Federal government cybersecurity leaders told House members today that the government has made very significant progress in executing the Biden administration’s cybersecurity executive order (EO) issued a year ago, but also reminded lawmakers that funding is key to continued success in implementing crucial tenets of the order.
Testifying before the House Homeland Security Committee’s subcommittee on Cybersecurity, Infrastructure Protection, and Innovation, Federal Chief Information Security Officer (CISO) Chris DeRusha ran down the high points of the past year’s worth of accomplishments for the Office of Management and Budget (OMB), the Cybersecurity and Infrastructure Security Agency (CISA), and Federal agencies in undertaking the foundational work to execute on the EO’s requirements.
[DeRusha is also keynoting MeriTalk’s Cyber Central in-person conference on May 19.]
“The bottom line here is we can no longer rely on the outdated, perimeter-based approach to digital walls that we’ve used to keep sophisticated actors from gaining unauthorized access to our systems,” DeRusha told the subcommittee.
“We really need to aggressively invest in making our systems more defensible by employing zero trust principles to better detect and contain our adversaries, replace ineffective deterrence like passwords with multifactor authentication and encryption, continuously identify and remediate vulnerabilities, and transform our workplace culture by adopting a secure-aware mindset,” he said. “This paradigm shift is really our best opportunity to change our adversaries’ decision calculus” on launching cyberattacks, he added.
“We feel we’ve made tremendous progress over this first year” in implementing the cyber EO, DeRusha said.
Among those successes have been issuing zero trust strategies with firm deadlines for agency progress and marching orders for zero trust migration planning through the end of fiscal year 2024, along with initial steps on actions to improve software security, he said.
On the latter point, he said that agencies “are taking a phased approach to initially focus on standalone, on-prem software that performs critical security functions.” He continued, “When this first phase is complete, we will ensure that government services function not only as intended, but also in a manner that is secure by design.”
DeRusha also talked about success in enabling continuously monitored, government-wide endpoint detection and response systems, which he said “will improve our ability to quickly address malicious activity on Federal systems,” and logging retention requirements that are crucial to preserving the “digital fingerprints” necessary to detect, investigate, and remediate cyber incidents.
In sum, DeRusha said that the “vast amount” of actions called for in the cyber EO “are now established policies and are being implemented.” And he pledged, “the security of our nation will be drastically improved when the goals of the EO have been met.”
At the same time, the Federal CISO cautioned that more time and funding are necessary to reap the benefits of the cyber EO.
“We appreciate the recent investment that was made in the critical technology funds, like the $1 billion appropriation to the Technology Modernization Fund,” which DeRusha said “has already expanded our opportunities to address cybersecurity challenges.”
“But this is just the beginning,” he said. “We recognize that large-scale transformation does not happen in a year by launching new programs. It requires a commitment, cultural change, tireless implementation, and continued investment.”
Also testifying at the hearing, Eric Goldstein, executive assistant director for cybersecurity at CISA, recounted his agency’s central role in helping to execute on the cyber EO’s requirements, while also giving credit to Federal agency CIOs and CISOs, along with private sector partners, for their efforts.
“I’m proud to report that CISA met each of our assigned efforts under the EO by the deadlines enumerated therein,” he said.
“But deadlines matter less than outcomes,” Goldstein continued. “Our focus needs to be on ensuring that the cybersecurity that we expect across Federal civilian agencies is present across every department, every agency, every time.”
“Our goal is simply to reduce the prevalence and impact of cybersecurity intrusions targeting Federal agencies, ensure that intrusions are detected more quickly, and that Federal agencies are using modern secure technology that reduces the likelihood of intrusions by design,” he said.
Clarke Shouts Out CDM, NCPS Programs
During today’s hearing, subcommittee Chairwoman Yvette Clarke, D-N.Y., applauded the cyber EO as “a landmark effort to transform Federal cybersecurity by modernizing Federal agency cyber practices, strengthening supply chain security, and improving incident response and information sharing, among many other necessary enhancements.”
Rep. Clarke also cautioned, however, that past efforts by the Federal government have lost steam over time, and emphasized that the United States cannot afford to let that happen again. She recalled that Congress mandated Federal agencies take such steps as implementing multi-factor authentication and data encryption following the OMB data breach in 2015, but not all agencies ended up doing so.
“We must ensure that we do not lose focus and momentum this time,” she said. “I’m confident that the Biden administration shares my commitment to ensuring we continue to accelerate our efforts to protect Federal networks.”
Further, Rep. Clarke acknowledged the continued investment that the government needs to make to follow through on implementation of the cyber EO, particularly in the case of CISA with the variety of programs it runs to boost Federal agency security. She called the increased funding for cyber to date “a down payment on a much-needed sustained investment in Federal cybersecurity.”
“We must continue to build on it by ensuring CISA has the necessary resources to modernize its National Cybersecurity Protection System (NCPS) and continue to mature its Continuous Diagnostics and Mitigation (CDM) program,” Rep. Clarke said. The NCPS covers a range of security programs and efforts at CISA including its EINSTEIN intrusion detection and prevention program.
Rep. Andrew Garbarino, R-N.Y., ranking member of the subcommittee, also spoke appreciatively of CISA’s central role in helping Federal agencies implement the cyber EO and take steps to improve security, develop standards for critical software, and develop cyber incident reporting requirements.
“I have long maintained that CISA is uniquely equipped to lead the Federal government on cybersecurity measures, and I am pleased to see its potential recognized,” the congressman said.