "You have to do cybersecurity and an insider threat program, and by the way, we’re not going to give you the money," then you’ve already said it’s not important.

Nextgov: You’ve advocated for what you call a “centralized administration, decentralized execution” on cyber. What does that look like?

Lowry: I would make the IT department, the [chief information security officers, the chief security officers, the National Institute of Standards and Technology], all of that staff under one umbrella so they would speak with one voice. In an agency now, an [information security officer] will come and tell me one thing. NIST says another thing. And that’s all [about] technology, it doesn’t have anything to do with humans or insider threats.

Every event begins and ends with a human. So why do we spend all this money on IT technology and forget the fact that it’s a human, beginning to end, that’s causing this to occur? The majority of cybersecurity budgets always go to the IT department.

What happens when an IT guy finds something that’s wrong? They say, “I’ve done my job, I’ve patched it.” That’s not the totality of the problem. On the other side of that patch is a human who knows that patch and will go around that patch. Too many people are focused on a tool-based solution.