An introduction to this article appeared in the monthly Creating Connections newsletter put together by the women of The CyberWire. This is a guest-written article. The views and opinions expressed in this article are those of the authors, not necessarily the CyberWire, Inc.
Top takeaways from a summer in government: How can we bridge the gap between Silicon Valley & DC?
This summer, I was fortunate to spend time at the Cybersecurity and Infrastructure Security Agency (CISA), getting a better understanding of the nuances of cybersecurity at the federal level. What does it take to secure a nation's infrastructure? What is the public sector's role, as opposed to that of private-sector vendors and product developers? How interconnected are the two spaces, and how can we trace where the gaps lie?
From my vantage point, here are my top lessons and takeaways from looking "behind the curtain" at how the US government carries out cybersecurity diplomacy, the challenges it faces, and some potential innovations that could bridge the gaps.
1. The United States does a lot of capacity building: bilateral projects in developing countries that are both humanitarian and diplomatic. These partnerships are based on formalized foreign policy statements, developed through a strong partnership with the State Department, and are actioned through inter-agency agreements (IAAs) with State that come with funds to carry out the international projects.
- At any given time, it is a huge challenge to prioritize which requests from different countries to take on. More specifically, we do not have visibility into just how interconnected we truly are with other countries (which countries depend on which for their supply chains? which countries have geopolitical tensions with which?), and that visibility could better inform our prioritization model.
2. Everything is a team effort across CISA, the FBI, DOJ, and all the other agency counterparts. For instance, public attribution of cybercriminal activity to a specific group is a total team effort: some organizations may decide it is more beneficial to attribute publicly so that private companies can defend themselves better, while others believe it is better to keep operating in stealth. Sometimes the decision is vetoed, but most of the time a unanimous decision has to be reached. To make this communication tango work, there are "liaisons": individuals from CISA who sit within agencies like the NSA, and vice versa.
- Another key point is that CISA is not an intelligence agency and has no legal authority to collect intelligence. On the international side, we therefore need foreign-intelligence partners like the NSA to help us understand the threats facing our partner countries.
- Similarly, in the context of election security, the mis-, dis-, and mal-information (MDM) team within CISA did not have the capability to look at social media ourselves for first-hand reporting of trends or cases of MDM.
3. Let's talk about the differences between red teaming and pen testing. The difference between a red-team assessment and a penetration test wasn't clear to me before I assisted with a Risk and Vulnerability Assessment (RVA) on behalf of CISA this summer. Pen testing can look like this:
- Typically given a list of users to phish
- Takes less of an "audit" role, to avoid stepping on toes
- Rarely finds zero-day vulnerabilities
- Never truly knows whether the company implements the recommended changes: "kick the sandcastle and leave"
4. One special thing I noticed with this highly wired group was that a lot of innovative ideas came out of need during crunch time. While plenty of open-source tools for penetration testers are out there (and were used in our pen test!), lots of ideas also come to life on red-team assessments. For instance:
- There is no shared database of the hashes and passwords seen consistently across red-team assessments.
- A computer-vision tool could help red teams quickly understand and triage the kinds of sensitive data in images found on the file servers they access.
- SIEM monitoring frequently misses "edge devices" (for example, a threat actor using mobile phones as part of a botnet).
- Decentralizing your cybersecurity is not a fix-all solution: the majority of companies place too much reliance on third-party cybersecurity vendors for monitoring, detection, and response.
And interestingly, the issues we see across networks are rooted in human error. The fixes are rooted in stronger password (or rather, passphrase) policies and a culture of good cybersecurity hygiene: do not use common words plus number combinations as passwords, follow the principle of least privilege when setting up networks, don't keep passwords in a file named "passwords.txt", and don't save passwords in your browser either, since anyone with access to the machine can easily decrypt them. This underscores the critical role of education in
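The password-hygiene points above are easy to state and hard to enforce by hand. As an added example (not from the original article, and not CISA's RVA tooling), here is a small Python passphrase-policy check in the style of NIST SP 800-63B: it favours length over composition rules, screens against a breached-password blocklist, and catches the "common word plus digits" pattern (Summer2023!, P@ssw0rd1) that the article warns about. The blocklist, the word list and the leetspeak table are constructed and deliberately tiny; a real deployment would load a large breach corpus in their place.

```python
import re

# Constructed, deliberately tiny stand-in for a breached-password corpus.
# A real deployment would load a large list (e.g. a Have I Been Pwned export).
BLOCKLIST = {"password", "password1", "123456", "qwerty", "letmein",
             "welcome1", "admin123", "iloveyou"}

# Constructed list of dictionary words commonly used as password "bases".
COMMON_WORDS = {"password", "welcome", "summer", "winter", "spring", "autumn",
                "admin", "company", "football", "dragon", "secret", "monkey"}

# Reverse the usual leetspeak substitutions so "P@ssw0rd" normalizes to "password".
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i",
                      "3": "e", "4": "a", "5": "s", "7": "t"})

# Trailing digits/symbols that users bolt onto a word to satisfy complexity rules.
TRAILING_JUNK = re.compile(r"[\d!@#$%^&*.?_-]+$")


def base_word(pw: str) -> str:
    """Strip appended digits/symbols, undo leetspeak, lowercase.

    "Summer2023!" -> "summer", "P@ssw0rd1" -> "password".
    """
    stripped = TRAILING_JUNK.sub("", pw)
    return stripped.translate(LEET).lower()


def check_password(pw: str, min_len: int = 15) -> list[str]:
    """Return the list of policy violations for pw; an empty list means it is acceptable."""
    problems = []
    # Length is the one composition rule worth keeping (passphrases, not symbol soup).
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    # Exact match against known-breached passwords, case-insensitive.
    if pw.lower() in BLOCKLIST:
        problems.append("appears in breached-password blocklist")
    # "Season+Year", "Word123!", leetspeak variants: all reduce to a dictionary word.
    if base_word(pw) in COMMON_WORDS:
        problems.append("built from a common dictionary word plus digits/symbols")
    # Keyboard laziness: one repeated character, or digits only.
    if re.fullmatch(r"(.)\1*|\d+", pw):
        problems.append("single repeated character or digits only")
    return problems


def is_acceptable(pw: str) -> bool:
    return not check_password(pw)


if __name__ == "__main__":
    for candidate in ["Summer2023!", "P@ssw0rd1", "correct horse battery staple"]:
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The normalization in base_word is what does the work: complexity rules that demand a digit and a symbol push users toward exactly the "Summer2023!" shape, and a checker that only looks at the raw string never sees the dictionary word underneath. Plugging in a real breach corpus for BLOCKLIST turns this into the blocklist screen that 800-63B recommends.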
5. Moreover, some skills I observed that make the job in cyber easier include data analysis (Python, R), Excel, writing and analysis, and the ability to calmly and reasonably de-conflict and de-escalate crises. At a large agency like CISA, it also helps to get to know the organization chart. I promise, people will start asking whether you know anyone from the XYZ team as soon as they hear you've been having coffee chats! Even as an intern, learn the different sections and which teams fall under each.
6. At any cyber conference or event, there are big discussions about increasing and diversifying the talent pool in cybersecurity. In fact, the global cybersecurity workforce gap sits at more than 2.7 million. To increase recruitment into, and retention in, public-service roles, we must make competitive offers that adequately meet the needs of the next generation, and make the transition of private-sector workers into the public sector seamless. Various recommendations could help ease the process, such as:
- A system to easily track the status of your recruitment, including where you are in the background-check process and how many steps remain, your federal point of contact (POC), and their contact information at any point during the process.
- More guidance from HR teams on when to begin the recruiting timeline if you are seeking summer employment, given how long the process takes (start as early as possible, as soon as you receive the tentative offer letter!). This might look like more marketing materials or informational sessions once you receive the tentative offer.
- Support workers' transition to the DC area if it is required for the full learning experience, and encourage team happy hours (even for teams that work remotely).
- Include support for at least one educational experience to enrich the internship (e.g. DEF CON, or a red-team on-site at a company).
- It's truly the little things: "spruce up" the workplace with natural lighting, and make spaces more collaborative and open where the classification level of the information shared there allows. Add some snacks to encourage brain breaks and prevent early burnout.
- We must reduce as many barriers to entry for federal roles as possible. This includes making cyber "jargon" more accessible. Check out Bits N' Bytes' other blog post for a whole list of acronyms and definitions from the cyber sphere: https://www.bitsnbytes.us.com/cyber-security/top-five-takeaways-working-gov/.