"Strategic and tactical cyber actions the new Administration needs to get right."
The topic was about advice to the current Administration, but the discussion was mostly budgets and agency equities. Chaired by Greg Touhill (former US Federal CISO), the panel included Peter Kim (CISO, US Air Force), Roopangi Kadakia (Chief Cloud Strategist, US Department of Veterans Affairs), and Chris Wlaschin (CISO, US Department of Health and Human Services).
Plans and equities.
Wlaschin did announce some interesting plans, describing Health and Human Services' interest in standing up an HHS analogue to the Department of Homeland Security's National Cybersecurity and Communications Center (better known by its acronym, NCCIC). The proposed organization would do for the communities and sectors HHS oversees and serves roughly what the NCCIC is intended to do for incident response across the Federal Government: share information in a timely way that facilitates incident response and emergency remediation.
Kadakia described the extent of the VA's IT resources ("vast") and how the Department is trying to become a cloud-first organization, with an emphasis on security and shared services.
In his opening remarks, Kim spoke about the CISO's role in the US Air Force, and about the Service's decision to take a more comprehensive approach to cybersecurity, moving beyond a compliance-based mindset.
Budgets and staffing.
Touhill asked the panel about the Administration's determination to cut budgets. How would a 20% cut affect each of their departments?
Of course, the Department of Defense isn't concerned about cuts at present, so the Air Force's Kim deferred to his colleagues. But Kadakia said that actually, the VA was also not in line for cuts.
The situation at Health and Human Services is different. Wlaschin said that the Department is in line for cuts, and is working hard to run "lean," focusing on essential, core assets such as the Centers for Disease Control and the National Institutes of Health. One area the Department will emphasize is control of financial fraud, which would include grant fraud, loss of intellectual property, and so forth. Each use case presents its own distinctive challenges.
A major aspect of new budget controls is the current civilian hiring freeze. Touhill asked how this was affecting organizations.
Wlaschin saw the challenge, fundamentally, as being about creating an organizational culture sufficiently attractive to bring in the talent the Department needs. The competition for talent is tough—not only against the private sector, but against other agencies as well. To a question about whether exceptions to the hiring freeze were available, Wlaschin said they were, but that credentials and background checks remained significant obstacles to hiring.
In the VA, which can't compete on salary (especially for scarce skill sets), Kadakia said that recruitment is all about the mission. Kim said the Air Force faces similar challenges, even though it's less affected than other agencies by the hiring freeze.
Consolidation and other efficiencies (which come with their own risks).
With much current talk of consolidating data centers and working to achieve other economies, Touhill asked if there were any hopes for or concerns about the prospect of "consolidating the attack surface." Kim thought reduction of the attack surface extremely important, but he also said that getting Major Commands to give up their data centers and other organic IT assets was proving a major challenge.
Kadakia thought the cloud will help reduce the attack surface. "We must look at different governance models, especially in continuous monitoring and disaster recovery. Automation will help reduce attack surfaces, and above all we don't want to build 'silos of excellence.'"
Agreeing that the attack surface should be reduced, Wlaschin cautioned that we should consolidate where it makes sense to do so, and not as a matter of blind principle. He thought in particular that much work remained to be done on identity and credentialing. Credentialing, and monitoring of both users and devices, belong in smarter networks. "Put these with the network, not with the users."
The panelists generally agreed that automation and intelligent use of scarce talent represented the way forward for their agencies. Their users continue to need education, and their security staffs need more hunters.
Summary: from technology to information.
Touhill summarized for the panel. In his view, we're moving from a technology focus to an information focus, and so far the Government hasn't done very well here. Most Federal information should be open and transparent, while preserving privacy, civil rights and civil liberties. The challenge is to protect the data while making the information available to the public.
He also called for a concerted public-private educational and vocational training effort, to go hand-in-hand with a public awareness campaign that could inspire the general public to better, safer behavior online. In response to a question, he said he'd like to see a Woodsy Owl kind of character that could inspire children to pursue careers in science, technology, math, and engineering. (Johnny Horizon was unavailable for comment.)