Donna Bennett, enterprise chief information security officer of the State Department, said that safeguarding information is the organization’s “top priority” and it has undertaken a “monumental effort” to fortify its cyber defenses and consolidate its array of networks to keep pace with the increasingly digital threat environment.
Bennett, who delivered a keynote address Thursday at the Potomac Officers Club’s Enhancing Cybersecurity for Critical Civilian Infrastructure Forum, noted zero trust as one area the State Department is focused on as it moves toward a more modern cybersecurity approach.
“While the concept of zero trust has been around since the nineties, it has only recently gained more prevalence and become more of a construct for all of us to follow. With the rise of mobile platforms, clouds and threat surfaces, the network has risen exponentially,” said Bennett.
“On the other hand, the means and motivation of potential adversaries to infiltrate and exfiltrate data from networks has also grown over the years,” she added.
One way the State Department is addressing these evolving threats is by looking more closely at cyber supply chain risk management, Bennett said. She cited the 2020 SolarWinds hack, in which the data of thousands of public and private sector organizations was compromised, as the catalyst for strengthening supply chain focus.
“I am a firm believer of trusting but verifying,” Bennett said. “We trust our vendors, and they tell us their product is secure, but we also have to verify it.”
To successfully verify an offering, she explained, the State Department must maintain a close relationship with its vendors and understand how they are developing products within their environment.
“When we sit down and look at modernization and systems coming into the inventory, we are expecting the system to be designed securely – not riddled with all kinds of vulnerabilities,” said Bennett.
An aspect of this approach, she said, is the expectation that the scans and procedures necessary to identify any vulnerabilities are completed during the design process, and that suppliers “plug all of the holes” before a product is deployed.
This concept goes hand in hand with the department’s method for adopting Internet of Things technologies, which, Bennett said, has previously overlooked the vulnerabilities that this type of connectivity can bring.
“We have our building maintenance team, and when they are focused on automating, implementing and deploying these tools, they do not necessarily think about the information technology and security side of it,” she elaborated.
Bennett said that to patch these gaps, there is a need to educate all involved parties on secure ways to create and install these tools to prevent vulnerabilities and decrease opportunities for adversaries to strike.
“It really is a community effort. If we are not coming together with industry, government and academia with the same goal and purpose of becoming more secure, we are only hurting each other – and communication is critical in that flow,” she said.
Any technology initiative, said Bennett, must “tie to the mission.”
“At the end of the day, it’s a balancing act. You are balancing the mission, you are balancing security, and you do not want the network to be locked down to the point where no one can actually execute their mission,” she said.
For additional insight into federal cybersecurity priorities, the Potomac Officers Club is hosting its 2023 Cyber Summit on June 8. The event will connect numerous public and private sector cybersecurity specialists to discuss cyber capabilities and threats in the evolving domain. To learn more and register to attend, please visit the Potomac Officers Club events page.
