Federal cyber leaders at the Defense Department and the FBI outlined some of their biggest challenges addressing a fast-changing cyber environment, and that includes a lack of cyber talent, bloated bureaucracy and budgetary constraints as a few of their biggest concerns.
“In my view, cybersecurity equals national security,” said FBI Deputy Assistant Director for Cyber Herbert Stapleton at FCW’s Elevating the Cybersecurity Discussion event this week. “What we need to do is continue to evolve our own approach and strategy to meet those demands, which is a really difficult thing for a government bureaucracy to do, but it's something we have made intentional and focused effort to try to do.”
Stapleton also announced his support for mandatory breach reporting. Sen. Mark Warner, chairman of the Senate Intelligence Committee, introduced a bill this summer requiring private companies and federal agencies to report cybersecurity breaches to the Cybersecurity and Infrastructure Security Agency (CISA).
“If we can effectively centralize that breach notification and provide transparent and unfettered access to that info to the FBI and others, that reduces some of the friction burden points in encouraging the reporting of cyber incidents,” Stapleton said.
The cybersecurity workforce shortage and slow-moving bureaucratic processes are major weaknesses in the current cyber landscape. When cyber attacks pummel federal agencies repeatedly in the space of milliseconds, cyber leaders need numerous agile defenders and strategies that can pivot on a moment’s notice.
Sudha Vyas, chief cyber architect at DOD, said the department is looking for “novel, innovative ways” to attract cyber talent.
“[We’re] partnering with [the Department of Homeland Security] and the [National Security Agency] and other federal agencies to look within academia and figure out how we can pull that into DOD,” she said at the FCW event. “With zero trust, we've seen a change in regard to the type of skillset required to meet our mission.”
Vyas said DOD needs to collect and analyze data on its cyber programs in order to determine cyber priorities, develop nimble strategies for addressing new cyber threats, and then use that data to ask Congress for the appropriate funding.
“We need to understand where those dollars are going and what they're for so when we do have to pivot, what gives?” Vyas said. “Right now, we're almost in that reactionary phase sometimes.”
Terry Mitchell, principal cyber advisor in the Office of the Undersecretary of the Army, said every DOD component as well as other federal agencies need to think about cybersecurity “as a partnership.” To address the cybersecurity workforce shortage, for example, NSA is considering offering more competitive salaries for cyber professionals to draw them away from government contractors and other private companies.
“The biggest problem is there's a lack of urgency to serve,” Mitchell said. “The world has changed. I would suggest the competition is really with people sitting in this room [government contractors] with the [military] services.”
Because cyber permeates so much of IT and IT operations, keeping track of cyber dollars can be challenging, which then complicates requests for cyber funding.
“You've got cybersecurity, you've got cyber operations, and you've got R&D,” Mitchell said. “Those three areas, what are we putting in those three areas? The CIO has a team to dissect that so we can understand what's in each one of those bins. When I took the job, I was asked to look at the 2022 budget. There's 25 buckets in the Army where cyber is found. [We need to understand] how that money is being used, so we can make the right requirements.”
Aside from budgetary complications and workforce struggles, Stapleton believes federal agencies, including DOD, can get a better handle on their cybersecurity if they adjust their cyber mindset.
“At the end of the day, cyber risk is business risk,” he said. “Getting to space where everybody takes responsibility for our cyber intrusions. The complexity of the type of attacks we see today … we can't use the defense techniques of 10 years ago to protect against the threats of today. It's just not feasible. It's not something that's going to be effective. We have to evolve those defensive strategies as well.”