Fedscoop’s Technology Editor Greg Otto, with sponsorship from Symantec, conducted many interviews with senior ranking federal government officials and civilians actively engaged in the cyber-security realm. Otto’s interviews were so interesting that I decided to cherry pick the following question and answer, and put into a consolidated format, for they provide some great cyber-security insights:
1. Donna Dodson – Chief Cybersecurity Advisor for the National Institute of Standards and Technology (NIST)
How can agencies push boundaries when it comes to protecting and securing data?
“Using security automation can lead to a better understanding of your network, which will in turn allow for better protection of it. In addition, identity management needs to be improved to establish stronger credentials and classification – in particular, more of a focus on derived credentials.”
2. Tim Ruland – Chief Information Security Officer (CISO) for US Census Bureau
How have you helped improve cybersecurity posture inside your agency?
“Over the last 5 years, we’ve implemented a risk management framework using the requirements established by NIST. We’ve moved away from the checklist mentality and have become much more agile, which is more cost efficient. In the beginning, we conducted interviews with everyone from directors to administrators to identify their pain points. Then when we developed the program, we kept these conversations in mind. We have also had a stronger focus on our defense operations at every level: from firewalls to the Department of Homeland Security’s EINSTEIN program. We also built a computer incident response team with forensics capabilities and they constantly monitor our network. All these programs have raised the awareness of cybersecurity, as well as strengthened the culture around it.”
3. Stephen Smith – Insider Risk Management Program Coordinator for the Department of State
How do we drive agencies to think differently about cybersecurity culture?
“We have split up our work force into two groups: foreign service and civil service. A lot of our employees are here domestically in America, but we also do a lot of work with third party contractors that are based in foreign countries. When it comes to anyone hired to work with the agency, it is important to thoroughly vet them and make sure they’re in place to do good for the organization, not harm it. The insider threat program is in place to monitor and manage risks by utilizing tactics such as classification of data and establishing appropriate security clearances to access that data.”
4. Leo Scanlon – Acting Chief Information Security Officer (CISO) for the Department of Health and Human Services (HHS)
How do we drive agencies to think differently about cybersecurity culture?
“Cyber Care is an award-winning program that introduced security information media across the agency. We also established very sophisticated anti-phishing campaigns that go beyond just addressing email attacks; these campaigns are also developing the infrastructure to support data protection at the data level rather than just the system level.”
5. Robert Silvers – Assistant Secretary for Cyber Policy for the Department of Homeland Security (DHS)
How have you helped improve the cybersecurity posture inside your agency?
“We are enhancing our best programs and making them accessible to more of our private sector stakeholders and sister agencies at the federal, state, and local levels. We are interested in growing cyber threat information sharing and recently created an automated indicator sharing program to allow us to immediately identify and let the right people know about an attack, which allows for quicker reactions in real time. Currently, we are in the process of signing up 80 agencies for this program, including companies, cybersecurity organizations, and even foreign governments. We’re also both enhancing and making available some of our existing programs, such as our signature perimeter defense program EINSTEIN and our continuous diagnostics and mitigation program.”
How can agencies push boundaries when it comes to protecting and securing large amounts of data?
o We need to be very vigilant while executing our current priorities, but also be able to anticipate what is coming down the road. That is extremely hard to do in this field because data and technology is rapid and ever-changing, but we can do it by making sure the basics are in place. We need to have perimeter defense and internal monitoring, anomaly and behavioral detection software, artificial intelligence, and block chain storage implementation. By leveraging the best available technologies in our day and age, we are establishing the most secure cybersecurity environment.
How do we drive agencies to think differently about cybersecurity culture?
“We have to drive the cultural change through action. We need to perform our new cybersecurity enhancements in a way that our employees and customers can see so that they understand it is a main priority for both the agency and themselves. In recent years, we have required multi-factor authentication and enhanced training programs to communicate to our stakeholders that cybersecurity is vitally important.”
What is the number one practice that agencies should be using when it comes to cybersecurity?
“The key is defense in depth. We need to have protocols and safeguards at every level and every step in the network to protect against threats. To describe it using a physical location like a prison, you first have a guard house that you drive up to, then you need a badge to get through doors; security cameras monitor all activity everywhere, and guards patrol the halls. The network works together to create the most secure environment because you can’t rely on just one piece to counteract every possible threat. It’s exactly the same with cybersecurity and we need to be holistic.”
6. Emmerson Buie – Section Chief in the FBI’s Cyber Division
How is the FBI driving people to think differently about cybersecurity and the culture around it?
“The FBI believes in a one-team approach which is why we partner with organizations in the private sector, as well as local and state government agencies to establish a solidified approach to address cyber incidents. One example of this is the National Cyber Forensic and Training Alliance (NCFTA) that provides law enforcement, academia, and private industries a platform to discuss threats, freely share information, and then work to come up with appropriate solutions.”
7. Michael Garcia – Acting Director of National Strategy for Trusted Identities in Cyberspace for the National Institute of Standards and Technology (NIST)
As agencies look to leverage private sector technology, how can they push boundaries when it comes to protecting and securing large amounts of data?
