Though new initiatives like the Cybersecurity Executive Order cover many of the same issues tackled by past administrations, the focus on IT modernization will make a big difference in actually improving cybersecurity, according to Barry West, senior adviser and senior accountable official for risk management at the Department of Homeland Security.
“The last administration made a lot of great progress with cyber, but it was really hard to get that traction,” West said at a Digital Government Institute event on Sept. 6.
“And what we’re seeing here with this new administration is they’re saying ‘OK, we’re going to continue to do cyber, but we’re also going to add in some really key points in moving the ball forward around our legacy systems.’ That is a broken record across every government agency out there, and the administration has seen that and brought in some really smart people at the White House to look at this who have spent time in government and industry. And what they’re doing is pushing the envelope with IT modernization.”
According to West, groups like the White House’s American Technology Council are vital in ensuring that the most modern technology is considered in cybersecurity decisions. The council recently placed greater emphasis on IT modernization through a report released last week that prioritizes the movement to cloud and shared services.
“This order is mandating every agency head to be accountable for their cyber in their agencies,” said West. “All of our procurement folks are going to be asked the question: Why couldn’t you do this in the cloud? And they’re going to be held accountable. And you’re going to see that relationship between the CIO, the chief procurement officer, and the CFO continue to forge and even become closer as we move forward. The president is also holding his Cabinet and agency heads accountable for managing the cyber risk with this order.”
Government and industry experts said that this accountability will help motivate those leaders to keep their agencies moving forward.
“I think it’s been proven that if you are measured on something, you’re going to focus your attention on it and try to improve upon that,” said Ken Durbin, unified security strategist at Symantec.
According to Ron Ross, fellow at the National Institute of Standards and Technology, it’s the combination of accountability and modernized technologies that will make the difference.
“I think what’s been lacking is, you can tell someone they’re accountable and they’re responsible till the cows come home, but you have to give them the appropriate tools, processes, and techniques to be successful,” said Ross. “That’s what I think you’re going to see different coming out of the executive order. The heads of agencies have been responsible and accountable for security since FISMA [Federal Information Security Management Act] started back in 2003, so there’s really nothing new there. It’s being re-emphasized in the executive order, in a good way, and, more importantly, it’s being tied to modernization.”
Ross also applauded the order’s emphasis on shared services, which he said will not only save the government money but also make its systems easier to defend.
“Instead of every Federal agency building their own system, we have a lot of things that are common, like a payroll system or things like email,” said Ross, explaining that each system requires investments in purchase, authorization, maintenance, and reauthorization. “If you have a shared service, you do that one time. Reducing complexity is going to save us money, No. 1, it’s going to give us a smaller target to defend, and we can apply our best practices in cybersecurity on that smaller target, and then we can save all of our high-value assets, we can keep them within the Federal boundary.”
“At the end of the day, we all have the same problems and a lot of it’s not about the technology,” said West. “It’s about people, and the processes, and getting those in line, and good documentation and good process.”
He added that, despite the recent focus on congressional budgeting, political discord, and natural disasters, he hopes agency leads will be able to stay on track for upcoming dates under the executive order. According to West, government should be especially focused on cybersecurity when facing natural disasters.
“From a bad guy perspective, a country that wants to do damage, what better time to do something than when we’re actually focused on these major natural disasters?” said West, who worked at the Federal Emergency Management Agency (FEMA) during Hurricane Katrina in 2005. According to West, FEMA systems were infected with a virus during relief efforts, and his office was luckily able to stop it before damage was done.
“We have to be on guard even more so during these types of natural disasters,” said West.