The federal government is a sprawling entity, and not every agency has the resources of the Defense Department. Providing effective cybersecurity to all agencies — especially smaller, non-CFO Act agencies — will require investment in shared services for IT security.
Grant Schneider, the acting federal CISO, said that smaller agencies often do not have the resources or personnel to effectively provide cybersecurity on their own, certainly not compared to a behemoth agency. “We’re never — certainly in government and also in industry — going to be able to get the workforce we need … to defend all of these different systems,” Schneider said. “Quite frankly, we just end up stealing each other's employees.”
Both Schneider and Michael Daniel, former cybersecurity coordinator in the Obama administration and now the president of the Cyber Threat Alliance, said that shared services can help ensure that agencies without adequate funding or resources can still provide effective cybersecurity.
Use Shared Services to Address Cybersecurity
The Trump administration has been promoting shared services as a way to deliver IT in a more cost-effective manner. Shared services consolidate common government operations such as IT management, finance, human resources and other functions into centralized service providers.
The Trump administration’s draft report on IT modernization, which was released at the end of August, notes that the General Services Administration’s $50 billion Enterprise Infrastructure Solutions telecommunications contract is designed to “address all aspects of agency telecommunications and network infrastructure requirements while also leveraging the bulk purchasing power” of the government.
EIS, the report says, “can be leveraged to help address some of the unique challenges faced by small agencies, a community that typically lags behind the large agencies in terms of cybersecurity capabilities.”
Smaller and non-CFO Act agencies often struggle to attract and retain top information security personnel and lack the expertise to fully manage their IT security programs, which hurts the government’s ability to gain a full understanding of the risk to federal networks. “EIS can be leveraged to consolidate acquisition activities and other security services for small agency networks,” the report says.
Michael Daniel, right, the former Obama administration cybersecurity coordinator, speaks at the 2017 Symantec Government Symposium.
Schneider said that a final version of the report that incorporates feedback from industry will be released soon. A key goal of the report and of the administration’s efforts on IT modernization and shared services, Schneider said, is to not force smaller agencies to procure all of their IT and cybersecurity products and services on their own.
“We have got to shrink the places where we really need to be focused,” he said. “We have to get some parts of the government out of the business of doing that defense on their own, because we don’t know if they will be able to do that.”
Schneider said, “I don’t think we’re where we need to be” on shared services, but he said the government needs to look at IT modernization and shared services holistically. “We need to bring those two things together,” he added. “From an IT operations standpoint, it’s hard to separate IT operations and cybersecurity.”
Let Agencies Focus on IT Core to Their Mission
Daniel said “cybersecurity is hard” because it is not merely a technical issue; it also involves economic incentives, human psychology and risk management. Additionally, Daniel said, cyberspace plays by different rules than the physical world, and there is no way for government to be inserted between citizens and malicious cyber actors without fundamentally changing the way the internet works and removing many of its benefits. Finally, cybersecurity policy is still new and evolving, Daniel added.
To get around these issues, Daniel recommended two approaches. One is to rethink intelligence and information sharing. Businesses and agencies are not experts at producing and sharing threat intelligence the way Symantec or other cybersecurity firms are, Daniel said. Therefore, they should share the threat intelligence related to their own mission and operations.
Secondly, in government, Daniel said, “we have used the approach of ‘every tub on its own bottom,’” meaning that every agency is an independent entity responsible for its own management and funding.
“We treated each agency as if it were a self-contained vessel,” treating the DOD the same as the Marine Mammal Commission, and having every agency responsible for its cybersecurity from soup to nuts, according to Daniel.
“That is the wrong way to think about it,” Daniel said. “For most federal agencies, that is not a core part of their mission.” Smaller agencies need to have access to cross-government cybersecurity services.
That doesn’t mean there should be a “department of federal IT,” Daniel said, which, he joked, would be “like the DMV times four.” Instead, agencies should focus on the IT that is core to their mission. The government should “enable a more centralized function for the transport layer and other pieces of the IT technology stack [that] are much more amenable to both centralized security and provisioning.”