MeriTalk recently connected with Cisco’s Will Ash, Senior Director of Security Sales, and Peter Romness, Cybersecurity Solutions Lead, U.S. Public Sector CTO Office, on the current cyber threat landscape, how Zero Trust plays into agencies’ evolving cyber defense plans, and the importance of public-private sector collaboration.
MeriTalk: What is the biggest threat to Federal cybersecurity today? How can agencies mitigate evolving threats now and in the future?
Will: If we look inside, there are two threats that we’re watching carefully and they’re more internal and market type threats. The first is the complexity of cyber defense capabilities and how that is making defenders’ jobs more difficult. It’s making detection of, and response to, breaches more difficult and less effective. The second piece of this is specific to the Federal government – it’s the ability to direct attention, expedite certification requirements, and prioritize budget. Currently, the Federal government is focused on continuously detecting threats and verifying trust. That is a very effective approach, both for now and in the future. Continuous monitoring for threats and verification has to be manageable. It’s up to companies like Cisco to provide technology to prioritize and automate response to common threats, better allowing the scarce defenders in the Federal government to address the really bad threats, and the really different and interesting ones.
MeriTalk: What lessons can the private sector share with the public sector?
Will: The public sector is open now, more so than they have been, to this very question. They’re open to learning from the private sector and forming public-private partnerships – not only formal partnerships, but also informal collaboration. One of the leading points that we see is the notion of being able to be agile and having the ability to approve and consume new technologies. It’s important to be smart about what certifications, controls, and framework requirements to use. The private sector naturally is a little more agile, but we are seeing the public sector, and the Federal government in particular, open to being more agile.
Peter: And we’re also seeing the private sector learn from the public sector. The NIST cybersecurity framework is a good example of that. We’ve seen many private sector organizations latch onto the framework as the way that they’re going to determine whether they’re making the proper risk-based decisions.
MeriTalk: Do you think agencies are ready for Zero Trust? If not, what do they need for a successful roll out?
Peter: All agencies are ready for Zero Trust – it is not an end state, but rather a way of thinking and looking at your environment. It’s a guide to help you make decisions. If an agency hasn’t done anything with Zero Trust yet, they should start with learning about it, doing research. NIST recently released a draft on Zero Trust, SP800-207. There are very few organizations that are able to just implement Zero Trust; it’s a journey rather than a destination, but everyone is capable of doing it.
MeriTalk: How does Zero Trust support existing cybersecurity efforts like CDM, EINSTEIN, and more?
Peter: NIST 800-207 specifically addresses CDM, EINSTEIN, RMF, FICAM, and a few others. Zero Trust helped augment all of these programs. The CDM program was already down the path of Zero Trust, looking at the phases: phase one – who is on the network, phase two – what is on the network, phase three – what’s happening on the network, phase four – how is data protected. That is a very similar path you would take if you are doing a clean Zero Trust implementation. In Zero Trust, the whole idea is that nobody and no device gets access to any resource unless they have proven their trust first. When you start in the Zero Trust way of thinking, the first thing you need to know is who and what is on my network and how are they communicating. Then, you start setting up policies around it, you manage your network, and the whole environment, in as granular a method as you can, allowing trust as granularly as possible.
Will: In terms of Zero Trust and CDM, we look at terms that map back to one another. We look at protecting the workforce and protecting the workload. The workforce in terms of the who and the workload with regards to the data and applications.
MeriTalk: Emerging technologies such as AI/ML and quantum computing bring insurmountable benefit to Federal IT, but they also present significant opportunities for cyber attacks. How can agencies balance the benefits of emerging technologies and the cyber threats associated with them?
Peter: Oftentimes in the industry, we’re seeing AI and ML and all of the different terms for emerging tech as buzzwords. One significant issue is that people throw technology at something that it may not make sense for, or they deploy a product that provides too much, more than you can deal with. As an example of the way Cisco is working to make technology manageable, we are building ML into most of our security technology, but we’re doing it fairly transparently to our users. We’re taking the burden of managing AI or ML away from the customers. That way they receive the many benefits without the headaches that go along with it.
Will: Some of the key areas of improving cyber efficacy are becoming automated and integrated. AI and ML help defenders with automation and release the workforce to focus on higher value activities. We want to continue to make the bad guys innovate, because innovation costs money. We together can leverage these advanced technologies, forcing the bad actors to innovate. That will continue to give us an advantage, and that comes out of public-private partnerships and collaboration.
MeriTalk: What advice would you share with public sector leaders who are considering implementation of emerging technologies but fear the security implications?
Peter: With proper security technology, technology leaders can do more. They can create new programs that they never could have before due to security implications. As advanced capabilities are unrolled, they should be easier to execute.
Will: With the mindset that security is being built into everything more and more, technology providers are helping the government modernize. Emerging technologies have cyber controls built into them and are open, integrated, and automated more than ever before, so they’re bringing them advanced capabilities from a mission perspective. All these advanced capabilities are easier to manage so that the creative people in an organization can spend their time thinking about the next new thing, instead of defending what they already have.
MeriTalk: Agencies are constantly looking to future-proof their strategies. What do you see as the future of cybersecurity? What will be the biggest cybersecurity challenge in the next five years?
Will: The future is about really moving along this open, integrated, automated platform that’s becoming less dependent on big-iron hardware, and more dependent on an ecosystem, with partnerships and open APIs, with the ability for that complex environment to act as one platform. Why that’s relevant in the context of future-proofing is with agility. Defenders are able to more easily update their capabilities and take advantage of advances in the marketplace and private partnerships. It is and will continue to be critical to be continuously aware of threat intelligence and continuous threat verification. One of the biggest threats is the risk that quantum computing will present to the world of cyber defense. It’s almost incomprehensible. It’s more than five years out, it’s very expensive and only certain types of entities can invest in its development, but it’s a matter of time until quantum changes the game – not only for defenders but also for bad actors.
MeriTalk: As agencies continue to explore ways to modernize legacy systems, how can the “never trust, always verify” ideology of the Zero Trust security model bolster cybersecurity during the transitionary period?
Peter: Every agency has some of the building blocks of Zero Trust already. Cisco has been building Zero Trust capabilities into switches and other solutions for the last eight to ten years at least, and many of those capabilities aren’t always being used. What we recommend is that organizations take this journey with a plan. Don’t just throw everything out and buy new; look at what you have, determine what’s needed, and methodically build from there with a long-term plan.