The Office of Management and Budget published the Federal Cybersecurity Risk Determination Report and Action Plan in May. It’s an overview of the state of cyber risk in federal agencies, cyber gaps and needs, actions to improve federal cybersecurity and how to implement those actions.
The findings are based on an evaluation of 96 agency risk management assessment reports, and according to those assessments, two of the most significant areas of risk are the abundance of legacy IT and lack of experienced and capable cybersecurity personnel.
But what can federal agencies and their stakeholders take away from the report, and what do the results mean for the state of cyber risk and the future of national security? And ultimately, what needs to be done?
To break all this down, GovernmentCIO Media sat down with the former first federal chief information security officer and current president of Cyxtera Federal Group, Brig. Gen. Gregory Touhill. Touhill is a retired U.S. Air Force officer and combat veteran, and he was appointed to serve as CISO by former president Barack Obama in 2016.
Touhill believes the report is the “most accurate characterization [of cyber risk in government] we’ve had thus far,” he said, but as a nation, we’re still behind.
GovernmentCIO Media: Looking from the outside of government in, is the country where you would have hoped it would be in terms of cybersecurity?
Touhill: I think the answer is no, but then again, when I left the military and came into the federal government, I always thought we were about 10 years behind where we needed to be. I think we’re probably nine-and-a-half years now behind where we need to be. There’s several pockets of excellence out there but consistent excellence across the board is still elusive, and that’s why I think cybersecurity needs to be pushed up on top of the agenda.
GCIO Media: Why is that? What are the federal government’s top information and cyber challenges?
Touhill: First of all, you need to understand what type of information you have and protect based upon the risk of that information. Sadly, most departments and agencies don’t even really have a good data inventory. And as we learned from the Office of Personnel Management breach, simple nuggets of information that may appear to be mundane and unclassified when aggregated becomes strategically important.
Secondly, you have old, antique equipment and software, but we also have out-of-date personnel. We need to improve on all of them. I have a saying that I call Touhill’s law, where one human equals 25 computer years. If you take a look at people, processes and technology as the keystones of a good security program, you need to make sure you’re keeping up to date with the people, process and technology. So I think there’s a lot of work to be done to provide balance and keeping current.
The third thing is following through. I think we’re spending way too much and not getting what we need, so I much rather have people follow through rather than chasing the latest fad. Use what you have properly before you go graduate to the next thing.
The fourth and final thing is, I think we have really poor governance and oversight. Both the executive and the legislation branches of government are guilty of this. The executive branch isn’t necessarily doing a really good job of managing at the enterprise level, and the legislative branch isn’t doing a really good job of providing oversight to hold folks accountable. Or, they continuously shovel money in a problem without strategically looking at how we get a better handle on all that stuff.
GCIO media: Let’s talk about the results. The report determined that 71 of the 96 agencies assessed have cybersecurity programs that are either at risk or high risk. Does this surprise you, having left government only about a year or so ago?
Touhill: Nope, I’m not surprised at all. We’re never going to get risk to zero, ever. There’s not enough money to poor down the pit, to fill it in completely. So you have to take a risk-based approach. And understanding your risk, or risk factors, is critical. But all too often we had folks in the past who were not taking that risk-based approach, who were accepting risk whether they knew it or not, and it came back to bite us.
GCIO Media: OMB also found that agencies are not equipped to determine how threat actors seek to gain access to their information, and this lack of threat information is creating enterprise-wide gaps in network visibility. How do agencies even begin to tackle this?
Touhill: I don’t think we’re going to have enough qualified manpower to fill the need. I think we need to fundamentally rethink our architecture and how we deliver services. Right now, every department and agency owns their own. They are independently owned and operated franchises. We don’t see the private sector using that many fragmented organizations. They have a lot of unity, they use a lot of shared services. Our current architectures are based on those 1980s organizational charts where everybody does their own thing.
I’d like to see the federal CIO further empowered to bring things together from an IT standpoint. I’d like to see an IT agency for the federal civilian government. The military, we had Defense Information Systems Agency chartered years ago to handle that and we now have enterprise email in the military. Frankly, those were terrible bloody battles to get to that point, but we did it. We were able in the military to reduce our attack surface from an ungodly amount to a smaller amount. Federal government and civilian agencies, they need to do the same. I think it makes a lot of sense to do more shared services, to having an IT agency for the dot gov, and to leverage private sector, best-in-class capabilities on a competitive basis.
And, every device you have should have multi-factor authentication.
GCIO Media: OMB also found that 59 percent of agencies reported having processes in place to communicate cyber risks across their enterprises. What does this mean and what needs to be done to increase that number?
Touhill: We have found that the principle means of communicating cyber risk is email, where folks say “there’s a spearfishing thing coming out so don’t click.” Frankly, cyber threats come in a lot of different sizes, and it comes in an ill-trained workforce. When I was the National Cybersecurity and Communications Integration Center director, the official word was over 85 percent — I think it’s over 95 percent — of the incidents the U.S. Computer Emergency Readiness Team went out to address in the .gov space was caused by carelessness, negligence or indifference to policy.
