In what would become a familiar theme at the 10th annual Billington CyberSecurity Summit, the current and former US Federal CISOs cast their institutional role in terms of risk management.
Speaking during a panel held on September 4th, 2019, Grant Schneider, currently the US Federal Chief Information Security Officer, working from the Office of Management and Budget, explained that while his organization does have oversight responsibility, he sees it essentially as a “support structure” designed to enable sound cyber practices throughout the Federal Government. Schneider's predecessor and co-presenter, Brigadier General (retired) Greg Touhill (now president of Cyxtera Federal), said that his own views shifted over the course of his service. At one time he would have attributed most incidents to “careless, negligent, and indifferent people.” But he eventually came to add "overtasked," and that may be the most important risk factor. Learning how to manage risk under these conditions is a challenge, and Government personnel need to fully understand the new reality: “If you use a computer or a mobile phone, you are a cyber operator, and a target.”
The panel was moderated by Dr. Phyllis Schneck, who observed that compliance is the baseline, and that adversaries are aware of this. Schneider agreed that “compliance is certainly not enough,” but said that we’re not even there yet. He added that all the major breaches he sees are the result of known vulnerabilities, and implementing best practices could have prevented them. The goal, he said, is to force the adversary to be more creative and make it more challenging for them by raising the bar.
When both current and former Federal CISOs were asked what keeps them up at night, Touhill pointed to the exposure of critical infrastructure to attacks against industrial control systems. As the Internet-of-things expands, risk exposure grows, and the cost of entry to threat actors declines. Schneider answered, "China." That country, he said, has displayed both its intent and capability to conduct espionage and intellectual property theft.