The government’s struggle to simplify its cybersecurity
This story first appeared on CyberScoop.
When it comes to protecting the federal government from cyberattacks, simplicity is not that simple.
That was the underlying message Monday during multiple panels at RSA Public Sector conference in San Francisco, where government cybersecurity experts and the federal contractors that carry out the government’s cybersecurity operations discussed why things are currently complicated and what it will take to make things easier.
The government’s ongoing embrace of the cloud is helping move things in the right direction, but because agencies often follow a hybrid cloud model, watching over a government enterprise is still a highly complex task. Kevin Cox, the program manager for the Department of Homeland Security’s Continuous Diagnostics and Monitoring program, said Monday that it’s a challenge to ascertain exactly how each agency has its enterprise configured.
“From our perspective, CDM is working with civilian agencies to have a foundation in place to have the proper visibility on [on-premise data centers]. Yet, we are looking to support the agencies beyond into the cloud,” he said. “At the end of the day, we want to make sure the agencies have a comprehensive understanding where all of their data is, what their architecture looks like and how it connects back to the users, but supports the visibility for new technologies.”
Yet that architecture is often what causes problems, according to Steve Harris, senior vice president and general manager of federal at Dell EMC. He told CyberScoop that he’s still seeing security systems bolted on top of older security systems, which are then attached to bigger IT systems, making things nearly impossible to use for agency employees. He believes a holistically different approach would help simplify the issues he sees inside the government.
“When we actually treat the infrastructure as a platform, it allows customers to greatly simplify their development and the way they build software,” Harris told CyberScoop. “When you start building software in that way, it greatly reduces bad actors’ ability to attack you. What we’re accomplishing is taking what were many silos or products, and we’re integrating them together into a platform approach, which is eminently more defendable and securable.”
Yet even if the tech is modernized, the entire employee base still must understand the cybersecurity mission. Chris Novak, global director of Verizon’s threat research advisory center, says the technical people often get caught up in their own language and don’t grasp the true implications that IT vulnerabilities present to an enterprise.
“The challenge we often see is the folks who need to hear and understand threats don’t understand the CVE numbers and what that actually means,” Novak said. “They hear about Heartbleed and WannaCry and then ask ‘Is that good or is that bad?’ Over the last couple of years, we’ve changed the way we have conversations with our customers and say ‘If you were to talk this to the C-suite or the board, they want to know what’s the risk to business.’ ”
In order to bridge the communication gap, agencies are relying more on training non-technical people on cybersecurity than training the cyber experts on how to communicate with the rest of the enterprise.
“It is much easier to take an OT expert and make them smart on cybersecurity and then bring that back to their environment, as opposed to the length of time it would take to bring someone from an IT environment and come up with highly sophisticated types of ways of looking at [how to communicate],” said Jennifer Silk, a senior adviser for cybersecurity at the Department of Energy.
Most agreed, however, that one of the biggest tools for simplifying the way agencies think about cybersecurity is the NIST Cybersecurity Framework, which has long been considered a watershed document for the way enterprises construct their security programs.
“I had the opportunity to visit the cyber works at the Air Force — they are really using the cybersecurity framework language to describe the work they do, all the way down to training,” said Troy Taitano, chief of the cyber modernization office at the National Reconnaissance Office, a Department of Defense agency. “To sell that to leadership in D.C. is really important.”