Make Cybersecurity a Key Ingredient of Modernization

By: Tom Guarente, vice president of external and government affairs, Armis

Recently, I was privileged to sit down with a high-ranking member of a key oversight committee who asked me what actions I thought Congress should take to address some of the country’s biggest cybersecurity challenges. I suggested they should begin by conducting a hearing that would publicly bring many of these challenges to light.

I was somewhat taken aback – but not necessarily surprised – by the response. I was told the committee had an IT modernization hearing scheduled next, but would hold a cybersecurity hearing in the months ahead.

That exchange captured the essence of the challenge we face in improving cybersecurity within the federal government. By viewing cybersecurity issues as separate from technology modernization, we are missing an opportunity to address the issue more effectively by integrating the two.

The federal government needs a new mindset to ensure that IT modernization proceeds with cybersecurity as a key ingredient, not an afterthought. Agencies must think beyond IT and bake cybersecurity into their program requirements from the onset. The government cannot continue down yesterday’s path of addressing modernization with cybersecurity merely being an afterthought or “check box” item.

Solicitations from many agencies at times may bake cybersecurity into their modernization programs, but tend to address yesterday’s needs and requirements, leaving out the critical nature of a growing threat surface with converged technologies.

The upcoming program to modernize the National Air Traffic Control System and improve and secure the nation’s airport/transportation infrastructure can serve as a model for this new approach. The Federal Aviation Administration (FAA) should ensure that cybersecurity is integrated into its overall modernization plans from the start. This involves ensuring the security of an infrastructure that goes well beyond traditional managed assets, such as IT, and now includes a myriad of devices (cameras, scanners, automated doors, etc.).

Doing so is critical given the urgency of ensuring safe air travel, and failure to do so could literally result in the loss of life. Here are four steps the government can take to move in this direction:

• Start thinking beyond IT: The FAA initiative encompasses nearly all aspects of its operation, including communications, surveillance, automation, and facilities. The agency must look beyond IT to ensure cyber protection for all assets associated with these operations, with complete visibility and control into IT, operational technology (OT), the internet of things (IoT), and unmanaged assets to address traditionally overlooked security blind spots.

• Ensure real-time capabilities: Within any acquisition, cybersecurity must be viewed as a critical element and not a separate component. We’ve already seen examples of federal government initiatives that aim to bridge this gap, including the Pentagon’s Cybersecurity Maturity Model Certification (CMMC) for defense contractors and various Software Bill of Materials (SBOM) efforts to secure the modern software supply chain. Every decision made for a new procurement should take into account how it will deploy tools to identify and monitor threats in real time, in terms of how those tools interact in the environment.

• Promote solutions that create cyber awareness: Agencies should deploy capabilities to identify anomalies in the behavior of assets within their environment. This means tools to measure modernization efforts through quantifiable risk reduction metrics; passive/active discovery and integration with existing security infrastructure; and asset discovery for maintaining an accurate inventory of systems and components.

• Encourage a mindset for making quick decisions: Today, the alerts and complexities of the government’s growing threat surface call for integrating AI functionality that gives personnel relevant, real-time information on which they can take action. Integrating new technologies can often introduce unfamiliar skill sets and more complexity. Consequently, agencies should embrace a holistic and outcomes-based approach to remediating vulnerabilities that incorporates and supports human decision-making, all the while narrowing the decision window where action is required.

Government modernization should proceed with cybersecurity as a key ingredient, not an afterthought. The FAA and other agencies have an opportunity to serve as an example on how to do this correctly by thinking beyond IT and baking cybersecurity into their program requirements with real-time solutions that quickly identify and counter risks to their environments.