You can hear the clatter from the White House as it hammers out the details of a long-awaited national cyber security strategy. But a former Department of Defense (DoD) cyber policy strategist is already spelling out advice to keep Federal agencies out of hackers’ webs today.
Katherine Charlet, director of the Technology and International Affairs Program at the Carnegie Endowment for International Peace, who most recently served as the acting deputy assistant secretary of defense for cyber policy, has released a primer, Government in the Crosshairs: Recommendations for Federal Cybersecurity. The paper outlines nine actions the Federal government and Congress can take to shore up the nation’s cyber defenses.
The top of the list is more funding for IT modernization.
Congress must appropriate meaningful funds for IT modernization in FY 2019. Passage of the Modernizing Government Technology Act laid an important foundation for addressing the government’s legacy information technology problem. But while it is a good pilot step, the $100 million appropriated for FY 2018 is a drop in the bucket compared with what is needed, Charlet said.
“It was probably difficult to get that $100 million because of the really constrained resource environment in Congress. I certainly wouldn’t underutilize the utility of getting that pilot fund going,” Charlet told MeriTalk. However, “the scale of the challenge means that there is a lot more to do,” Charlet said. Agency managers can start building support in Congress now for more meaningful funding in FY 2019, Charlet noted.
Another recommendation calls for steady movement toward shared services and efforts to hold agencies accountable for basic cyber hygiene.
All agencies should maintain momentum on baseline initiatives, because steady progress makes a difference. Charlet underlines that agencies should keep pushing to strengthen recent efforts such as the adoption of shared services and commercial technology, the consolidation of commodity IT functions, and measures that hold agencies accountable for basic hygiene. She also stressed the importance of continued progress in the Department of Homeland Security’s capabilities for detecting threats and vulnerabilities on agency networks.
The 30-day cybersecurity sprint launched in 2015 after the Office of Personnel Management data breaches, which instructed all agencies to review and tighten their security posture, serves as a useful model going forward, Charlet noted. The measures implemented were modest, but successful. The sprint demonstrated that “when you rally the Federal government and set achievable, discrete milestones for [agencies], it can be an effective way to address progress.”
She underlined that agency managers need a keen sense of mission and a better understanding of the infrastructure supporting their agency’s mission.
The White House should evolve agency risk assessments to focus less on individual systems and assets and more on missions and functions. Federal agencies have concentrated on identifying and protecting high-value assets. That is useful, but it misses the fact that disrupting networks or systems that are not individually considered high-value could still prevent an agency from performing a key function.
“I would like to see a greater emphasis on each agency having a keen sense of what their core missions and functions are, and then studying what are the systems and networks that support them in implementing those core missions and functions,” Charlet said.
To that end, the National Security Council and the Office of Management and Budget should direct each agency to first identify its core missions and functions, second identify the network infrastructure that supports those functions, and finally develop risk mitigation measures to ensure continuation of the core function even if that infrastructure were subject to cyberattack.
Charlet’s other recommendations include the establishment of benchmarks for securing Federal functions from cyberattacks, better use of risk-based decision-making tools, and implementing programs to recruit and retain a skilled cyber workforce. Further, she stressed the need to promote procurement policies and staffing to better incorporate cybersecurity considerations, and develop a strategy for automation in Federal cybersecurity.
In the book, Charlotte’s words in the web keep Wilbur from slaughter. Heads up: Charlet is writing fund, share, and evolve.