Pessimism and Optimism Among Fed Cybersecurity Leaders

The Billington Cybersecurity Summit featured many current and former IT and cybersecurity leaders from across the federal government, as well as others from industry and academia. All were gathered to discuss the challenges and way forward for federal cybersecurity.  Here are a few of the broad areas discussed throughout the day along with comments the speakers made and some observations.

Threat Landscape Growing

• White House Cybersecurity Coordinator Michael Daniel says the threats just keep getting bigger because we keep networking more and more things, (i.e. the Internet of Things (IoT). Further, the sophistication of bad actors has grown and become more industrialized, reflected in a separation of labor, etc. among larger actors. Third, there’s been an increased willingness of adversaries to be more destructive, compared to the hackers of yesteryear who might do little more than leave graffiti to let you know they were there. Lastly, cyber has become a tool of statecraft for all nations, increasing the danger.
• Mega-repositories of data present a challenge to defenses. Multiple dependencies in the industrial supply chain and fragmented governance also add challenges. Collaboration among defenders across government, industry and other nations is important.
• We must recognize we are at war in the cyber domain. Nation-states, organized crime, hacktivists, terrorist organizations and others are all at work in the cyber domain.  More than 100 nations are building their cyber-warfare troops.

Organizational Culture Changes Needed

• DoD CIO Terry Halvorsen stressed the cultural change needed (and underway) that current cybersecurity realities bring.  He stressed the need for more cyber- discipline in DoD, across government and beyond that recognizes the ubiquitous nature of technology to everything we do. At DoD, this means putting cybersecurity on par with other areas of warfighting and defense, and getting cyber into every area of command. That culture change includes viewing the economics and enterprise with cybersecurity in mind. Current IT fragmentation and variances increase vulnerabilities.
• Another CIO participant noted a personal experience where the agency procurement staff considered the CISO an enemy who slows down procurements, which presented a challenge to cultural change to getting cybersecurity to play a more central consideration in procurement decisions.  To enforce considering cyber at the beginning of an acquisition he had to enforce it a few times to get the culture to begin to change. It improves with practice and time.
• The National Initiative for Cybersecurity Education (NICE) efforts to bolster cyber skills training and to map NICE frameworks education requirements have been producing and placing graduates into the cyber workforce. This will help change organization cultures in the future.

Innovation Prospects

• Innovation comes from necessity, which comes from understanding the depth and breadth of the cybersecurity landscape and challenge. It's not just about technological innovation, but it also includes innovative strategies, processes, and approaches.
• Vice Admiral Jan Tighe, Commander of the Navy’s U.S. Fleet Cyber Command sees innovation tied directly to the cyber workforce. She noted that the adversary is adapting every day and are developing training and testing to build their workforce. She sees a need to take our workforce and innovate to secure the IoT.
• Chris Inglis, former Deputy Director at the NSA and now a Distinguished Visiting Professor in Cyber Security at the U.S. Naval Academy remarked that DoD shouldn't reinvent innovation found in the private sector. Rather, the two should collaborate more and the flow of intellectual property should be unhindered. He did note that we need more discussion at the policy level, e.g. encryption, to discuss the bigger issues rather than going straight to looking at the technologies.

As much as the presenters admitted that the challenges we face could lead to pessimism, they also balanced their remarks with some optimism. The White House’s Daniel is optimistic that the cybersecurity problem is solvable. “We created it. We can fix it,” although he admitted that some problems may get worse before things get better (mostly tied to securing outdated IT systems.) 

Several urged that automation and self-healing networks combined with migrating to current technologies like cloud computing and modern architectures will help. Stronger cybersecurity awareness/hygiene training for the average user was another major theme since many of the threats target these users with increasingly-sophisticated phishing attacks and other social engineering attack techniques.