Open-source software and offensive cyber tactics played a role in the Russia-Ukraine war, and that experience contributed to the development of the new National Cybersecurity Strategy, released March 2.
One of the goals of the strategy is to create a sense of urgency around cybersecurity and incentivize long-term investment in strong cybersecurity practices, according to Assistant National Cyber Director for Technology Security Anjana Rajan.
“Cybersecurity is everybody’s job” and needs to be both “a top-down and bottom-up thing,” said Department of State Director of Strategy, Planning, and Budget Kenneth Rogers.
Industry and federal agencies need open-source software to remain competitive, but software developers need to be held accountable for poorly developed code that results in security breaches, said the White House's Rajan.
Stacy Bostjanick with the Defense Department discussed how the Defense Industrial Base (DIB) needs to do more to protect sensitive government data in hybrid cloud environments. Bostjanick leads implementation of the Defense Department's Cybersecurity Maturity Model Certification (CMMC), which evaluates DIB companies' cybersecurity practices to ensure compliance with DOD requirements.
CISA Cybersecurity Advisor Jason Burt said more collaboration is key to advance strategic priorities for fiscal year 2023 and defend against more formidable threat actors, especially with regard to election security and protecting critical infrastructure.
The “Race to the Cloud” program aims to get data to the right place at the right time so the Air Force can “go from any place we exist today to someplace we don’t know we need to be tomorrow,” said Department of the Air Force CISO Aaron Bishop.
NASA uses the cloud to share data beyond the agency's walls, but adversaries can use that to their advantage to take time and resources away from agency personnel. "We have about 60 petabytes of data that's in the cloud today that we make open and available to the public for free," said NASA Cloud Computing Program Manager Joe Foster. "We do have state actors that go into NASA's public data repos and try to download the entire thing every day, and we have to go in and throttle them."
Joe Foster at NASA highlighted two National Institute of Standards & Technology (NIST) programs his agency uses to secure hybrid cloud environments: the NIST Risk Management Framework and Open-Source Control Assessment Language (OSCAL). "We're going to bake in all the compliance checks as part of the Rev 5 transition by using OSCAL so it will no longer be a PDF system security plan, but will actually give people a Gitlab area [to] go write your controls in this OSCAL markup language," Foster said.
DISA focuses on building automation into cloud applications to prevent shadow IT and move at the speed of mission. “War doesn’t have a time zone, so we have to make our applications available and configurable anytime,” DISA HaCC Technical Director Korie Seville said.