The U.S. government is sharpening its focus on cybersecurity and looking toward data and zero trust as key tools in the effort. In January, the Office of Management and Budget released a federal strategy that guides the government’s widespread adoption of zero trust approaches. The Intelligence Community is also drafting a new data strategy for the first time since 2017.
Now, federal leaders are working through workforce and cultural challenges as they implement cybersecurity best practices within their organizations.
James Wolff, chief information officer for the Department of Energy’s National Nuclear Security Administration, said the main hurdle he encounters — aside from the sheer size of the DOE’s “vast” operational environment — is being able to educate employees on cybersecurity.
Though Wolff primarily classifies cybersecurity gaps as a data science problem, he said, “in the end, in any of these circumstances, it is still a person acting on a machine.”
“So somehow we have to understand the behavior of a person,” Wolff said during the Potomac Officers Club’s Reframing Cyber Posture Around Data Collection, Analysis and Action Forum. “We must also coach and develop that person, the customer of our systems, on what are good practices and not good practices, so that they operate more effectively with their systems and at a reduced risk.”
A concentrated focus on workforce development is critical not only because more educated users can lead to better operational outcomes, but also because users who don’t have a solid understanding of cybersecurity are finding ways to circumvent the measures put in place.
Often, there is a disconnect between the cybersecurity teams and the end users who are expected to adhere to security measures, according to Gerald Caron, CIO and assistant inspector general of information technology for the Office of the Inspector General within the Department of Health and Human Services.
As employees get more and more familiar with telework and remote work, Caron is bringing these users into the cybersecurity development process and viewing them as an essential part of the team.
Caron is now asking users, “What’s working for them? What’s good? What’s not working? What would they like to do better? What data do they need access to? When do they need access to that data? How do they want to be able to access that data?”
“That way we’re building it into our security as part of the requirements, rather than just doing security,” he explained. Caron said that after users have given their input and better understand the need, he’s found that cybersecurity measures are more adoptable and widely accepted by the users affected.
But Wolff warned that this effort must not come at the expense of a constant focus on strengthening cybersecurity capabilities.
“We have to do what we can to develop the entire workforce around cybersecurity, but then we have to be really building our capabilities to understand data at a much deeper and stronger level so that we can find those anomalies around behavior or anomalies in the data traffic that we see,” he explained.
Other issues federal executives encounter include security measures that are put in difficult locations, or ones that may just not be compatible with a certain system.
Specifically, Mike Toecker, cybersecurity program manager for the DOE’s Cybersecurity, Energy Security and Emergency Response office, said security tools like multi-factor authentication (MFA) can’t always be implemented for every system.
“There are many systems within an OT environment that really just can’t take an MFA piece,” he revealed. “So a lot of this comes down to, ‘Okay, what risks, what threats are we attempting to counter here with this MFA control?’”
Toecker said in order to build a risk-informed, threat-informed cybersecurity strategy, organizations should look at where their OT systems are right now and where leaders want their security posture to be in five years, and then strategically place controls in a way that makes sense and is cost-effective.
“When it comes down to it, you also want to avoid trying to put too many controls in places where they’ve never been before,” he advised.