Making some changes to how the federal government buys cyber tools is one of the things the new Homeland Security secretary has mentioned.
Alejandro Mayorkas, the new secretary at the Department of Homeland Security, recently gave a speech providing an extensive look at what he termed his “vision and roadmap” for the department’s upcoming cybersecurity efforts. A number of items in his March 31 remarks bear further exploration, as they will set the tone for the Biden administration’s approach to cybersecurity in the months and maybe the years to come.
Some Familiar Promises
At the outset, Mayorkas emphasized how important it is for the federal government to modernize its technology and to work with the private sector to address our nation’s cybersecurity challenges. But this has been stated so many times by so many government officials. By themselves, those promises won’t move the needle on cyber. They will require more specific and enduring follow-up actions, such as requesting more money for technology modernization from Congress and providing sufficient flexibility to best utilize those funds. The recent $1 billion expansion of the Technology Modernization Fund, or TMF, will be helpful, but the federal government spends, by some accounts, about $90 billion annually on technology. So the administration must seek, and more importantly Congress will have to provide, additional appropriations next year—and in the future—for the TMF to truly modernize the technology used by all federal departments and agencies.
Prioritizing Innovation in Technology and Procurement
It was interesting to see that Mayorkas mentioned the Biden administration’s desire to prioritize investments “inside and outside of government” to enable “bold and immediate innovations.” He also previewed an upcoming executive order on cybersecurity, which he said will include, among other things, improvements in the area of federal procurement for cyber tools.
The details of how these goals will be pursued are still to be announced. But it would be especially impactful if they were to include two things: a significant expansion of the use of other transaction authorities and other rapid acquisition strategies, which are so important to obtaining innovative technologies; and a firm, governmentwide commitment to direct procurement offices down the line to follow the requirements of the Federal Acquisition Streamlining Act, which gives a preference to acquiring commercial-off-the-shelf technology items whenever possible.
Enabling CISA to Help State and Local Governments, and Federal Agencies
The COVID-19 pandemic has forced state and local governments—like virtually everyone else—to shift so much of their operations and provision of services online, but their technology has often struggled to keep up, and even worse it has exposed their cybersecurity vulnerabilities. That’s why Mayorkas said DHS is developing a proposed Cyber Response and Recovery Fund, which will be designed to enable his department’s Cybersecurity and Infrastructure Agency to provide additional assistance to state and local (and tribal and territorial) governments to defend against and respond to cybersecurity challenges. This is a serious problem, because breaches at the state and local levels can have devastating impacts on infrastructure and on individuals, whose personal information could be at risk.
Leaving No Stone Unturned
In his wide-ranging remarks, the secretary touched on the importance of addressing cybersecurity in the maritime sector and in “other transportation systems—from rail to pipelines—that fuel so much of our economy.” The recent hack of a municipal water system in Florida is just the tip of the iceberg: Our nation’s critical infrastructure is vast, touching our economy and citizens in so many ways every day. The administration should not just beef up CISA’s authorities and funding; it needs a comprehensive effort to enlist every sector in the battle for cyber resilience. Our cyber adversaries—whether they be nation-states, rogue individuals or anywhere in between—are constantly changing tactics and probing our infrastructure for vulnerabilities to inflict damage. Cybersecurity plans cannot be static; they must be constantly updated to meet evolving threats.
The series of “60-day sprints” he announced, focusing on what he called the most urgent cybersecurity priorities—including ransomware, critical infrastructure and transportation systems—is a good start. But, as Mayorkas also noted, there are medium-term and long-term priorities to address, such as supply chain security and possibly moving to a zero-trust architecture.
All these initiatives, no matter their duration, should also utilize a risk-based approach to cybersecurity, which the secretary endorsed. This is a major step that is necessary to prioritize resources and focus cyber defenses.
In sum, Mayorkas’ cybersecurity roadmap is a good foundation. But these efforts will need to be sustained over time both within the administration and Congress to have the desired impacts and better protect our country, our infrastructure and our citizens.
Robert DuPree is manager of government affairs at Telos Corporation.