While the IC’s research organization looks into adding security to cloud environments, in the here and now, intelligence agencies are sharing more data.
The Trump administration has made cybersecurity a priority in terms of budgeting, but to truly get ahead of adversaries, the security professionals protecting federal networks will need to do something more: think like a hacker.
At least that’s the advice from Greg Touhill, the nation’s first federal CISO.
“We need to think like a hacker” to protect federal networks, Touhill, a retired Air Force brigadier general, said on March 30 at the Billington Cybersecurity Summit in Washington, D.C., according to FCW.
“We haven’t even been thinking like an accountant" when it comes to federal IT, he said. "We need to do a bit of both” to enhance both security and efficiency in federal cybersecurity spending, he added.
Touhill, who was appointed to the new CISO position by former President Barack Obama in September, stepped down on Jan. 17. He has been taking some time off and plans to begin a job search in April. Before he was named to the CISO role, he served as deputy assistant secretary for cybersecurity and communications at the Department of Homeland Security.
The White House has not yet named a new permanent CISO, and Touhill’s former acting deputy, Grant Schneider, is serving in the CISO role for now. Touhill said that whoever holds the CISO role next, that person needs to articulate a clear and concise plan to protect federal IT assets, according to FCW. The next CISO must communicate well with senior-level agency managers about cybersecurity risks and spur more consolidation among agency IT capabilities.
“As federal CISO, rather than come out with the big lengthy strategy document that no one will read, I focused [on] defining the mission,” he said. “What is the cybersecurity mission of the federal government?”
The government also needs to be more efficient about how it buys cybersecurity IT, Touhill suggested. “‘Be calm and buy everything’ seems to be [the practice] when it comes to IT and cybersecurity in the federal government,” he said, according to FCW. “We go out and we buy every damn tool that's out there. But we don't read the instruction books and we don’t necessarily take the training … We don’t use the tools that we buy very well.”
One area that could use more funding? Touhill suggested additional money for “active hunt teams” that can find and block attackers. Cybersecurity response teams are good, but are often stuck “cleaning up on aisle six” while other threats could be attacking federal IT assets. “We need to do a better job” hunting down those threats, he said.
Touhill’s former colleagues at DHS are trying to be more proactive in their cybersecurity defenses by embracing automation technology, Federal News Radio reports.
DHS’s National Cybersecurity and Communications Integration Center is trying to be less reactive to cybersecurity threats, and is using automation tools to do so.
“We want to get ahead of the adversary,” said John Felker, NCCIC’s director, according to Federal News Radio. “And the thing that we can do to get ahead of them is to potentially stop them. But the second thing is even if we can’t stop them, we can make it more expensive, we can make it more resource intensive for bad guys to do what they want to do.”
The NCCIC is trying to prioritize which IT assets are the most valuable and worth protecting, the report noted. One way to help cybersecurity workers make decisions about how to defend those assets is to use automation tools like automated indicator sharing (AIS).
“The idea with AIS is when we come across something we think is an indicator of compromise that we have assessed is worth sharing, it gets plugged into the system and shared automatically on a machine-to-machine basis,” Felker said. “And those indicators can come from anywhere we’re connected to, and those indicators can provide potential actions for cyber defenders to take to defend their network. The big focus for us is operationalizing that and making it as useful as we can.”
There are roughly 140 partners across both the public and private sectors using AIS through continuous diagnostics and mitigation and DHS’s EINSTEIN program, Federal News Radio reported. Those partners share cybersecurity threat data and help build a larger database of threat indicators, malicious actors and their tactics.
However, Felker said, each of those partners needs to think through how they will respond to the indicators they receive through AIS.
“That is a big cultural move that is still formative — the idea that a machine is going to send you something, and your machines are going to automatically do something. And if you haven’t thought through that, there’s a potential there to upset your mission or business,” Felker said.
NCCIC wants those indicators to be properly scored so that cybersecurity personnel have the most reliable information and can make the best decisions about how to respond, Federal News Radio reported.
“We’re pursuing improvements across the board in automated analysis and threat hunting and the assessment systems,” Felker said. “I think those are coming together to be more effective than they were at the outset. At the NCCIC, we’re learning more about how to better use some of the information we get from those tools. And we’re also learning how to set up better interactions with our partners at agencies.”