Noteworthy Themes from the 2019 Billington CyberSecurity Summit

At the recent 10th Annual Billington CyberSecurity Summit the agenda included senior cybersecurity officials from across the federal government, including the White House, the Office of the Director of National Intelligence (ODNI), the National Security Agency (NSA), the National Institute of Standards and Technology (NIST) and the Departments of Defense (DoD), Homeland Security (DHS) Energy (DOE) and Justice (DOJ). Numerous leaders from the fed cyber vendor community also participated in the discussions. Amidst the various keynote addresses and panel discussions several themes emerged that should be of interest to the federal contracting community.

Noteworthy Themes, Priorities and Observations

• Artificial Intelligence/Machine Learning for Cyber is the Hot Topic – AI/ML and automation was the focus of one of the first panels and was highlighted throughout the conference by other speakers. Given its prominence in the minds of federal leaders it is clearly one of the latest priorities, dare I say panaceas, for improving cybersecurity. A few years ago Continuous Monitoring (CM) with its related data streams and software tools was the major focus. Now agencies need AI to make sense of all those streams that are bogging down their people with analysis work and administration. Automation a focus in this context. Look for a federal strategic plan for AI R&D later in 2019.
• Cyber Workforce Development is an Ongoing Challenge – The challenge of building a federal cyber workforce in the DoD and civilian agencies has received significant focus for several years. Efforts like the DoD’s Cyber Excepted Service (CES) streamline the traditionally cumbersome and slow federal hiring process to bring in new people while cyber reskilling initiatives work to train existing personnel with in-demand cyber skills to meet pressing needs. Issues with retention and competition for talent with private industry are continued challenges. But the general tone among agencies was that they are making some progress and working to build the mechanisms for a sustained pipeline.
• Supply Chain Security is Under Scrutiny – The risks associated with inherent vulnerabilities of unsecure components, devices and software are in the front-of-mind for federal cybersecurity leaders. They stressed the need to engineer-in security into products, services and processes. Recognition of the challenge is driving efforts like the Supply Chain Risk Management (SCRM) initiative at DHS’s Cybersecurity and Infrastructure Security Agency (CISA) and the Cyber Supply Chain Risk Management (C-SCRM) initiative at NIST. Building on earlier White House SC security directives the DoD is rolling out their new Cybersecurity Maturity Model Certification (CMMC), which requires contractors to be third-party cybersecurity certified to be eligible to compete on all DoD contracts. That’s a big deal with the potential to limit opportunities to many vendors in the DoD space, but I did not perceive any panic from the industry members that were present, probably because they work in the cyber sector.
• Zero Trust Computing is the New Norm – Addressing the vulnerabilities associated with less-than-constrained privileged access rights and the plethora of devices and applications accessing agency networks and data federal agencies have been working to reign in access and validate user identities/profiles going forward. While NIST is preparing a Special Publication that addresses ZT, several officials noted that at its core ZT is an IT governance policy and architecture issue. New products are not needed. Rather, agencies need to discipline themselves with the proper mindset, policies and architectures necessary to drive appropriate access and that is largely a culture shift more than technology change. That said, industry partners can help agencies develop the appropriate IT governance policies and assist with data protections and identity management capabilities.
• Security Must Be Embedded in Organizational Culture – An agency’s cybersecurity is only as strong as the weakest link in the chain. This mindset recognizes that anyone who touches any form of information technology is a cyber-actor in the contested space of cybersecurity and the enterprise information environment. There was frequent mention of changing agency culture to place security in the forefront of people’s minds – from department heads on down to rank and file non-technical staff. This is evident in the Zero Trust discussion and examples mentioned above as well as the staff orientation and training efforts at federal agencies. Several speakers said they are actually seeing some success in morphing their agency’s culture to make cybersecurity a core value.

One reality underpins everything that was discussed at the event – federal IT modernization really is the best and only way to fully attack and overcome the cybersecurity challenge that agencies face. The scope, scale and complexity of government-wide IT modernization underscores the effort ahead, but the cyber-threats that exist compel agencies to take action and maintain resolve.