What's next for agency cyber efforts?

When the White House issued its long-awaited executive order on cybersecurity in May, it formalized what many in government had long argued was necessary: adopting the National Institute of Standards and Technology’s Cybersecurity Framework and embracing enterprise risk management at every agency.

FCW gathered cybersecurity leaders on Aug. 9 — 90 days after the cyber order was issued and the date by which agencies were required to submit a written response to the Office of Management and Budget regarding their new risk assessments — and asked them to discuss their experiences to date. The discussion was on the record but not for individual attribution (see below for a list of participants), and the quotes included below have been edited for length and clarify. Here’s what the group had to say.

Big changes or paving the cowpaths?

Most participants said President Donald Trump’s May 11 executive order didn’t tell them anything they didn’t already know, but they still praised it for making cybersecurity’s importance clear governmentwide.

“We had already codified things such as the security framework as to ways we were moving forward,” one security executive said. “We’ve had maybe validation but no impact from the executive order at this time.”

She added that “we were already moving down that path. Because of that, I fully endorse what they’re doing.”

Another participant, whose agency was perhaps not quite so far along, agreed that “most people who were doing strategic planning within their agencies were fully cognizant” that different approaches were needed.

“Whether you talk about the need to prioritize cyber investments based on high-value assets or some other algorithm,” he said, “it was becoming very obvious because the number of dollars needed is ginormous. And agencies have mission activities that they need to do, so you can only compete so much for those funds.”

He added that “the recognition that we need to modernize the network structure is kind of also a self-evident truth. This is a core, systemic problem that exists, and…it is now recognized that modernizing the infrastructure is absolutely critical in order to solve our cyber problems because we can’t keep patching.… That was also intuitively obvious, but many things that are intuitively obvious aren’t really intuitively obvious until someone puts them into a formal document and says, ‘This is what’s going on.’”

That affirmation of generally held best practices also poses a bit of a risk for agencies that have already embraced them.

“What I see in the order is a lot of the same things that we’ve seen in the past, just stated in a different way,” one executive said. And like most guidance, the executive order and OMB’s implementation memo came with the unspoken assumption that “you weren’t doing it before.”

That executive’s agency — a Cabinet-level department — took care to establish a clear baseline for each of the five core activities in the Cybersecurity Framework. In its submissions to OMB, the agency showed “where we have made significant accomplishments in the past,” he said. “And because of those accomplishments, we’re going to move and build on those to move to the future.”

He added that “we do not want to give anybody, especially OMB, the impression that…we’re not continually improving and reviewing our cybersecurity posture.”

Another participant, however, said the order had already served as a valuable forcing mechanism for collaboration. “This was a great avenue to bring all different departments within the agency together to say, ‘Hey, how do we work together to respond to this EO? Because we can’t do it by ourselves, and if we want to be successful, we have to work together.’”

And virtually all the participants agreed that the cyber executive order was different from others in that it clearly explained the thinking behind the changes.

“They actually did attempt to provide background as to why they thought this thing needed to be addressed,” one participant said. “It was actually the first time, rather than just having a ‘You shall do.’”

Another participant praised OMB for acknowledging that some tactics — like Trusted Internet Connections — might not be the best approach now that the strategy has shifted from data center consolidation to “cloud whenever possible.”

“It is kind of unique for the government to say, ‘We choose to go down Path A, but we realize the world has changed,’” he said.

Culture still comes first

Several participants said the order’s message is important because so many people in the government still see cyber as a compliance exercise.

“You’ve got to go through the cultural shift first,” one said. “That’s essentially the pivotal change that has to occur because I don’t need to collect a whole bunch of data to fill out a compliance checklist.”

There are real operational challenges, the group said. For instance, cloud technology complicates asset methodology and the idea of attack surfaces. “But those are things that we can evolve to,” one executive said — unless “everyone still falls back on ‘security is compliance.’… You’ve got to change the overall approach to cybersecurity to be a much more proactive game that says you continuously have to be ready to do things because the threats are evolving.”

Many mission leaders and top agency officials still struggle to think about cybersecurity in this way, participants said, but several added that the NIST framework was making that education process easier.

“No one will ever say it’s simple,” one executive said. But the five basic levels — identify, protect, detect, respond and recover — make the framework “highly consumable by an executive understanding the complexities of the cybersecurity question.”

“You only have five words to work with,” he added. “You can build a great story around those five words that really resonates with the front office.”

Ultimately, another executive said, the challenge comes down to turf. “Every time I looked at an agency that was serious about doing consolidation or aggregation or modernization, it’s not finding the assets to do it that’s the challenge,” he said. “The hard part is the geopolitical effects to the agency in terms of human resources, organizational construct and who’s operating these systems.”

Accountability changes everything

The executive order’s declaration that agency leaders are directly responsible for cybersecurity is a big deal, most participants said. Although there have been few public signs of that shift, one executive said that for her agency, “it meant a complete change in everything.”

“This wasn’t just our CIO,” she said. “This was the top boss who said, ‘Cybersecurity: big deal, pay attention.’ It led us to change the actual structure of the organization.… The ability to move resources and to change the actual structure of the organization is huge.”

