Defense and Homeland Discuss Priorities for Cybersecurity
WASHINGTON — Dramatic changes in the workforce and service delivery have posed unique security challenges over the last year. Evolving technologies are accommodating training and remote work, but new cybersecurity threats continue to emerge.
In the last few years, directives have required federal agencies to take a variety of actions, including better managing their cybersecurity risks and coordinating to meet reporting requirements related to the cybersecurity of federal networks and critical infrastructure. Yet despite this progress, many agencies still face challenges in safeguarding their information systems and information.
Top defense and homeland IT security officials recently joined the Federal News Network to discuss their lessons learned and continued priorities for implementing strategies and initiatives around cybersecurity.
“Not that long ago, cyber was considered a tech issue to be addressed by just the IT team,” said Martin Kessler, chief information security officer for the Verizon Business Group. “Now we are keenly aware that there’s a business risk… that could affect our ability to deliver on missions.”
Cybersecurity is, at its core, about data loss prevention, detection, and response. In the government’s case, cybersecurity strategies often have national security implications.
“We’ve learned this year about [the Army’s] ability to do remote distributed operations,” offered Ron Pontius, deputy to the commander in the U.S. Army Cyber Command. The Army, like so many agencies and businesses, worked to pivot to remote telework, establish virtual private networks, and made drastic changes to its network as a result of moving its cyber command to Fort Gordon, Ga. last year.
“We rolled out a commercial vertical mode, and the Army has embraced it,” Pontius said. “We’ve created an environment where those that were base-oriented can now have more remote capability… It’s fundamentally changing how we’re doing business in the Army.”
Colleagues at the Defense Intelligence Agency and Department of Homeland Security agree that a cybersecurity focus is embedded into the culture of their agencies.
DHS has established the National Cybersecurity and Communications Integration Center, which functions as the 24/7 cyber monitoring, incident response, and management center for the federal civilian government.
“[Cybersecurity is] helping us … with real-time and security situational awareness, preventing outages and defending from hostile threats,” said Hemant Baidwan, acting deputy chief information security officer at DHS.
Baidwan admitted that moving to hybrid cloud computing helped to emphasize DHS employees’ cyber hygiene — meaning those practices that help keep data safe and well-protected — and created a structure capable of handling increased telework with uniform protections against cyber adversaries.
DIA, which operates across multiple networks from unclassified all the way up to top-secret, is also working to make cybersecurity part of its normal business rhythm and mindset.
“We’re [working to be] in a more secure state instead of just being compliant,” said Freddy Mercado, deputy chief information security officer at the DIA. This means revamping and revitalizing DIA’s asset management program, and requires a plan for comprehensive tracking, because as Mercado reminds, “If you don’t know what you own, it’s hard to defend it.”
Private enterprise partners like Fortinet are assisting federal agencies with security solutions to protect the network, users, and data from continually evolving threats.
“Cybersecurity is hard because of growing attacks,” said Fortinet’s Field Chief Information Security Officer Jim Richberg. “No one can solve this alone – it’s a public/private issue. We’ve worked with partners from health care to criminal investigators…. deploying technology to help be nimble and get away from the old approach to networks.”
Richberg offered that Fortinet was at the intersection of IT and operational technology, hardware and software that detects or causes a change through the direct monitoring and control of physical devices — a growing need.
“We’re in the year of the hybrid, and I don’t mean cars,” he added, alluding to a new mix of work patterns and hybrid workers, particularly since the start of the pandemic. “The environment is changing for everyone.”
Illumio, a cloud computing security company, is a federal agency partner that specifically prevents breaches from spreading within a network.
“Architectures are still…. based on detection technology,” said Matthew Glenn, Illumoio’s senior vice president of product management. “But detection will often fail, so the mindset [needs to be] changed about where defense needs to reside, and defenses need to be modified to prevent breach.”
Agencies were not previously equipped to determine how malicious actors were seeking to gain access to their information systems and data.
“Adversaries are looking at what our focus is and going for our weak spots,” Glenn added. He said that when the security focus is on the user, attackers learn to go behind the user and take advantage of the fact that previous cybersecurity efforts really only focused on the perimeter.
“[Now], the core mindset of zero trust is to assume breach and default deny,” meaning to only allow that which you should allow. So Illumio is helping federal partners to alleviate their cybersecurity concerns by compartmentalizing, “stopping abnormal communication patterns, focus[ing] on the end-user, and focus[ing] on the data center and cloud environments.”
Despite this improvement in federal agencies’ monitoring of their information security programs, however, there remain specific areas “to improve our ability to protect against malicious cybersecurity, including speed and how you protect and professionally train a civilian workforce to stay on mission,” according to Pontius. “Because you don’t do it for cybersecurity, you do it for the mission.”
Baidwan agrees that attracting and training top cyber workforce talent is increasingly difficult as the federal government has to compete with private industry. Proposals for a Cyber Workforce Talent Initiative prioritize and accelerate ongoing efforts to reform the way that the federal government recruits, evaluates, selects, pays, and places cyber talent.
“We need to improve the quality and quantity of professionals in the pipeline that can join this incredible mission,” he said.
In The News
WASHINGTON (AP) — Jolted by a sweeping hack that may have revealed government and corporate secrets to Russia, U.S. officials are scrambling to reinforce the nation's cyber defenses and recognizing that an agency created two years ago to protect America's networks and infrastructure lacks the money,... Read More
WASHINGTON -- Cybersecurity experts suggested to a congressional committee Wednesday that lawmakers act quickly to address growing threats from hackers. They mentioned the SolarWinds computer infiltration by the Russians last year and a hacker’s attempt to poison a Florida municipal water supply last week as examples.... Read More
ST. PETERSBURG, Fla. (AP) — A hacker's botched attempt to poison the water supply of a small Florida city is raising alarms about just how vulnerable the nation's water systems may be to attacks by more sophisticated intruders. Treatment plants are typically cash-strapped, and lack the... Read More
WASHINGTON — Dramatic changes in the workforce and service delivery have posed unique security challenges over the last year. Evolving technologies are accommodating training and remote work, but new cybersecurity threats continue to emerge. In the last few years, directives have required federal agencies to take... Read More
Recent cyberattacks on U.S. federal systems point to the need to make the Cybersecurity and Infrastructure Agency the "centralizing authority system" for the nation, said Rep. John Katko, R-N.Y., during a fireside chat at the State of Net Conference. That said, Katko went on to say... Read More
WASHINGTON (AP) — The elite Russian hackers who gained access to computer systems of federal agencies last year didn't bother trying to break one by one into the networks of each department. Instead, they got inside by sneaking malicious code into a software update pushed out to thousands... Read More