White House Signals New Focus on Reducing Cyber Risks to Federal Networks
Government agencies have been given a message from a former premier hacker: You need to be more aggressive about addressing cybersecurity risks on your networks.
The former hacker happens to be Rob Joyce, the White House’s cybersecurity coordinator, who was named to that position in March. Joyce formerly ran the National Security Agency’s Tailored Access Operations unit, the NSA’s hacking unit.
Speaking last month in the wake of President Donald Trump’s signing of his long-awaited executive order on cybersecurity, Joyce essentially put agencies on notice that they need to step up their efforts to protect federal networks. He also suggested that the Trump administration would be forceful in pushing agencies to address what may be weak links, such as antiquated software, which could increase vulnerabilities. And he suggested that agencies’ security might be better enhanced by moving data to the cloud.
“We operate those networks. In some places, they’re antiquated, they’re indefensible,” Joyce told a May 18 meeting of the President's National Security Telecommunications Advisory Committee, according to FCW.
Moving to the Cloud Could Enhance Cybersecurity
During his appearance, Joyce said the executive order gives federal officials license to take action and pursue innovation in how they buy and use IT.
The order states that it is the policy of the executive branch “to build and maintain a modern, secure, and more resilient executive branch IT architecture.” Agency heads are now required to prefer, in their IT procurement, shared IT services, to the extent permitted by law, including email, cloud and cybersecurity services.
Joyce said he wants to accelerate agencies’ shift to cloud architectures and “take individual departments and agencies and bring them under the umbrellas of larger managed service providers who can do this at scale.”
As an example, according to FCW, Joyce cited the Bureau of Reclamation, a component of the Interior Department, noting that even though it has a small IT budget, the water management agency is responsible for protecting important data about the nation’s water supply.
“They are not going to have the MIT, Carnegie Mellon or Stanford recruits” coming to their offices, he said, because the private sector can offer more money and other agencies, like the NSA or Department of Homeland Security, are also competing for top cybersecurity recruits.
“If we allow individual departments and agencies to fend for themselves, we will often get the lowest common denominator as our weakest link in what is an interlinked federal network,” Joyce said.
Outdated Software Poses a Security Risk
Joyce noted that some agencies still use Microsoft’s Windows XP system, which Microsoft stopped providing regular, free security patches for in April 2014. Many agencies have already moved to Windows 10, a much more secure platform.
The government was spared in the WannaCry ransomware attack that swept the globe in mid-May (a fact that Joyce said he was “amazed” by at a separate appearance in May in Boston). Joyce credited “federal policies requiring relatively swift installation of critical software patches with helping to defend against the malware,” the Boston Business Journal reported.
Analysts at Kaspersky Lab found that roughly 98 percent of the computers affected by WannaCry were running Windows 7. Nonetheless, Nextgov reports, Joyce said the administration wants to “pinpoint where those outdated or risky systems exist, to make governmentwide decisions about whether those risks are acceptable and to reallocate money to update those systems when the risk is unacceptable.”
Joyce cited Windows XP as an example of an operating system “that should no longer be in our inventory,” according to FCW.
Agencies are choosing to rely on outdated systems, he said — it’s not merely inertia. “Whether that decision is driven by budget or driven by inattention, it’s something we've got to identify and drive out,” Joyce said.