Federal Chief Information Security Officer Grant Schneider, speaking Thursday at the Cybersecurity and Infrastructure Security Agency’s summit, said agencies have “come a long way” on cybersecurity.
He pointed to overall higher Federal Information Security Management Act and Federal Information Technology Acquisition Reform Act scores as evidence that government has turned a corner on cyber.
“I think we’re all far more operationally focused with agencies,” Schneider said. “We’re able to hold agencies accountable, or at least highlight where they’re at on metrics and really get a lot of the basic stuff done and done well.”
Jeanette Manfra, the assistant director for cybersecurity at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, said less time spent enforcing basic cyber hygiene standards allows CISA to play more of a cyber oversight role, providing “operational implementation guidance” of policies and setting standards.
Through two of its signature programs – Continuous Diagnostics and Mitigation, and its cyber hygiene program – Manfra said CISA has made it easier for agencies to show tangible progress in meeting their cybersecurity goals.
“What I think we’ve done well is find ways to identify indicators of success. If you don’t have an incident response plan, you probably are not doing very well. If you don’t have a patch continuous management process and policy, there are probably some problems in your organization,” she said. “There’s well understood, in the community, key indicators of success — that you can evaluate an organization just at a high level and say, ‘OK, well, you probably want to work on these things.’”
That evolution in roles, she said, plays into CISA’s mission statement of “securing today and defending tomorrow.”
But if cybersecurity is a team sport, questions still remain about bringing one former player back onto the field: the federal cybersecurity coordinator.
House Homeland Security Committee Chairman Bennie Thompson (D-Miss.) urged Trump’s new National Security Adviser Robert O’Brien to bring back the cybersecurity coordinator, and argued the White House “has done little to address the vacuum left behind” when former adviser John Bolton eliminated the position last year.
“With cyber threats becoming more sophisticated and growing by the day, including the persistent threat to our election systems, there is no reason that the White House should have allowed this position to be eliminated,” Thompson said in a statement Thursday.
CISA Director Chris Krebs said the cybersecurity coordinator, when the position was created about a decade ago, focused on “blocking and tackling,” and helping DHS engage with public and private partners. But now with CISA in place, Krebs said the agency and its partners have taken on more of that role as a coordinator.
“Now, 10 years later, we’re in a spot where a coordinator has a different job. It’s not blocking and tackling. It’s ensuring that we’re most effective coordinating policy and implementation across the interagency,” Krebs told reporters.
“There is coordination, so don’t take the lack of a coordinator for a lack of coordination,” he added.
Krebs said he has yet to meet with O’Brien, but said he would make cybersecurity a top priority at their first meeting. And if the White House brings back the coordinator role, Krebs said he would take all the help he can get.
“I think there’s space. I will take anybody in a federal agency that wants to play in this game. We will do an all-hands approach. So if a federal cybersecurity coordinator is in our future, then I really look forward to working with him,” he said.
While agencies have shown measurable progress on cybersecurity compared to where they were a decade ago, Schneider said IT modernization plays a major role in mitigating cyber vulnerabilities.
“We don’t want to build the next decade’s legacy systems tomorrow,” Schneider said. “We instead want to move to shared services and try to get agencies out of the business of doing some things that they need not be in the business of.”
Short-term cyber goals for agencies, he said, include establishing a “federal baseline for cybersecurity,” while longer-term goals include a move toward security as a shared service, as outlined in the Office of Management and Budget’s Quality Services Management Offices memo.
But cyber readiness remains a moving target, and measuring the criteria for what makes an effective strategy can be an elusive goal.
“Can you be totally green across your scorecard and get [hacked] tomorrow by a nation-state? Absolutely,” Schneider said. “It’s an amount of, are you doing what you need to do to be as protected as possible, but it doesn’t get you to someplace that’s ‘safe.’”
Looking ahead at the next wave of cyber vulnerabilities, Donna Dodson, the National Institute of Standards and Technology’s chief cybersecurity adviser, said her agency is doubling down on efforts to build security into internet of things devices and to ensure that industry builds the right software into devices so there is confidence the devices are secure, rather than circling back “after the fact” on cybersecurity.
“As we look around in our networks and in our infrastructure, we see IoT in places and spaces across the federal government and with industry. It’s almost like the IT days, we really didn’t realize it was there,” Dodson said, adding that zero trust and identity management need to play a role.
NIST held a workshop last month seeking feedback from industry partners following the release of an IoT internal report in June and a roadmap released in April that laid out areas where NIST could further advance its cybersecurity framework.
Dodson said NIST plans to hold a workshop next week that will look at “AI from a trust perspective.” The agency will also host a workshop looking for feedback on the “human factors” of IoT “smart home” devices.