Federal agencies are taking cues from industry for some of their most pressing cybersecurity challenges.
One challenge for the Cybersecurity and Infrastructure Security Agency's National Risk Management Center includes the threat model that has shifted in the past few years.
“There’s just more action right now in probing, trying to figure out things," said the center's assistant director, Bob Kolasky. "There’s more learning, and the adversary is getting better.”
As one of the newest components of DHS, CISA is a leader in protecting the nation’s critical infrastructure. The National Risk Management Center within the agency focuses on tackling sources of strategic risk by “studying trends and taking in information around all technology, around convergence, around where the [adversarial] actors are looking to do things,” Kolasky said while speaking on a panel at MeriTalk's Cyber Strong Brainstorm event.
“We are applying those to our understanding of the most critical functions that our infrastructure produces and then working together with industry and other parts of government to make progress to close some of those gaps,” he added.
Working to keep up with a shifting threat model is not an issue foreign to the Defense Department, neither is the use of legacy systems. Yet both still present their own set of challenges.
Referencing a Government Accountability Office report regarding DOD’s use of Windows XP, DOD Director of Cyberspace Mission Assurance and Deterrence Daryl Haegley said, “That shouldn’t be any news to anybody.”
Part of the greater challenge, however, is, “Who is ready to fork up the money to pay to get all [of the systems] to the latest versions?” he added.
To help agencies such as DOD with their cyber challenges, U.S. Cyber Command in partnership with the Maryland Innovation & Security Institute created DreamPort, a cyber innovation, collaboration and prototyping facility right outside Washington, D.C. Much of the work DreamPort does is efficacy testing, modeling and evaluation with regard to cyber aspects of the Defense Industrial Base.
Overseeing DreamPort's operations is Director Armando Seay, who addressed the critical need for U.S. supply chains in order to mitigate risk.
“If we want to reduce the amount of threat vectors there are," he explained, the solution "is to start manufacturing the things that are the most critical to our critical infrastructure back in the U.S., where we control the supply chain, where we can put our rules and regulations on it, rather than hunting for the adversary under every couch cushion.”
Although Seay has already seen a lot from industry, he would like to see more in terms of “awareness of the problem set,” he said. “There’s definitely a huge shortfall. ... One of the best ways to begin to prepare to defend against something is to understand the threat, understand how it exists and where it exists.”
As for DOD, Haegley would like to see industry using its own products. He explained that in meetings he will often ask if companies are using the solutions they bring to government to manage their "own building systems in [their] headquarters” — they don't.
Nonetheless, he is appreciative of the impact industry can have on implementing positive change.
“It took industry to communicate to Congress to put together, in NDAA language,” said Haegley, referring to section 1650 of the National Defense Authorization Act for fiscal year 2019, which grants “pilot program authority to enhance cybersecurity and resiliency of critical infrastructure.”
“That did not happen on our own, and I’m very thankful for that,” said Haegley. “Because now over the next two years, we are sending teams out. We are looking at our critical infrastructure of our most important bases and systems, and once we get through that assessment, we will need mitigation. We will need solutions.”