A Prepared Workforce is Key to Cyber Resiliency

Strong training strategies and an emphasis on cyber hygiene basics enhance security practices at federal agencies.

Federal agencies are increasingly investing in the cybersecurity workforce to support ongoing zero trust and continuous monitoring goals.

One of the biggest issues is how to ensure the workforce can remain vigilant against persistent threats. Environmental Protection Agency (EPA) Office of Information Security and Privacy Deputy Director Mark Bacharach said building a resilient enterprise starts by training and preparing employees to know what to look for in cyberattacks.

“We have to really help them break down potentially complex ideas to simple things, so they don’t have to know all the technology, but they just have to be aware of those risks and then make good decisions,” Bacharach said during a GovCIO Media & Research GovFocus panel.

The EPA has returned to a “cybersecurity basics” approach and removed unauthorized user accounts within the enterprise that could pose security threats, he said. Using a zero trust strategy, the EPA evaluates threats at every level and assesses the maturity levels of the agency.

“We’re taking those things that we need to implement, to comply with a zero trust maturity model or to meet it. And then we regularly routinely assess it to determine what’s working, what’s not,” Bacharach said. “Our plan in general is to reinforce success.”

Continuous monitoring enables the agency to focus on new threats from bad actors and empowers the workforce to report cybersecurity incidents, based on CISA’s guide co-released with FEMA in January.

“Almost in the rearview mirror are the days when our employees are falling for free Amazon gift cards or AirPods,” Bacharach said. “The practices that are being used today are becoming harder and more complex. We have to train like we’re going to fight and use the methods and techniques that are applied against us internally to simulate the environment.”

The Department of Energy has also partnered with CISA following cyberattacks within the electrical grid in 2022. By mid-2023, CISA said it had alerted 60 entities in energy, health care, water/wastewater and other sectors about potential cyber and physical risks. Sharing information and data about potential or current cyber risks with partners has ensured that the exchange is bidirectional and that threat information stays up to date.

Emerging technology is showing promise for enabling agencies to be nimble while keeping systems secure. The State Department plans to use emerging technologies like AI and virtual reality for cybersecurity. Bureau of Global Talent Management CTO Don Bauer has been advocating for using AI to monitor threats in order to allow the workforce to focus on mission objectives.

“I have a staff of five on my security team. … We cannot monitor every single log entry,” Bauer said at the GITEC conference in Charlottesville, Virginia. “These are opportunities for AI to really start to add benefit, if nothing else, to point out things that just don’t look right.”

Bacharach said EPA is working to update policies based on President Biden’s AI executive order to prepare the workforce to assess and report cyberattacks.

“We’re working to put together some updated policy so that we can both comply with [the executive order] and make those capabilities available,” Bacharach said. “But at the same time put together some guardrails, whether it’s some updated training materials, so employees understand what are the potential pitfalls and how they can perform appropriate due diligence [or guidance on] using them safely and securely.”