Cybersecurity Themes from the 2020 Billington CyberSecurity Summit

This week’s 11th Annual Billington CyberSecurity Summit included a deep roster of senior cybersecurity officials from across the U.S. federal government, international allies and industry partners supporting the shared cybersecurity mission. Participants included key players from the White House, the Office of the Director of National Intelligence (ODNI), the National Security Agency (NSA), the National Institute of Standards and Technology (NIST) and the Departments of Defense (DoD), Homeland Security (DHS) and Energy (DOE).

Noteworthy Themes, Priorities and Observations

Throughout the two-day fully virtual event several themes emerged of interest to the federal contracting community.

• The COVID-19 pandemic has both accelerated and challenged cybersecurity. One of the recurring topics throughout the various interviews and panel discussions is how agencies and supporting contractors have dealt with the rapid shift to telework due to the pandemic. While no agency admitted to hitting major obstacles or experiencing failures, nearly all expressed the challenges of increasing connectivity capacity for vast increases in remote users while securing that hugely expanded attack surface. Efforts included technologies, such as greater use of VPNs and multifactor authentication, but also operational shifts, such as maximizing work in non-classified environments and with unclassified information, where possible. One of the big tech winners in the remote shift is cloud computing due to its ability to rapidly spin up capacity and the inherent off-premises nature of so many of these deployments. Agencies that had been embracing cloud capabilities before the pandemic were well positioned for the shift and many agencies that were testing the waters with cloud found that the pandemic accelerated their timelines out of necessity.
• Election security is largely about combatting disinformation and reassuring public trust. Given that U.S. national, congressional and many state and local elections are just weeks away the topic of election security was a hot topic of discussion. Here the discussion really fell along two lines . . . the challenge of mis- or disinformation in the public sphere and the ground-level security of electronic voting machines and the security of local voting processes. Not at all to minimize the dangers of misinformation, but the focus here is on the cybersecurity of systems, data and processing. Those participants that addressed the security of voting machines and the voting process itself stressed that both the priority and reality of the security of the voting machines from outside tampering is long established and an ongoing vigilance effort. So the public should have confidence in those pieces of the election process while remaining vigilant and prudent in the other areas of propaganda.
• Use of DEVSECOPS for “baked-in” security is growing, but needs to be used more. The practice of bringing cybersecurity priorities and practices to bear on the software development process from the very onset is becoming more common, especially at agencies that have embraced agile software development methodologies and moved away from traditional waterfall development. This is the case in many areas of the DOD and DHS. Multiple participants from the Air Force highlighted how DEVSECOPS is being used to rapidly update software on aircraft and other platforms. It also played a crucial role in increasing capacity and productivity during the pandemic pivot to remote and distributed workforces. Challenges exist in having the right, skilled people in place to run with the methodology. Agencies need to understand the complexity of building DEVSECOPS capabilities, the people and resources needed to do it well. Leadership buy-in and a culture that thinks about security at each level is crucial to success.
• Automating key parts of cyber is the only way forward. The massive amounts of data that agencies are creating and managing for their operations as well as all the cybersecurity related data they are creating through network monitoring tools are overloading their cybersecurity analysts. And the data boom is only accelerating. The only way to manage, process and leverage all of this data is through effective automation tools that can free up skilled cybersecurity practitioners for decision-making and incident prevention and response, etc. Modeling and visualization tools are helping relieve some of the overload. AI/ML shows promise for user anomaly identification and other functions that benefit from large throughput capacities, but those capabilities are in their early stages of development.
• Zero Trust Architecture (ZTA) is the path to multi-layer security. Zero Trust is a growing approach to shift mindsets away from traditional perimeter-based security to applying security at multiple layers along the information stack, from user identity and access to the application and data levels. As such, ZT is more about architecture and governance than it is necessarily about tools. Those agency participants that have successfully used ZTA stressed the importance of engaging every stakeholder in the information/data user chain to both get input on its application as well as show the value of the approach.  ZT is another area where cloud computing is a winner because cloud inherently adjusts the concept of network perimeter and forces organizations to work through identity and access issues while doing so at arm’s length.
• Supply chain security is reshaping the federal contracting landscape. From the DOD’s Cybersecurity Maturity Model Certification (CMMC) program to routing out risky telecommunications and network components from government networks the scrutiny of the federal and supporting contractor supply chain has reached new levels. Congress continues to provide DOD and other agencies with greater authorities and mechanism to both identify and mitigate risks from the technology supply chain as well as institute requirements for future supply chain standards. As current efforts such as CMMC mature and take root in the procurement process the impacts will be to make a company’s supply chain a determinative factor in its ability to compete for federal contracts.  

These are just some of the themes that one would take away from this year’s summit. Others stressed the need for a more robust workforce and the need for federal agencies to modernize their IT to most effectively overcome their cybersecurity challenge. But one reality undergirds all of the themes and challenges expressed at the event and that is the integral impact of partnerships among public, private and international entities to tackle the scope and complexity of securing our communications and information infrastructure and assets from malevolent actors.