Witnesses from CISA, NIST, and the GSA spoke before a House Homeland subcommittee on their current efforts to bolster the nation’s cyber defenses.
Lawmakers explored courses of action to help bolster and secure the federal government’s digital networks, primarily through ongoing security software implementation and steady federal funding to protect sensitive U.S. data.
During a hearing hosted by the House Subcommittee on Cybersecurity, Infrastructure Protection & Innovation, witnesses from federal agencies at the forefront of developing a stronger federal cybersecurity posture talked about what their agencies have done and will need to support a secure government network.
“Cybersecurity must be considered alongside all other types of risks addressed by organizations and by leadership at the most senior level,” said Charles Romine, the director of the Information Technology Laboratory at the National Institute of Standards and Technology..
Leaders from other agencies, including the General Services Administration and the Cybersecurity and Infrastructure Security Agency, discussed some of their current strategies to implement stronger zero trust protocols across federal systems.
David Shive, the chief information officer with the GSA, explained that their push to modernize outdated legacy software systems will enable federal civilian users to engage with more secure authentication technologies.
“We are also accelerating our adoption of secure cloud services, leveraging modern cloud services to improve cybersecurity and user experience,” Shive testified. “By implementing these modernization efforts, GSA will improve cybersecurity capabilities to continually verify the security of users' devices, applications and data as well as to achieve broad based visibility across the GSA ecosystem with enhanced capabilities leveraging automation to manage the respect and respond to threats in real time.”
Shive added that sustained funding is critical to continued security implementation and creating zero trust architecture within federal networks.
Securing federal agencies by updating networks has also been a joint effort between the public and private sectors, a key tenant in one of President Joe Biden’s executive orders on strengthening the nation’s cybersecurity defenses.
These strategic relationships intend to help shore up cybersecurity defenses within both the public and private sectors, with the goal of withstanding future ransomware attacks. CISA has been charged with advancing this mission, with Executive Assistant Director Eric Goldstein saying that collaboration with private industry tech counterparts has helped CISA ward off Russian malware attacks.
“Our focus at CISA has been on taking any information that we can glean from our partners in the private sector, from our partners operating on the ground in Ukraine, Computer Emergency Response Teams in Eastern Europe, taking that information, distilling it down and then sharing it as quickly as possible with our key partners here in the US, including particularly federal civilian executive branch agencies,” he said.
Using these partnerships, officials at CISA can better disseminate advisories and warnings to agencies and firms against malware linked to Russia.
Goldstein also noted that as more federal employees use their cell phones to conduct work, CISA is also in the process of implementing mobile asset management security measures to further protect federal networks.
“We know in this new hybrid, even remote first universe in which we're living in, a lot of federal employees are really using their mobile devices for a significant volume of agency work and processing important information,” he said.
This parlays into agencies’ main goal to establish robust endpoint security across devices accessing federal networks. Goldstein said CISA is prioritizing this approach, and through its Continuous Diagnostic and Mitigation program, will create a new dashboard to make agency risks more transparent.
“We are gaining extraordinary centralized visibility into threats and risks targeting federal agencies through expansion of our endpoint detection and response capabilities through maturation of continuous diagnostics,” he said.
While the dashboard is still under development, Goldstein told Rep. Kathleen Rice, D-N.Y. that more federal agencies are jumping at the opportunity to have access to it.
“We are in the process of a rather remarkable technology improvement across the federal dashboard, which is giving us this object level data,” Goldstein said. “We are getting more agencies onboarded at this point every week.”
Beyond current cyber threats, agencies are also interested in additional Congressional support to work on regulating emerging technologies. Romine said that NIST is looking into managing potential risks ahead of mass adoption of newer technologies.
“Emerging technologies such as internet of things, quantum computing and artificial intelligence will add additional challenges for federal cybersecurity,” he said. “More than ever, federal agencies and other organizations must balance a rapidly evolving threat landscape against the need to fulfill mission requirements.”
Romine further added that as NIST begins to develop its post-quantum cryptography standards, the agency and its partners have identified multiple algorithms strong enough to withstand an attack from a given potentially viable quantum computer.
“NIST has been working for a number of years now, with the private sector with cryptographic experts around the world to identify the algorithms that will be resistant to quantum attack but also resistant to classical attack,” he testified.