Now, more than ever, cybersecurity and zero trust are at the top of the U.S. government’s priorities. In today’s increasingly complex geopolitical environment — across all domains — protecting and fortifying data is the first and foremost focus for public and private sector leaders alike.
“Data is being used today to drive a lot of different assets and a lot of different facets of our environment,” Tom Sasala, chief data officer for the Department of the Navy, said in a panel discussion during the 3rd Annual CIO Summit. “But we have found, at least on the Navy side, that we are suboptimal in a lot of the IT investment and management processes.”
Top Navy officials are looking now at how to pull together the concept of business process reengineering with the larger concept of capability portfolio management. This will help the service draw a thread from the mission to the requirements and through to the desired outcome, all supported by data and a robust IT environment, Sasala said during the Potomac Officers Club event.
This reengineering effort will eliminate data redundancies and ultimately bolster cybersecurity.
“Whenever you have systems that all do the same things, they’re generating similar data, which is a duplication of data from my perspective, which introduces a lot of nuances and a lot of problems from a data management perspective,” explained Sasala. “It’s actually starting to affect us in terms of data security, protecting our data.”
Another factor affecting cybersecurity is the integrity of industry software and code. Pointing to cyber attacks like the SolarWinds hack in 2020, James Robinson, deputy chief information security officer for Netskope, said organizations must look to zero trust to ensure security.
“I think it is important that we work with our industry partners to understand the quality of code that they’re creating and that they have a secure code development process prior to us purchasing that and putting it in our environment,” Robinson said.
Public-private partnerships are not the only part of the solution, though. Holes in the systems, and bad actors looking to exploit them, can still pose threats.
If these bad actors can “build a back door into the hypervisor or the server that provides this cloud-based service, it’s much more critical — they can do a lot more damage to you and they can see everybody’s data,” explained Robinson. “So it is important that we continue down the zero trust path, and hopefully, we’ll be able to set up some trip wires to catch them.”
However, while zero trust principles are meant to keep the “bad guys” out, they can be hard to navigate in situations where credentialed, vetted employees lose network access, moderator Denise Oberndorf, vice president at Capgemini, said in a question posed to the panelists.
To solve this, Dave McKeown, deputy CIO for cybersecurity and senior information security officer for the Department of Defense, said automation can be a powerful tool.
“We need to adopt robotic process automation, more self-service steps,” McKeown suggested. “There are a lot of humans in the loop right now, and we’ve got to get better at this and be able to let people go off on their own and recreate their own accounts and have all those automated validations built into the system.”
Cybersecurity is also an important aspect of 5G and its emerging successors like 6G and NextG. But recent developments in 5G have not prioritized security at the right layers, said James Bishop, CIO and CISO for the Department of the Air Force.
5G is “missing the mark” right now by “only addressing the transport components of security,” Bishop said. However, he continued, “I have seen good standards emerge at that data layer, that database layer, securing web services at that transactional application layer. That’s really where some of these attacks are gonna happen.”