Cybersecurity the right way
Agencies have no shortage of mandates and top-down guidance, but true risk management starts elsewhere.
Of all the government's challenges on the cybersecurity front, getting the attention of top leaders is not one of them. Indeed, with so many mandates being given, agency officials can be forgiven for wondering which top priority to tackle first.
FCW recently gathered a group of IT security leaders from across government to discuss how they bring organization and prioritization to their many cybersecurity efforts. The discussion was on the record but not for individual attribution (see below for a list of participants), and the quotes have been edited for length and clarity. Here's what the group had to say.
It takes more than a mandate
Unanimity was rare in the 90-minute conversation, but the participants agreed that top-down requirements on their own can't change the government's security posture.
"Anyone who has raised children knows that mandates don't work," one executive quipped. "It doesn't change any large organization. It has to be that agencies have internalized with their mission that cyber is important."
Another said public scorecards increase the compliance pressure on agencies. "Even though we've had the mandate for quite a long time, we still weren't able to break through with what we needed to implement it," the official said. But since being called out for poor scores, "we have shown tremendous progress toward getting things done."
A third official pushed back on that, though, asking: "But how does that influence your funding? Literally, even if I scored an F on every part of my scorecard, I will get the funding that I need. Nobody's pulling the rug under your feet right now."
Most participants said the real pressure comes from the escalating cyberthreats their agencies face. "We have a very strange dynamic," one said. "Inherent organizational inertia is coming head to head with a security tempo that's forcing government to change."
"I think we have no choice," another participant said. "The adversaries are not going to say, 'OK, we'll give you time.'"
Buy-in vs. budget
Most participants said their agencies have truly internalized the importance of cybersecurity. "We're finally past the point of trying to convince people that security is important," one official said. "I am in the secretary's office at least two or three times a month. So we'll never have enough resources, money, people, but we are now at the point where it's starting to be the first conversation that's being had."
Others agreed that the focus doesn't often turn into funding. "If I had to define buy-in by budget, I'd probably say no," one executive said. "If I define it by understanding, I would say, 'Yes, of course.'"
And although acquisition rules and contracting officers tend to be cast as obstacles to almost any IT initiative, the group said those are not the problems with cybersecurity. As one participant put it, "The mechanism is there.… Wonderfully, acquisition is not the excuse anymore."
Another said the problem more often is that program owners don't want security costs to come out of their budgets, adding, "One of the things we keep missing the target on is that the security isn't built in right from the beginning."
"It's coming to hurt us at the end," another added. "We are going in and doing test after test after test without paying attention to doing the test right from the beginning."
Participants
Seth Abrams
CTO, Department of Homeland Security Group, General Dynamics IT
Surendra Babu
Information System Security Manager, Department of Education
Maj. Tom Bereknyei
Lead Engineer, Defense Digital Service
Veronica Branch
Branch Chief, Department of State
Brian Gattoni
CTO, Office of Cybersecurity and Communications, Department of Homeland Security
Larry Hale
Director, Strategic Solutions and Security Services, General Services Administration
LCDR James Jones IV
Deputy Director of Cyber Security, National Oceanic and Atmospheric Administration
Wanda Jones-Heath
Chief Information Security Officer (SAF/CIO A6Z), U.S. Air Force
Matt McFadden
Cybersecurity Service Area Director, General Dynamics IT
Michael Powers
IT Security Manager, NASA
James Quinn
Senior Advisor for Cyber, Department of Homeland Security
Clinton Swart
Information System Security Officer, Smithsonian Institution
Note: FCW Editor-in-Chief Troy K. Schneider led the roundtable discussion. The Aug. 9 gathering was underwritten by General Dynamics IT, but both the substance of the discussion and the recap on these pages are strictly editorial products. Neither GDIT nor any of the roundtable participants had input beyond their Aug. 9 comments.
"There's this huge disparity," a third agreed. Project owners "will say, 'Oh, don't worry about security. We got another contractor.' And it's this little guy. We need to really move where the money is — where you can get your requirements into that big contract."
Another participant steered the discussion to the Department of Homeland Security's Continuous Diagnostics and Mitigation program, noting that it is both an acquisition enabler and an example of how important true buy-in will be.
CDM's Dynamic and Evolving Federal Enterprise Network Defense series of task orders "is exciting because it gives agencies more flexibility to embrace this [continuous monitoring] philosophy and to implement it in a way that is appropriate for that agency's enterprise," the official said. "But if it isn't viewed as a holistic ongoing security philosophy across the federal enterprise, then what happens when DHS stops funding it and the agencies have to pick up the tab? And then the whole thing stops, and we all go back to manual dashboards."
"I'm a huge supporter of the program," the official continued, "but if it's just another siloed mandate that we have to check the box for CDM, then it's never going to work."
Putting the right people in the room
Part of the solution is bringing deep expertise into all stages of planning for a system or program, most participants agreed. But although program owners, contracting officers and other key stakeholders can be educated on the importance of security, that's not likely to be sufficient.
"Are we going to be able to train a whole cadre of acquisition specialists to address these issues?" one participant asked. "We're starting to see hints that maybe you can't."
Instead, that official said, many initiatives need to have a true expert "in the room next to you to start throwing down the detailed plot of what needs to be done."
Such experts are in short supply, however — and they generally want to stick with technology, not acquisitions and life cycle costs. "I know in our case we can't afford to have a person in the room like that every time," one participant from a smaller agency said, as several others nodded in agreement.
Another executive, however, said agencies could turn to federally funded research and development centers for those in-the-room experts. "They've got the expertise and the competency and can be free of the conflicts of interest" that vendors might bring, the official said.
Also, many agencies have more expertise than they might think, said one official who has worked at multiple departments. "It's very rare that we show up somewhere and no one has the answers," that official said. "It's just that the person who has the answers is usually someone who is either not being listened to or is not empowered. So we can usually find those pockets of competence."
Time to create a crisis?
One participant said some agencies won't take appropriate steps until an incident forces them to and that perhaps it would be better to create those events on a manageable scale. "I hate to say it, but the reason DHS was formed was because planes flew into buildings, right?"
Such a provocation could take the form of unannounced penetration testing, the official said, or even the introduction of low-level problems into an agency's systems to force a response — the cyber equivalent of an inoculation.
"A lot of [penetration testing] programs essentially get neutered in effectiveness," the official said, because the resulting reports are easy to ignore. "So now you have to make a hard choice: Do you want to kind of take the gloves off and let real damage be caused? Because once there's real danger, sometimes the crisis actually does cause change. But doing that is obviously not easy."
Most of the group was uncomfortable with government actively hacking itself. "I would rather not think that we're so good at crisis management that we need a crisis to manage," one said. "I'm hoping that we just naturally say, 'This is what we've got to do' because we're cognizant of the consequences if we don't."
Learning to love risk management
Being cognizant of the consequences and acting accordingly is the bottom line, the group agreed. And if only one piece of guidance matters, it's the Risk Management Framework.
Oversight can complicate agencies' efforts to adopt the RMF, several noted, because the Government Accountability Office and many inspectors general have not fully squared it with their auditing approaches. But framing the conversation in terms of risk can help with other potential friction points — such as agency financial officers.
One official who spent years butting heads with the finance team finally realized that his number-crunching colleagues were simply managing a different category of risk — a revelation that "was really useful in changing my communication with that group."
"Honor their processes," the official advised. "Tell them you're doing it but your way, in your world, and you can get a couple of allies from that side."