Cyberattacks have been growing in scale and sophistication for years, but the 2020 hack of network management software supplier SolarWinds jolted Washington into action. The cyberattack, which the US government has attributed to Russia’s intelligence service, compromised the computer networks of multiple federal agencies and scores of private-sector companies.
In May, the Biden administration issued an executive order designed to dramatically strengthen the government’s cybersecurity practices and use its influence to drive similar changes throughout the private sector. One of the top field generals in this battle, Federal Chief Information Security Officer Chris DeRusha, has been moving to implement key aspects of the order by promoting Zero Trust Architecture, which assumes attackers already may be present in computer networks, and establishing a Federal Acquisition Security Council to recommend when threatening technologies should be removed from federal information technology systems.
“We feel a sense of urgency in the administration and we want to maintain that sense of urgency,” DeRusha told Paul Mee, who leads Oliver Wyman’s Cyber Risk platform and the Oliver Wyman Forum’s cybersecurity initiative, in a fireside chat at the Billington CyberSecurity Summit. “We understand we won’t be completing and seeing the outcomes in year one, but we’re already making a lot of progress, and you can see the tide starting to turn and getting executives at agencies paying attention and understanding the risks better.”
Here are some of the highlights of the conversation.
Where are you as far as education and awareness is concerned, and sharing best practices and common goals?
It’s very important to us when we design anything that we’re thinking how to leverage best practices and learn from those who are furthest along. We put zero trust out for public comment because we recognize this is a beginning stage of a paradigm shift for everyone. Some organizations are further along than we are. And we really want to learn from those experts and get their feedback and make sure that we have the right plan moving forward.
It’s also ensuring we are institutionalizing collaboration across federal government. We have a CISO Council, which I chair, that brings together all the federal CISOs. And the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency runs a series of workshops that we’ve reprioritized about implementing these EO tasks together.
Is there a game plan for getting people to work differently and collaborate?
There’s a lot of talent but the skills that we’re seeking to make some of these changes are scarce. Automation is a piece of the answer, but also really treating talent acquisition and training as a mission priority and tracking your progress.
You also need to focus on executive education. Including cabinet heads or senior officials in exercises is one way, and having regular governance boards and meetings where you involve folks whose mission isn’t cybersecurity but it is tangentially through being the CFO or being the chief acquisition officer.
Another soft skill that’s crucial here is communication skills. You can recruit both hard technical skills and some soft skills with aptitude to learn the technical stuff. Having both of those is great. Some of the best cyber policy people I’ve seen in government are lawyers. It’s a balance. You don’t need just one skillset here.
You talked about a two-year window. When do you get to a stage where you can think, this is enough?
Measuring sufficiency in our space is quite hard. It’s important to try but it’s also important to understand that this is a risk management problem. Everything you’re doing is drawing down risk, managing risk. And the more you do, the more risk you can draw down. But you also have to be attuned to measuring that.
One way we’re going to try to do this is looking at sufficiency through the zero trust strategy. We’re using CISA’s capability maturity model so that we have a standard baseline we can benchmark across. We’re setting a three-year goal where we’re describing specific activities for agencies to shoot at. Then you can start to see when people are successfully implementing and showing outcomes. It is really the cornerstone cyber program.
What else can be done so we actually create an infrastructure and applications that have security embedded rather than being something that we bolt on?
When you look at zero trust, and we’re changing the way people access resources, you’re bumping into the business side immediately, and you need buy in. They need to understand why we’re doing the things we’re doing on the security end, in particular any time we involve an end-user. I believe we can do it in a way where it doesn’t disrupt, but it will change how people do work. It’s important to have senior agency leadership understanding and buy in. It means tight partnerships, as always with CFO but others, like the chief data officer.
One of the things you need to do is really understand where your sensitive data is, not where you think it is. You’ve got to use tooling to verify and validate. That can be a painful cultural journey that takes some time because we haven’t had that type of visibility and true understanding of exactly how we’re storing data. And how people work now, it’s changing constantly and moving out to the edge.
What degree of influence will you have on the IT strategy and investment priorities of the various agencies? And what’s the message to suppliers? What should they be prepared to do?
We’re being transparent about the direction we’re headed. You see that by our desire to receive public comment. I’ve been busy going out and engaging with various trade tech industry groups, hearing the feedback, trying to explain what we’re doing. This is all purposeful and intentional. This is a partnership. We can’t achieve success here alone.
The guiding light for us is really moving towards a zero trust paradigm. That is the message that I would like people to hear. And I truly would like assistance. It’s an administration priority. We understand that the current model that is pervasive for security no longer works. There’s lots of things we need to do, but the number one is get on this path of all the multi-year journey hard work that’s going to need to happen now, as fast as we can. Industry plays a huge role as a partner in federal cybersecurity.
The second theme I would add is innovation and automating. One of the biggest challenges I foresee here is overwhelming the current human capacity. I think we will only be able to start really beating our adversaries and having defense win is when we can do it at their speed. That means automation and then training people to understand how to use those tools.