Federal CISO: Cloud Is Critical Infrastructure, Too

Grant Schneider joins Cybercast to discuss the national cyber strategy, acquisition and more.

When thinking about securing the nation’s critical infrastructure, U.S. Chief Information Security Officer Grant Schneider says it’s important not to overlook the growing cloud computing environment, which supplies a crucial link in the chain.

“If a whole bunch of our energy companies are reliant on a web service or a cloud service for capabilities, then all of a sudden that cloud service also seems to come in as a piece of the critical infrastructure,” said Schneider, who’s also senior director for cybersecurity at the National Security Council (NSC).

Schneider joined CyberCast podcast hosts Kiersten Todt and Roger Cressey last month, where he addressed the outsized role social media platforms can play, the government’s policies on offensive cyber capabilities, cyber tools, and the need for streamlined procurement processes.

Cloud providers don’t fall into what the government generally thinks of as critical infrastructure, such as the power grids and other industries targeted earlier this year by Russian hackers. But the interconnected nature of IT systems, and infrastructure operators’ reliance on cloud computing for operations, make cloud an infrastructure concern.

Schneider also said government needs to have an open dialogue with the providers of social media outlets, because of the impact they can have on political and social discourse.

“People trying to influence elections is not new. People trying to influence lots of things is not new,” he said. “However, the scope and scale and speed at which that can happen due to the technology that we have today, and due to social media, has really heightened that. It has the potential to actually have far more impact than it has in the past.”

A comprehensive, nationwide effort on cyber defense would include those providers. “I think the government has to more directly engage with those industries,” he said. “We need an open dialogue on how do we deal with this, because it’s not a government problem, it’s a national challenge and I think we need to have an open dialogue on how to move forward along those lines.”

Tools of the Trade

That whole-of-nation type of approach also needs to include industry, which can help cybersecurity by producing tools that meet what Schneider said are his four criteria for cyber tools and capabilities:

  • They have to be simple enough to be used without undue amounts of training.
  • They must be agile enough to adapt to new developments as they arise, particularly because the time involved in the procurement process can render some tools obsolete by the time they get to the field.
  • They need to be interoperable enough to be horizontally integrated with tools from other vendors, because the government will always have a mix of products.
  • And they must be secure in and of themselves, and able to interoperate securely. “We want the functionality and the flexibility but it’s got to come out of the box in a very secure manner,” he said.

Another thorn in the side of both the government and vendors is the procurement process itself, which Cressey called a “dumpster fire,” particularly with regard to a protest process that can cause delays of six to 24 months and waste millions of dollars, often when there was no procurement violation to start with. Schneider agreed that the current structure leads to inefficiencies that cost the government in more ways than one.

“The acquisition timeline for us, it slows down everything,” Schneider said. “It slows down our ability to get security tools but it probably more so slows down our ability to modernize our IT.” He said Todt’s suggestion that protesters be required to put some “skin in the game”—to assume financial consequences for making a protest—could help improve the process.

Cyber from the Inside Out

Schneider said he sees cyber defense as an ongoing process that got significant boosts from the release in September of the National Cyber Strategy and the release last year of Executive Order 13800 (Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure). Under EO 13800, the government has made significant strides with the Federal Cybersecurity Risk Determination Report and Action Plan, which helps track allocation of resources and identify where gaps in policy might exist.

The government also has made progress in terms of deterrence, he said, using sanctions and indictments, and “holding malicious actors accountable for their behavior in cyberspace.”

Within the federal sphere, the key to grading agency networks and security practices isn’t so much to assess blame for shortcomings, but to identify and fix vulnerabilities, as well as to recognize that no system will be perfect.

“I think we need to embrace some of the failures,” Schneider said. “Because, quite frankly, risk management means I prioritize some things higher than others. And if the failure or the incident happens at something that was lower on the priority list because we knew we could accept risk there, then we actually have to find a way to congratulate people for doing a good job on risk management, not beat them up because someone got into one of their websites that wasn’t that important in the first place.” 

While much of the focus is on cyber defense, offensive cyber operations also are becoming more of a factor for the United States, with National Security Adviser John Bolton recently confirming that offensive cyber operations have been approved. But Schneider said it’s important to remember that cyber weaponry is just one more tool the government can use in pursuing its defense.

“It’s not that you fight cyber with cyber, necessarily,” he said. “Cyber is a tool that can be used in a variety of different forms. And a variety of other tools can be brought in for response or reaction to cyber activities as well.”