GSA’s Cybersecurity Perspective on Emerging Technologies

As federal agencies seek to adopt various emerging technologies – such as Artificial Intelligence (AI), the Internet of Things (IoT), Fifth-Generation Wireless Technology (5G), and increasingly advanced uses of Cloud Computing – agencies face challenges in deploying and operating them securely on their networks.

Recently the General Services Administration (GSA) held a virtual event, IT Security in Emerging Technology, where participants from GSA’s Information Technology Category, the Office of Management and Budget (OMB), the Cybersecurity and Infrastructure Security Agency (CISA), the FedRAMP Program Office and others discussed their efforts and challenges to securely embrace these emerging technologies.

Panel topics included the various security considerations for 5G, AI, the IoT, and Cloud as well as supply chain risk management (SCRM) for emerging technologies. Some of the comments and takeaways include:

Cloud Computing

Historically CISA has focused their work with agencies to protect their infrastructure, but for several years now CISA has been increasingly supporting agencies shift to Cloud deployments as they have updated policies to the Trusted Internet Connection (TIC) program and related implementation guidance that includes newer concepts like Zero Trust architectures, trust zones and micro segmentation. In July, CISA released an updated Cloud Interface Reference Architecture.

Cloud has also been a huge enabler in the recent shift to remote workforces. The COVID-19 pandemic has increased the urgency for cloud from agencies as they rushed to enable telework and other flexible operations models. Cloud Service Providers (CSPs) have been innovating as well, so it all meshed fairly well. Cloud and the remote shift has helped agencies become more resilient as a result.

The Internet of Things (IoT)

When looking at the topic of IoT it is important to consider how an agency defines and scopes what makes up the IoT in their operational context. One way to look at it is in terms of connected devices . . . anything that is connected to your network may be an avenue for malicious activity and introduce cybersecurity risk. From that perspective, a connected printer presents similar levels of risk as a laptop or smart phone because each of these connected devices can operate above their basic level due to the IP capabilities they have. And as the use of sensors operating outside an agency’s physical domain continues to increase, so do the potential threat vectors and risks. The TIC program management office has various use cases that address risk considerations of many sensor deployment models, e.g. farm sensors, quake sensor, tsunami sensor, as well as various law enforcement applications. Agencies need to resist the rush to IoT to leverage its promise unless they first evaluate how they will proactively mitigate certain risks and maintain security. Further, evaluating the risks of certain IoT devices will help drive requirements that can inform acquisition decisions.

Fifth-Generation Wireless Technology (5G)

Almost overnight, remote working and digital government became a reality for many agencies. As this reality continues and becomes more entrenched the emergence of 5G will bring huge changes to agencies, similar to how it will continue to impact the larger society. Current 5G use cases across the federal government include agencies establishing private 5G networks to pilot and test new capabilities in a secure and controlled way. For example, the Navy is piloting a private 5G network, the Air Force is modernizing its infrastructure for 5G readiness. The Army is testing Artificial Intelligence (IA) via 5G networks. Other 5G use cases include applications for telemedicine, first responders and communications, portable monitoring, law enforcement, and intelligent imaging/video.

Artificial Intelligence (AI)

The potential applications of Artificial Intelligence (AI) and Machine Learning (ML) as well as other advanced analytic capabilities seem endless. The hopes of leveraging analytical automation that these capabilities offer is particularly attractive to those in the cybersecurity realm as the volume of network monitoring data continues to grow beyond human capacity to process it effectively. One aspect of AI use that seems clear is the interdependencies that exists between AI and other areas of IT – such as cloud computing and infrastructure modernization and optimization. To successfully deploy and leverage AI and other analytics capabilities agencies will need to both modernize/optimize their infrastructure and leverage cloud computing. Piloting AI applications helps agencies to build effective cloud use cases and justification for targeted infrastructure investments. Another consideration is an agency’s acquisition environment and preferred contract vehicles that can shape their technology priorities. For example, as agencies work through their transition to the EIS contract for their broad communications needs it is a good time to modernize their information infrastructure and a good time to adopt cloud computing capabilities.