In one of his first public appearances since being officially named CIO at the Department of Energy, Robert Brese called for greater efforts to develop a skilled cybersecurity workforce, and stressed the importance of responding to cyber threats, not merely being prepared to prevent and recover from them.
In a series of wide-ranging remarks on the state of cybersecurity in the federal government, Brese highlighted six factors shaping the evolution of federal cybersecurity policy, but concluded that despite many challenges, the federal government is “doing a better job than a majority of the private sector” in defending its networks.
Speaking at a Government Technology Research Alliance (GTRA) forum June 24, Brese based his assessment in part on reports emanating from across the Department of Energy, which operates a wide range of educational, national research laboratory, nuclear portfolio and other IT networks. Brese, who officially assumes his new duties July 1, had served as deputy CIO for the National Nuclear Security Administration before becoming deputy CIO for the entire Energy Department in 2010.
Brese warned that many federal agencies are “still stuck in a prevent-and-recover mind-set. We keep buying higher and thicker fences,” he said. Instead, he argued, agency officials need to be better prepared to pursue a “prevent-recover-respond” strategy that poses genuine risks to those who attack federal networks, and “do things that are more consequential to our adversaries,” he said.
Brese acknowledged, “It is still critically important” that such measures stay “within legal and diplomatic boundaries.” He predicted, however, that the push toward continuous monitoring of networks “is going to go up exponentially,” moving well beyond merely patching vulnerabilities, and that the need to train cyber specialists remains crucial to the future of network protection.
He reinforced calls to create a system of cyber interns, the way the medical community grooms doctors through medical residencies, allowing them five to seven years of experience before they are allowed to practice. The challenge, he said, is “How do we find those MDs of cybersecurity and put them with the best and brightest in the business?”
Even then, he said, “If you apply every cybersecurity control, you won’t necessarily be more secure. The people who have to accept the risk aren’t the CIOs and CISOs, it’s the people who rely on the systems every day.”
A second factor shaping cybersecurity is Obama Administration policies that make the “operational emphasis” of coordinating and responding to cyber threats the responsibility of the Department of Homeland Security and separate from the Department of Defense. One of the common risks DHS and all agencies need to address, he said, is the inherent risk in the supply chain of IT products that invariably are manufactured outside the U.S. He encouraged the audience to make supply chain management “part of your risk management process.”
A third factor, he said, was the growing speed of technology changes. “All of these innovations,” such as cloud computing and the mobile revolution, “are pushing the cybersecurity and records management challenges we have today,” he said. He added, “If it wasn’t for the rules we put in place years ago, we wouldn’t be using any of this technology,” the way it is being used today, he said.
Another factor impacting cybersecurity is the difficulty in working with Congress to achieve more comprehensive and cohesive cybersecurity legislation. Despite many efforts by lawmakers within Congress, and by the Obama Administration itself, which submitted legislation more than a year ago, a divided Congress has stalled even the best cyber proposals, leaving little likelihood of meaningful cybersecurity laws during the remainder of the year, Brese said.
Perhaps another equally vexing factor, he said, is the challenge of improving controls in the private sector, especially applying new policies around critical infrastructure. He challenged the logic that allows Internet service providers to protect their own networks, but prevents them from taking action against threatening content moving across their networks. He likened the situation to permitting bombs to be delivered through the U.S. postal system, saying the laws haven’t kept up with the technology.
Finally, agencies also need to better understand what missions their systems support, in the event that those systems fail. Brese posed the question of what agencies might do if, unlike in a natural disaster, where resources can be moved in relative anticipation, “23 states started asking for help” in the midst of a massive denial-of-service attack.
“We don’t have that level of resources,” to cope with that, he said. Moreover, while some agencies “may know which missions are essential, you may not know which systems are tied to those missions.”
Brese concluded that regardless of who wins the White House in November, the level of concern about cyber security is so serious, “I don’t see anything that will change this country’s focus on cyber security – unlike energy or health policies,” he said.