The federal government needs to rethink how it approaches cybersecurity, both from an IT perspective and in terms of how agencies plan to enhance cybersecurity through the budgeting process, according to federal officials.
The officials say that it is not that agencies lack the firewalls, software or threat detection systems to counter cyberattacks, but that the government as a whole needs to think about how it applies IT resources and builds its cybersecurity infrastructure.
A New Approach to Federal Cybersecurity IT
Ron Ross, a fellow at the National Institute of Standards and Technology (NIST) who leads the Federal Information Security Management Act Implementation Project, thinks the government needs to take a fundamentally new approach to cybersecurity.
According to Ross, the “only way” to effectively combat the cyber threats of the future is “to build more trustworthy secure components and systems.” Ross made his comments before the Commission on Enhancing National Cybersecurity during a meeting late last month in Minneapolis, according to FedScoop.
The Commission was established by executive order in February and includes key strategic, business and technical thinkers from outside of government. The Commission’s goal is to recommend actions that can be taken by the federal government and private sector over the next decade to enhance cybersecurity while protecting privacy, fostering development of new technologies and promoting cooperation between government and industry. The commission is preparing a report due Dec. 1.
Ross also leads the Joint Task Force Transformation Initiative, a partnership with NIST, the Defense Department, the intelligence community, the Office of the Director of National Intelligence and the Committee on National Security Systems to create a unified information security framework for the government. Ross thinks the current framework is inadequate.
“As a nation,” Ross said, according to FedScoop, “we are spending more on cybersecurity today than at any time in our history, while simultaneously continuing to witness an increasing number of successful cyberattacks and breaches.”
Why is this the case? In Ross’s view, there are “inherent weaknesses in the software, firmware, and hardware components of the underlying systems and networks” the federal government uses, which are increasing the number of areas malicious actors can attack.
The more agencies try to fix vulnerabilities through new technology and patches, the more the number of unknown risks grows, as IT systems become more complex, he argued. Instead, Ross said, the government should focus on “building more trustworthy secure components and systems by applying well-defined security design principles in a life cycle-based systems engineering process,” and building in security and reliability from the start.
“Those highly assured and trustworthy solutions may not be appropriate in every situation, but they should be available to those entities that are critical to the economic and national security interests of the U.S.” like “the electric grid, manufacturing facilities, financial institutions, transportation vehicles, water treatment plants, and weapons system,” he said, FedScoop reported.
Ross said the new approach “will require a significant investment of resources and the involvement of essential partnership including government, industry, and the academic community,” adding that “the clock is ticking and time is short.
“We have an opportunity to do what is necessary to protect our national treasure and defend the country in the brave new world of cyberspace,” he said.
Tackling Budgeting and Organization Concerns
While Ross advocated for shifting how the government constructs cybersecurity IT, other officials have said recently that the problem is not the technology agencies use, but instead how it is provisioned and how agencies are organized.
“Structurally, from a budgeting perspective, we’re not set up for success” in terms of cybersecurity, Thomas McDermott, deputy assistant secretary for cyber policy at the Department of Homeland Security, said during a panel discussion at FedScoop's seventh annual Lowering the Cost of Government with IT Summit, according to FCW.
“The way that the federal budgeting process works with one-year money, it makes it much harder to spend long term [on] upgrading infrastructure as opposed to continuing to patch old, sometimes indefensible IT systems,” he added.
“Cybersecurity is a key element of fiscal security,” he said. “We’ve seen that the costs of incidents are huge, both financially and reputationally.”
“If we’re saying cybersecurity is a key part of our national security … we need to be addressing it as such,” said Kiersten Todt, executive director of the commission, according to FCW.
She agreed that cybersecurity cannot be addressed on one-year budget cycles, which will be one of the messages of the commission’s report.
The government will likely need to pay for more cybersecurity IT up front to recoup costs in the long term, panelists argued. “I think strategically, if you can reduce the need to respond to [cyberattacks], you are saving a lot of resources — time, energy, money — and you’re better able to get your job done,” said Bob Gourley, partner at the technology consultancy Cognitio and former chief technology officer at the Defense Intelligence Agency.
Todt also said that the way agencies are structured in terms of IT governance is a factor in how effective cybersecurity can be. “The way positions have power and the way they are effective is when they have budget authority, and when they have overall authority. And [the question is] how do we structure that in the government?” she said, according to FedScoop.
“One of the things we are hearing and learning is about responsibility, accountability and capability, and how do these three elements fit together in the government realm to ensure cybersecurity,” Todt added.