To Secure the Nation, Agencies Must Move Beyond Compliance and Toward Resiliency

The Obama Administration’s “Cyber Sprint” was a pivotal step toward improving the federal government’s cybersecurity posture. The program addressed and identified several key actions the government could take to enhance security writ large. However, since the introduction of the cyber sprint, threats have evolved and to keep data and systems safe agencies must look beyond simple compliance and static, manual checklists.

Threat actors are increasingly exploiting architectural vulnerabilities around and downstream from primary systems. And in addition to attacks against system confidentiality and integrity, agencies must focus on building cyber resiliency within their ecosystems, homing in on aspects like supply chain risk management, self-healing applications and networks via automated backups and gold master copies.

“The cyber sprint turned into a cyber marathon, and we’re continuing this progress. The congressional Cyberspace Solarium Report and Recommendations; the Cybersecurity Executive Order on Improving the Nation’s Cybersecurity and the National Security Memorandum 8 all build upon this,” says Tom Michelli, Strategic Account Executive, Cyber at Leidos.

Michelli, a former member of the senior executive service in both the Department of Defense (DoD) and the Department of Homeland Security (DHS), has been a leader and supporter in this journey. And to him, the government and industry is postured for success:

“We’re in a good position to accelerate the security of confidentiality and integrity of systems which were the primary focus of the cyber sprint. We now must focus on the resiliency of the cyber ecosystem: availability of systems (networks and applications); cyberculture and talent (from executives to front line); the security of an organization’s supply chain and the nation’s critical infrastructures,” says Michelli.

As the government continues to pick up speed in these critical mission areas, building robust resilient solutions will be a necessary step. And for federal leaders like National Cyber Director Chris Inglis and General Paul Nakasone, Commander, U.S. Cyber Command and Director of the National Security Administration (NSA), this means partnering with private industry, academia and international partners.

“Building robust, resilient solutions is a necessary step toward securing the nation’s infrastructure, and it requires people, processes and tools to be in alignment,” says Michelli.

With resources like direct appropriations and the Technology Modernization Fund offering additional funding for digital transformation, agencies will need to ensure the culture within their organization is “cyber aware,” ensuring that each dollar spent on IT capability is assessed for security and resiliency in addition to functionality.

Events like 2021’s Colonial Pipeline and Log4Shell are not oddities but rather a sign of the times, and agencies should move toward resiliency accordingly. Building a cyber culture around resilience requires investment in programs and resources from C-Suite executives down to line staff. Educating and training employees about how threats propagate not only within an organization but through partners, customers and the supply chain is a crucial step toward securing information.

“This is a culture and people challenge. It’s not just a dollar and technology problem,” says Michelli.

And as public sector organizations invest in educating and training their workforce, organizations would be keen to incorporate lessons surrounding networks, applications and the supply chain. For example, if a primary computer or server is no longer accessible are there alternate systems and paths? Or is there the ability to acquire backups through trusted supply chains? Do employees know how to or even have the ability to reconstitute systems?

Therefore, building comprehensive cyber culture programs should be top of mind. And the foundation for a more cyber resilient culture lies in employee training. Agencies must invest in the education of their entire organization, not just those who are IT professionals.

On the ground, talk of resiliency can seem like an overwhelming challenge. When hundreds of thousands of threat actors seek to gain access, the list of tasks and things to investigate is lengthy. And with the increasing number of cyber-physical devices in government, this list is only set to grow.

“These checklists become enormous,” Michelli explains. “And the checklist isn’t a one-and-done list. It needs to be continuous — because every day, new vulnerabilities and threats are discovered."

In addition to investing in cyber culture and talent, agency leadership can augment talent with additional automation as well as artificial intelligence and machine learning capabilities to cover talent gaps and enable proactive actions at mission speed.

“With the mitigations, the fixes and the enhancements to our security posture, we can automatically have the systems patch something, take a system offline and move it to an alternate system if we need to, in order to get that resiliency,” Michelli says.

In moving beyond compliance, SecOps experts are augmented and equipped with tools to help them move left of an event. At Leidos, this means integrating threat-informed policies and AI/ML research into development pipelines. Applications, networks and resources must be self-healing and be capable of running automatic checks regarding existing vulnerabilities, misconfigurations or tampering.

This resiliency generated by automated solutions is supported by front-line experts. Resiliency ultimately is the confluence of people, processes and technology — and in order to secure the nation and build resiliency, agencies must begin investing in solutions that move beyond checklists and work toward solutions that are fit for purpose. As Chris Inglis, National Cyber Director, Executive Office of the President, said during his testimony to the Senate Committee on Homeland Security and Governmental Affairs: "The Office will work to increase present and future resilience, not only within the Federal government but also across the American digital ecosystem. That is a big task for which we will start by exercising our incident response and planning processes, and we hope to soon be working to ensure our workforce, our technologies, and our very structures and organizations are not only fit for purpose today but are future-proofed for tomorrow.”