Complexity, pace of attacks drive changes in federal IT security compliance
The complexity of federal IT networks, along with the unprecedented pace of emerging threats and the lack of leadership continuity, are among the biggest challenges facing the federal government as it attempts to bolster cybersecurity.
That was the message offered Oct. 10 by a panel of former senior government IT officials, who appeared at a cybersecurity event sponsored by the Association for Federal Information Resources Management.
“If we did IT better in government, we would get manifold improvements in our security posture,” said Richard Spires, former CIO at the Department of Homeland Security, who left the department in May due to significant disagreements with senior leaders that resulted in DHS placing him on paid leave.
“We need to work with agencies to simplify their IT environments,” Spires said, arguing in a rare public appearance since leaving DHS that IT security managers are being asked to secure technology environments that are simply too complex.
Spires’ remarks were part of a lively discussion about the nature and role of compliance monitoring in an era when cyber-threats are constantly changing and response times are measured in milliseconds.
“There is no down time anymore,” said Karen Evans, national director of the U.S. Cyber Challenge and former administrator for e-government and information technology at the Office of Management and Budget. “It’s 24/7. The traditional models don’t work anymore.”
But neither would Spires’ plan to simplify IT environments, Evans said. “The rules are different in government” than in the private sector, she said. Any attempt to simplify IT deployments in the federal government to a smaller group of select vendors would lead to a deluge of contract protests, she said.
“The complexity that we are dealing with is so significant . . . it is one of the biggest problems we are facing,” Spires said.
Earl Crane, former White House national security staff adviser for cybersecurity policy, agreed, adding that the complexity of the IT environments, coupled with the speed of cyber-attacks, has rendered the old models of compliance ineffective. The check-the-box model of security compliance “is not achievable” in the current environment, Crane said. “Compliance is taking time away from addressing the actual threats,” he said.
That’s the main impetus behind the DHS’ $6 billion Continuous Diagnostics and Mitigation program, commonly referred to as continuous monitoring. The 2013 fiscal year budget authorized $185 million to kick-start the program. In August, DHS awarded 17 companies a spot on the contract to provide CDM technologies for civilian agencies across the federal government.
Spires said during his time in government, he found it difficult to keep people and organizations in line with the current compliance mandates. “It was difficult keeping people in compliance,” he said. “Most people just didn’t know better.”
Evans and Spires agreed, however, that despite the changing threat landscape and the speed at which cyber-attacks can happen, compliance controls remain essential to the future of federal IT security.
“A certain amount of compliance is OK,” Evans said. “Compliance is not a bad word. You just have to do more than just compliance.”
Spires characterized compliance controls as “foundational” to security. But compared to even just five years ago, today “it’s compliance at network speed,” he said.
Another aspect of compliance Spires and Evans seemed to disagree on was the difficulty of achieving consistency in government. Spires said the government suffers from a “continuity [of leadership] problem” that makes it very difficult “to bring people along and effect change.”
Evans, however, said “the consistency comes from the audits” undertaken by the Government Accountability Office and the inspectors general from the different agencies. But rather than simply audit agencies against the various National Institute of Standards and Technology security controls, auditors will need to begin monitoring agency progress on their continuous monitoring efforts, she said.
Likewise, it would help auditors and improve the accuracy of audits if cabinet secretaries spelled out the risk profile they are willing to accept.