Improving federal cybersecurity requires a radical mindset shift and a proactive approach to risk management, federal cyber leaders said this week.
Concepts and imperatives such as cyber incident reporting, DevSecOps and zero trust frame the recommended approach, but good cybersecurity ultimately comes down to culture, Army Software Factory Chief Product and Innovation Officer Hannah Hunt said at an ATARC webinar on Authority to Operate (ATO) modernization and DevSecOps Thursday.
“You can have a three-year ATO, and for a lot of organizations that means I won't look at my security environment for another three years,” Hunt said. “Talent management is a big piece to that. The focus on compliance over security is another big pain point that the Department [of Defense] faces. That all comes back to the talent management at the end of the day and not having that skill and knowledge to make those nuanced and risk-based decisions.”
The security of a product, such as a cloud application, must be evaluated from a holistic perspective, Hunt added.
“Some authorizing officials are better than others in that regard and really do want to provide that holistic risk picture as opposed to, ‘OK, I did my job I'll see you in two years,’” she said. “It's partly holding authorizing officials accountable to their mandate. It becomes a cultural thing. If we as a department want to champion the ATO as part of a risk management framework, that starts at the authorizing official level.”
In response to the rise in cybercrime, the White House’s Executive Order on Improving the Nation’s Cybersecurity mandates federal agencies adopt a zero trust approach to cybersecurity, and the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) requires owners and operators of critical infrastructure to report cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours.
Iranga Kahangama, assistant secretary for Cyber, Infrastructure, Risk and Resilience Policy at the Department of Homeland Security’s Office of Strategy, Policy and Plans, said all organizations are susceptible to the “lowest common denominator” of cybersecurity, even something as simple as a cloud login.
“No matter how big an organization you are, the smallest vulnerability can be quite damaging,” he said at a House Homeland Security Committee hearing Tuesday.
“Big commercial software have massive vulnerabilities on them,” Hunt added. “Anytime we bring in commercial-off-the-shelf software, there's a requirement to review the source code or security posture of the software before it's brought into the environment.”
CISA Deputy Executive Assistant Director Matt Hartman said every organization should implement multi-factor authentication and a cyber incident response plan, establish encrypted data backups, test them to avoid paying ransoms for stolen data and report cyber incidents to CISA as soon as possible.
Each prong of Hartman’s recommended cyber strategy requires a cultural approach.
“It is absolutely paramount that cybersecurity start at the top of an organization, at the board level,” he said at the hearing Tuesday. “Organizations that are working to develop incident response plans on the fly are generally not successful.”
According to Varonis, a data security platform service, 66% of companies say compliance mandates are driving cyber spending, but more than 77% of organizations do not have a cyber incident response plan in place.
But leaning on compliance won’t produce an effective cybersecurity strategy, Hunt said, and buying software products to implement zero trust won’t necessarily move the needle on an organization’s cyber posture. Upskilling workers and changing mindsets is key.
“From a talent management perspective, there's not a significant amount of knowledge around cloud and platform engineering. … That increases the level of risk-aversion to operate in those environments,” she said. “Something I see oftentimes is an overemphasis on compliance rather than security, as in paperwork and making sure what's being delivered checks all the various boxes rather than [developing] a truly secure platform. Making something complaint doesn't necessarily make it secure.”