Federal CISO Christopher DeRusha said today that new IT modernization and security funding streams stemming from the American Rescue Plan Act represent a “down payment” on extensive work that needs to be done to improve Federal agency network security.
“We are at a crossroads for our nation’s cybersecurity,” DeRusha testified at a Senate Homeland Security and Governmental Affairs Committee hearing looking into the SolarWinds Orion and Microsoft Exchange hacks. He said the exploits revealed “gaps in our ability to manage critical risks,” and that the exploits should “serve as a wakeup call and a galvanizing event.”
In his role as Federal CISO – a position that sits within the Office of Management and Budget (OMB) – DeRusha said OMB is continuing to work with Federal intelligence and law enforcement agencies to sort out the two hacking incidents, and is identifying “capability and resourcing gaps” so that affected agencies can recover. Nine Federal agencies were breached in the SolarWinds exploit, White House officials have said.
“We are committed to investing in infrastructure, systems, and people to build back better,” the Federal CISO said, adding that the $2 billion of funding from the American Rescue Plan Act devoted to IT modernization and security improvements “has laid the foundation for this.”
“It is just a down payment,” DeRusha said of the amount of work that needs to be done. “We have decades of technical debt to pay off.”
The $650 million of new funding for the Cybersecurity and Infrastructure Security Agency (CISA) will help to fund “enhanced monitoring” of networks and faster response times to incidents, he said, while the $1 billion of new funding authorized for the Technology Modernization Fund (TMF) will also help government agencies deal with cybersecurity problems. “We look forward to demonstrating what else it can achieve,” DeRusha added.
Offering further hints on his thinking about security funding, DeRusha told senators that he is taking a “top-down look” at Federal systems, and that “we have a lot of work planned going forward to work with CISA to work across all of the agencies.”
Part of that work includes considering additional funding for Federal agencies for security through the annual appropriations process, as well as development of managed security services, DeRusha indicated.
DeRusha said he is working to make sure that Federal agency budgets are aligned with the increased needs for security, and reminded senators that “security is expensive when done properly, but more expensive” when it is not.
He also testified about the need to move Federal agency security closer to zero trust concepts, which “moves us away from protecting the perimeter” and places a much greater emphasis on continuously re-authenticating users and, ultimately, on blocking suspicious network activity. That evolution, he said, will require a considerable “shift in mindset and focus” at Federal agencies.
Finally, DeRusha said he will be working with new Federal CIO Clare Martorana on plans to boost technical skills in the Federal workforce. “We will be developing new initiatives to make sure the current workforce is reskilled and ready to face these challenges,” he pledged. The Federal CISO also said that expanded funding for the U.S. Digital Service and the General Services Administration’s Technology Transformation Services organization will help get more highly skilled people into government.
Committee Chairman Sen. Gary Peters, D-Mich., told DeRusha, “I have every confidence that you are up to the task.”