Federal agencies have made positive strides in how they approach protecting information systems in the past few years, experts said Tuesday at a D.C. CyberWeek event, but the government’s cybersecurity efforts have room for improvement in several areas.
The conversation at Georgetown University was a wide-ranging examination of the current state of public-private partnerships in cybersecurity by Meredith Burkart, a program manager at the FBI and assistant professor at Georgetown; David Fahrenkrug, director of strategic planning at Northrop Grumman and adjunct professor at Georgetown; and John Wood, CEO of the Telos Corporation.
There were five main takeaways that the panelists kept coming back to:
The federal government should devote more funds to protecting the nation’s cybersecurity. Wood argued that the military should consider cyber to be a domain alongside the likes of air, land, sea and space, and treat it as such from a budgeting perspective. President Donald Trump has moved in this direction with his August announcement that U.S. Cyber Command will be elevated to a unified combatant command.
Later in the panel Wood spoke about how IT modernization goes hand in hand with better security potential — a common theme among government technology stakeholders these days.
The federal government needs better cybersecurity leadership, with more buy-in on the issue. “We need much better leadership at the federal level and the state level,” Wood said.
But this goes both ways, other members of the panel suggested — the jargon-filled nature of many conversations and reports on cybersecurity can serve to keep it an insular field, Burkart said.
The federal government needs more cybersecurity talent. Wood advocated for both encouraging college students to study cybersecurity and similar topics, and making sure people already in the workforce can get access to short-term trainings like bootcamps.
Fahrenkrug, meanwhile, argued that education should focus on a holistic view of how information technology systems fit together — teaching software developers to see both their own piece of code and the broader whole. “Many times programmers … don’t actually understand the larger systems that the software is plugging into,” he said. But if they did, he suggested, those larger systems could be made more secure.
The federal government needs to demystify attribution for attacks. Burkart introduced the idea that the mystery surrounding the question of who perpetrates cyberattacks leads to further public confusion on the matter.
Even long after the authorities have a precise answer on the responsible party, rumors can still abound. Burkart urged a more streamlined, controlled process.
The federal government needs to focus on issuing best practices and guidelines as opposed to regulation. The panelists all said that regulation moves too slowly for the constantly changing world of cybersecurity.
Instead of regulation, the panelists supported the work of government agencies like the National Institute of Standards and Technology in providing comprehensive information on best practices that can help the private sector in its efforts to keep information secure.
Binding rules on industry can be useful, Wood said, “but if we think that’s going to solve all the problems then we’re expecting too much from regulation.”