In the era of the Internet of Things (IoT), Federal agencies need to change the way they think of cybersecurity, according to Microsoft Federal CTO Susie Adams.
“If you look at where we’re going with Internet of Things, this is going to become more important than ever before,” Adams said in an interview with MeriTalk. “We used to think of things as a secure network of devices, and the network was kind of that security boundary. We need to flip that upside down and say, ‘really it’s a network of secure devices.’ Those devices become really important.”
Adams noted that Federal employees increasingly work from multiple devices, all of which connect to agency networks. That means each device must be secured alongside the network itself.
“People need to work like this,” Adams said of the ability to both use a myriad of devices, and to work outside the agency office. “If you’re going to allow people to work remotely, on any device, those devices are now your boundary.”
Part of the problem is an old-fashioned IT mentality that doesn’t adequately account for new devices.
“Usually what would happen is, if they found a security breach in their system, they would just unplug the Internet,” Adams joked. “I go into buildings now and they make me take off my Fitbit. DHS made me take every wire out of my bag the other day; I mean, they made me empty my entire bag.”
Though some Federal agencies are embracing Bring Your Own Device policies, it is by and large difficult for agency employees to work with the same efficiency and freedom as their private sector counterparts. And the agencies themselves are struggling to keep up.
“They’re having a hard time managing them,” Adams said. “There’s technology out there to do this, and many of the agencies already own that technology. It’s just a matter of getting the policies up to date for implementing that technology, and then implementing the policies around it. A friend of mine works for an agency and the paperwork to telework is amazing.”
Adams said that she has found the overall mentality of Federal agencies surrounding IoT and cybersecurity to be out of date.
“Most people are still thinking old school, and most of that is because of the support ecosystem that’s still in place today,” she said. “They think, ‘I’m going to have this big five-year program to redo this,’ or ‘it’s going to take me three years to write this app.’ They’ve really got to turn that upside down and think differently.”
Much of that different thinking involves shorter cybersecurity sprints that identify critical holes in networks and devices and patch them quickly enough that employees can keep working effectively.
“I don’t think we can wait six years for cybersecurity implementation to become mainstream,” Adams said. “They’re really going to have to lean forward in their way of thinking, probably more so than they’re used to doing.”
Talk on the Hill surrounding cybersecurity has lately centered on the outdated IT systems still in use by many Federal agencies. Though some agency heads have downplayed the effects that outdated systems can have, Adams has found that this is one of the most important issues to be resolved.
“When you’re running COBOL systems still, it’s hard to make the argument that you don’t need to modernize,” said Adams. “If you’re still running unpatched operating systems, and systems that are 10 years old, you’ve got a problem.”
However, she also said that agencies have to first “assume compromise” before they update their systems: “I think many agencies have been breached and they just don’t know it.”
She warned that if agencies act without this assumed breach mentality, they will just be stuck with a nicer, but still compromised system.
“If you modernize something that’s been compromised already, the bad guy’s still in there. It’s kind of like coming home and there’s an intruder in there, and he’s still hiding in your closet, and you lock all the doors,” Adams explained, suggesting that agencies work more with third parties to evaluate the security of their systems. “They don’t know what they don’t know, and everyone’s used to the old mind-set. One quick way to get a different view is to use some of the funds they have now to do these studies to better understand what their environment looks like.”
Adams noted that agencies are headed in the right direction, pointing to a recent Federal cyber sprint and the leadership of Federal CIO Tony Scott as beneficial advances.
“The Federal CIO and OMB are setting a good example. They’re rolling up their sleeves and actively trying to set a good example and aggressively doing things, which you wouldn’t expect to see right now as we go into summer and an election year,” Adams said.
Therein lies much of the worry, for both agencies and private partners. Because this is an election year, the beginnings of increased cyber hygiene and awareness may fall by the wayside.
“We might see a big exodus happen,” Adams said. “I think everyone’s a bit more nervous than normal about the changing of the guard this time.”
However, Adams also thinks that there is strong potential for the government and private companies to collaborate to keep cyber momentum going.
“There’s a lot of different things that we can see, and we want to share that information,” she said. “We recognize that we are not the only people in the space, and we can never be the only people in the space.”