Though former Brig. Gen. Gregory Touhill served only about four months as the first Federal Chief Information Security Officer, he has some suggestions for improving cyber in the new administration.
“Frankly, I thought I’d still be standing up here as the Federal CISO, but that didn’t happen,” Touhill said Monday at the 2017 ICIT Winter Summit in Arlington, Va. “There’s a couple of issues that I think that are very noteworthy that collectively all of us have to be concerned about as we try to meet our mutual goal of supporting an open and transparent government that protects the people’s information while preserving privacy, civil rights, and civil liberties.”
Double Down on CDM
According to Touhill, enacting Continuous Diagnostics and Mitigation (CDM) provides many of the capabilities that the government is deficient on.
According to the Department of Homeland Security website, “CDM provides Federal departments and agencies with capabilities and tools that identify cybersecurity risks on an ongoing basis, prioritize these risks based upon potential impacts, and enable cybersecurity personnel to mitigate the most significant problems first.”
“Frankly I believe that we are late to need on these capabilities. They should have been built in from the start,” said Touhill, explaining that government systems should be designed with security and a means of monitoring that security.
“In the new administration, I strongly encourage them and every department and agency to field these capabilities as fast as they can. Otherwise we are not in a position to meet our mission objectives,” he said.
Fix the Architecture
“Every single department and agency is doing their own thing,” said Touhill, explaining that funding allocation from Congress is often based on an organization chart that resembles designs from the ’80s, making it difficult to apply that funding to the IT spaces where it is needed.
Follow the Flight Plan
As CISO, Touhill said that one of his objectives was to implement cyber training and exercises for everyone, especially senior leadership in government.
“I submit that everyone is on the cyber frontlines and everyone is an endpoint,” said Touhill, explaining that the next administration should seek to improve and increase training exercises to train their workforce, because the one-and-done philosophy is “unacceptable.”
Touhill added that the Cybersecurity National Action Plan (CNAP) evaluations enacted in the previous administration “were a good place to start” in evaluating and improving national cybersecurity that the next administration should build off of. He added that the government should strive to not only use practice to make perfect, but rather practice perfectly.
“Doing the right things the right way is more than just cyber hygiene. It’s practicing perfect, getting closer to perfect each and every time. We need to beef up the number of exercises we do and we need senior leaders and senior managers to play,” he said.
Touhill also applauded the last administration’s efforts to modernize IT systems, introducing a rule called “Touhill’s Law,” which argues that, just like there are seven dog years to one human year, there are 25 computer years to one human year.
“I contend that Microsoft and other companies like it, American companies, will come out with a groundbreaking, evolutionary leap forward every three years or so,” he explained, adding that the average human life span is around 75 years. “Therefore, under Touhill’s Law, I submit that every human year is 25 computer years. I further contend that under Touhill’s Law there are a bunch of computers in the Federal government that are over 2,000 years old.”
Because of this, Touhill said, the Federal government should strive to both innovate and actively retire old systems. In addition, IT workers should make a concerted effort to make sure that their senior administrators get the seriousness of certain cyber risks.
“As the new administration moves forward, I strongly encourage them to continue the momentum that we’ve been building to get those risk decisions through the governance structure to the right level,” Touhill said.
“I was a bit miffed, dismayed, and amused all at the same time when I saw a press report talking about my quietly resigning and the fact that I had not published substantive policies during my time as the Federal CISO,” Touhill joked. “Let me tell you, we have too many policies.”
He explained that it’s easy for Congress or the executive branch to simply tell agencies what they need to do, but that meeting those requirements is only an aspect of effective security.
“We need to focus on best practices, not just compliance,” Touhill said, adding that best practices will always lead to compliance with policies but that compliance does not always lead to best practices.
Therefore, Touhill said, it is important for the new administration to enable the execution of the policies already in place, rather than piling on new policies.