A threat pops up, something that people should know about right away, and email continues to be the number one means of getting it out. So, how many folks are waiting by their email for that to pop up? I think we need to be more innovative in how we get that out. There’s lots of different alerting software.
And our people aren’t stupid, sometimes they’re ignorant to these things because we haven’t taught them. We need to do a better job at teaching folks how things work and why. You don’t have to be the technician, but you do need to know how your actions will have an impact.
GCIO Media: Can we ever really fully trust humans? Even with training?
Touhill: No, and that’s why I embrace a zero trust model. Because good people do make mistakes. I don’t always know who is operating the WiFi that you’re connected to. Frankly, all of our devices are like that, so we really have to adopt that zero trust model in dealing with protecting your information. So I am a huge fan of encryption, and encryption relies on mathematics. I think we need to make America’s math great again.
But everything is interconnected, you can’t control everything. What you can control is your particular information. I encourage everybody to adopt a zero trust model, leverage 21st century security, like software-defined parameters, and don’t trust anybody.
GCIO Media: So install capabilities that help make up for human error?
Touhill: Yeah, and right now, for example, we’re still relying on 1990s technology that were based on late 80s ideas. So the firewalls that we have in place, they are great but they’re congested, like somebody who's been eating triple cheeseburgers everyday and getting no exercise. Virtual private networks, they were great in 1996 when they came out, along with firewalls, but 1996 was how many years ago? You go into a Defense Department firewall, how many rules do they have? Tens of thousands of rules. And pretty soon, it’s like cholesterol in your arteries. So that’s where that software-defined perimeter technology comes in. Lets reinvest well, let’s not buy the same old stuff.
GCIO Media: So, the report shows that agencies are also having trouble detecting when large amounts of information leave their networks, and then they have low incident response rates. Is this a technology problem? Do we not have the software in place?
Touhill: I think this gets back to several different factors. One is we have some people who are making decisions who don’t know what’s within the state of the possible. Data loss prevention tools are out there, digital rights management tools are out there, and sadly, across the federal government, they have not been universally promoted or implemented.
A lot of people don’t understand the value of information we have. There are tools that can help them, but I think frankly, it’s not understanding the value of the information, being overloaded with tools, and there are a lot of CIOs who are not getting enough resources to do all the taskings that they have.
GCIO Media: OMB included four planned actions that it considers essential to addressing these cybersecurity risk management challenges: implement the Cybersecurity Threat Framework, standardize IT capabilities and tools, consolidate Secure Operations Center operations, and drive accountability for cybersecurity risk management across the enterprise. Is there anything you’d add?
Touhill: How many times have we heard those before? Let’s have some specific action plans, and that’s what I was a little bit disappointed in. I think that we ought to have some very specific and actionable goals, and we need to follow through. And one of the first ones is, we need to adopt multi-factor authentication uniformly across the federal government. We’re right on track for its original implementation by the end of 2008.
Adversaries are going after these username and passwords. That’s how they got into OPM. So, that might be a good actionable thing. Let’s do the basic blocking and tackling, control access. Frankly, username and password was state-of-the-art on Sept. 6, 1979, when I enlisted as an airmen. Some people are still using it, and it’s almost 40 years later (if applying Touhill’s law of one human year equals 25 computer years, that’s nearly 1,000 years old).
GCIO Media: What are the critical factors for maintaining or ensuring national security, beyond a strong cybersecurity program?
Touhill: The National Cybersecurity Framework; identify, protect, detect, respond and recover. We have the risk framework, let’s use it. Are we really taking an enterprise view or are we still taking a franchise view? At this point, I’m not convinced that we’ve got past franchise. And when we do, I think we’ll deliver results better.
GCIO Media: In your opinion, what are the greatest threats to the nation and its citizens if these cyber gaps aren’t resolved?
Touhill: I think national prosperity and national security are at risk. If I were to take out, through an electromagnetic pulse, or something catastrophic, if I was able to take out all the electronic devices, society would ground to a halt. And we don’t practice for a really bad day, and I’m not convinced that our contingency plans are good enough across the board. So you can have the greatest, coolest tool, but if you don’t plan for it not being there, then the day it’s time, it’s going to be the worst day you ever did not imagine.
Architect for success. Really bad days are going to happen, your architecture needs to be resilient.
GCIO Media: So that was a lot to take in. Can we go over the key takeaways?
Touhill: I think we’re spending too much and not getting enough, we’re running at high risk. I thought Josh (Joshua Moses, OMB's director of federal cybersecurity performance) did a really good job on the report. We’ve got a long way to go, and were still about nine-and-a-half years behind schedule.
And the biggest risk still is careless, negligence and indifference to policy, a poorly trained workforce, and lack of management attention. When was the last time you heard someone get fired because they made a big mistake in cyber? Accountability is key, and oversight is really important too.
Editor's note: Responses have been edited for clarity.