“If we can develop a strong variety of solutions out in the marketplace, we’ll create more possible solutions to combat issues surrounding identity and authentication. This can create opportunities for agencies to find new solutions and adopt them from the marketplace rather quickly as opposed to sticking to what we know has worked in the past, which is very important because in the world of cybersecurity, technology is always rapidly evolving.”
8. Paul Morris – Acting Chief Information Security Officer (CISO) for the Transportation Security Administration (TSA)
How do we drive agencies to think differently about cybersecurity culture?
“After 9/11, we spent a lot of time and money figuring out how we are going to respond to the threat of terrorism. Our adversaries are very nimble and aren’t constrained by budget cycles, so we need a way to be able to keep up with them. As a result, we’re moving toward a more responsive system that will allow us to get things done quickly. Some of these changes include training and educating our personnel to become more aware of cyber threats. To engage them, we have flown to airports to do spot-checks and even use phishing tests to show them just how important the issue of cybersecurity is.”
9. Kiersten Todt – Executive Director of the Presidential Commission on Enhancing National Security for the National Institute of Standards and Technology (NIST)
How has your agency helped improve the cybersecurity posture of the nation?
“The Commission was formed under the Executive Order given by the President earlier this year. We are figuring out how to set up and facilitate the digital economy so that it is still secure years from now. It will be a forward-looking report that will determine the infrastructure of our digital economy.”
10. Bill Marion – Deputy Chief Information Officer (CIO) of the U.S. Air Force
How can agencies push boundaries when it comes to protecting and securing large amounts of data?
“We need to create an innovation framework that allows us to rapidly determine requirements and then create the technology so that we keep up with the fast and ever-changing world of cybersecurity. We also leverage and work with other organizations like 18F and Defense Innovation Unit Experimental (DIUx) to figure out what steps to take next to stay ahead of the curve.”
How do we drive agencies to think differently about cybersecurity culture
“The Office of Personnel Management (OPM) data breach was certainly an eye-opener, as well as the many other public hacking events that have taken place – it’s becoming a regular occurrence. As a result, that has changed the culture around cybersecurity in the fact that people generally now accept that they have to keep their data secure. However, now we need to change the way we think about acquiring security solutions. We can no longer afford to go through long acquisition processes, so we have to focus on risk management and establish faster ways to secure our data.”
11. Rob Palmer – Deputy Chief Technology Officer (CTO) for the Department of Homeland Security (DHS)
What are some of the barriers to innovation when it comes to mobility in the federal government?
“The levels of security that we need in these mobile phones are extremely high and it takes a lot of time to establish, which can act as a barrier when we can’t just immediately switch to the newest technology available. When making this decision, we have to evaluate if the new technology is able to stand up to our security standards, and if so, then take time to actually bring in that technology and implement it into our current tools.”
12. Dr. Phyllis Shneck – Deputy Under Secretary Cybersecurity and Communications at the Department of Homeland Security (DHS)
How can agencies push boundaries when it comes to protecting and securing large amounts of data?
“Continuous diagnostics and mitigation (CDM) is our program that we use to identify the best products to buy from the industry, rather than spending time trying to build programs that take too long to be effective. We should be taking the best products available in the private sector and then making them buyable and affordable for federal agencies, which is what this program does.”
13. Jonathan Alboum – Chief Information Officer (CIO) for the U.S. Department of Agriculture
How have you helped improve the cybersecurity posture inside your agency?
“We have focused tremendously on improving cybersecurity by implementing the use of personal identity verification (PIV) cards and identifying privileged users. We’ve also encouraged a culture surrounding cybersecurity and influenced the way our employees interact with technology and educating them on the consequences of not having strong cyber hygiene.”
What is the number one paradigm that agencies should be using when it comes to cybersecurity?
“Education and communication about cybersecurity and its risks is a key to be successful. It is everyone’s responsibility to stay safe, so to encourage good practices, we launched a phishing campaign to help our employees learn what may not be safe on the network.”
14. Jeffrey Eisensmith – Chief Information Security Officer (CISO) for the Department of Homeland Security (DHS)
How have you helped improve the cybersecurity posture inside your agency?
“The cyber sprint at the Office of Management and Budget (OMB) last year used a great model that we’ve now emulated. It had great leadership participation, hard dates, and a clear picture of what steps were to be taken next. So DHS leaders issued cyber orders that included clear language, rigid timelines, and also demanded a letter of acceptance of risk for everything that didn’t get accomplished. That ultimatum really pinned responsibility on the department, which in turn heavily drove effective changes for us.”
How can agencies push boundaries when it comes to protecting and securing large amounts of data?
“DHS is a member of Federal Risk and Authorization Management Program (FEDRAMP), which is a program that aims to share authorization among government agencies, like the Department of Defense and the General Services Administration. This allows us to maintain a secure cloud-based system using Joint Authorization Board Provisional Authorization (JAB P-ATO), which in turn cuts down approval time on decisions made regarding cybersecurity. When it comes to implementing this technology, it would be best to use DevOps (development and operations) to establish security requirements and harnesses that work together to create the most secure systems.”
Note: The above content belongs to Fedscoop.