Department of Homeland Security cyber leaders see President Joe Biden’s Executive Order on Improving the Nation’s Cybersecurity as the beginning of a “journey” to develop more comprehensive, consistent cybersecurity strategies at federal agencies.
This journey, they said, will help federal agencies deploy emerging technologies safely and securely to dramatically improve mission delivery.
The Office of Management and Budget is putting together a cloud security strategy “focused on zero trust that will probably be going out for public comment around the 90-day mark (of the executive order). All of this comes together to help guide agencies in a standard and consistent direction over the next couple years as we continue to make progress here,” said CISA Deputy Assistant Director of Cybersecurity Matt Hartman at an ACT-IAC Homeland Security Forum last week.
The 90-day mark of the executive order is Aug. 10. Iranga Kahangama, director of cyber incident response at the National Security Council, said the order was a “direct response” to the SolarWinds hack discovered in December 2020.
“Many of these EO tasks are sprints to develop architectures or roadmaps, and these are the initial milestones that will set additional milestones that will commence multi-year journeys,” Hartman said. “Many of the core issues being addressed will only be solved through years, literally years, of focus and investment.”
At DHS, CISO Kenneth Bible said he’s focused on creating consistent cyber “roadmaps” to bulwark the network against cyber threats.
“If I understand the control environment and can map that consistently, I can alleviate some of the risk to the organization and have a more seamless path to an [authority to operate],” he said during the forum. “What I'm talking about in terms of that framework is to understand the threat and how the threat maps to the controls and map the controls to my technical solution.”
Alethea Duhon, associate director for analysis at CISA's National Risk Management Center, said federal agencies also need to focus on securing their entire IT supply chains.
“Everything connects in the supply chain to how we acquire components. That's why it's so important for networks to be secure,” she said during the forum. “Data travels overseas. We're guided by three principles: risk management, stakeholder engagement and technical assistance. Everything connects.”
Carole House, director of cybersecurity and secure digital innovation at the National Security Council, said the Biden administration has “really been pushing” for a national security strategy for 5G to mitigate “significant national security risks posed by high-risk suppliers.”
But network decentralization at federal agencies is also a national security risk.
“On the paradigm shift to decentralization, there's a lot of potential benefits with networking and decentralized ledger techs, future identity management developments, financial access and inclusion, decentralization of payments has a lot of really great potential to facilitate peer-to-peer interactions,” House said at the forum. “There's great potential for innovation, but they can also be exploited, the way any tech or software can be used for good, can be used for bad, and the vulnerabilities that exist depend on how they're designed.”
As Bible pointed out, “The problem with [software as a service (SaaS)] isn't really SaaS,” it’s the components and suppliers that make SaaS. Federal agencies need to work on understanding their software supply chains and their network supply chains as they prepare for 5G.
“What I see here is there's no single stakeholder that can comprehensively manage systematic risk,” Duhon said. “It takes a village. We all have to build that trust. We have to collaborate.”