Another executive elaborated on what those changes look like. “If I knew that if I can’t accomplish that mission objective without having systems be secure, then I may restack the priority deck on where the assets are going. I may reallocate funding and reallocate effort — and it’s making that risk management decision at that top level.”

That accountability trickles down, several participants said. “When the most senior leaders are accountable, that means that the leaders under them are also accountable. In every one of my domains, every one of those leaders has to go to the top executive and say, ‘This is what I’ve done in the last six months in each one of these categories in the framework.’ This is the maturity that we are measuring.”

Such accountability is also encouraging collaboration, another participant said. “There are some efforts going on now where several of the departments are coming together at the CISO level to actually sit down and talk about common ways that we can solve some of these problems,” he said.

“There are varying levels of security maturity when you look at some of these initiatives,” the executive added. “Those agencies that are more mature have some significant lessons on how they do this. I want to see what they are because, frankly, I don’t want to have to relearn them. And on the converse, if somebody else needs the ideas that we’ve already worked through, we’re more than happy to share those.”

Another participant said the different initiatives — IT modernization, the president’s management agenda, data center optimization and other cross-agency priority goals — are increasingly coming together as a coherent set of components for the broader mission of cybersecurity.

“I like the idea that we’re getting all levels of input on this,” he said. “I think it does raise the level and turns up the heat a little bit for the CISOs and the CIOs. But the benefit to that is that you get the interest level from the top.”

Making the budget case

Buy-in, however, is not the same as actually having the dollars with which to buy. “This is the question of the ages,” one participant said. “What is the value of one more dollar of cybersecurity spend?”

He added that “it’s almost like proving the negative, trying to defend your cybersecurity dollar. It’s an insurance policy, and trying to sell that insurance policy is often very, very difficult.”

“I don’t think everything’s a dollar-based decision anyway in this world,” another participant said. “That’s part of the challenge. A lot of these risks that we see could be existential to your organization, and there’s no amount of insurance that you can purchase to thwart that risk.”

Another participant, however, cited economic research that suggests a 1 percent increase in new IT spending generally results in a 5 percent decrease in security breaches. “So you can communicate that pretty easily to your CFO without having to reinvent those metrics,” she said.

And with IT modernization still an unfunded aspiration, improved security is going to have to be paid for by the programs themselves, participants agreed.

“I think you don’t have a choice,” one executive said. “Whatever assessment you need to do at the end of the day, you budget for that right upfront in the program. If you’re doing agile development, you create standards of what you want to be doing, and you hold the program accountable to the standards.”

Such an approach not only sources dollars, he said, but also saves them while incorporating security at the beginning, where it belongs. “You’re paying for it right upfront in the program, and it’s not an add-on so you don’t have to go back later,” he added. “It’s done and it’s completed — and it’s a lot cheaper.”

The need for speed

As those last points suggest, the group viewed DevOps as a critical tool for breaking the cycle of outdated and insecure systems.

“There’s been a lot of good strategy with respect to what you can do for cybersecurity,” one participant said, “but the speed of implementing has been so, so slow that as a result, the risk changes before you can get that strategy in.”

“Somehow we forgot that time is important in the work we do,” another executive said. “We built in these delays thinking we were gaining assurance when we actually are reducing the reliability of the system.”

“You need to be able to identify vulnerabilities at the system level,” another participant said, “and be able to remediate and push out that patch in hours or minutes — not days or weeks…. There are big legacy systems out there with known vulnerabilities for years. That kind of cycle time is just unacceptable.”

That participant also argued that cloud services — and especially platform-as-a-service offerings — can dramatically improve an agency’s security posture.

“If you’re looking at FedRAMP solutions, they’re already meeting the FISMA compliance burdens,” she said. “So that replicability and automation [are] built into the process.” Agencies can push those activities onto the cloud service provider and focus on mission-specific security “rather than everything under the sun.”

A different take on the workforce challenge?

Finally, a handful of the participants argued that the executive order’s biggest impact might actually involve the workforce.

One executive said that “until now, there had been the sense that the workforce is important, but not nearly as important as this, this, this and this. Now that we have the reality that the cybersecurity workforce is not necessarily up to the standards of other either friendly or competitor nations, that puts it into the context of national security.”

Another said that although the order doesn’t say so explicitly, it “suggests that an awareness of cybersecurity careers is becoming more of a requirement for the public to know about it.”

A third argued that the real challenge is not growing the pipeline of cyber specialists to bolt on solutions at the end but rather instilling the technology creators with cyber awareness. “Until the designers and the developers get into that mode, we’re always going to be behind,” he said.

A fourth participant, meanwhile, pointed to a very different workforce challenge. “Everybody complains about how we don’t have cybersecurity technical people,” he said. “But I submit to you that if you don’t have a couple people in your organization who know how to speak, know how to write, know how to do finances, you’re going to lose.”

He added that “the typical cybersecurity scientist is going to be talking in bits and bytes. Put them in front of the CFO — forget about it. The CFO is not going to have a clue, and you’re not going to get your money.”