One of the biggest problems federal cybersecurity officials face is moving fast enough to keep up with hackers — adversaries famed for their agility and flexibility.
At the National Security Agency, they’re trying an Innovation Corps approach: More than a dozen teams of five to 10 people are bootstrapping new capabilities or products over a six-week period, then pitching the results to agency leaders — who choose a handful to take further.
NSA Information Assurance Director Curtis Dukes Thursday compared the agency’s “I-Corps” to the popular television show Shark Tank, where entrepreneurs pitch business ideas for seed funding to skeptical venture capitalists. Dukes said the corps is creating capabilities that have been used inside the agency’s nuclear command and control missions.
Dukes was one of a number of top federal government information security officers who outlined how they are driving new ways of thinking, novel techniques for cyber defense and better ways of filling the talent gaps in their ranks at the Security Through Innovation Summit — sponsored by Intel Security and produced by FedScoop.
Not all the innovations highlighted were from the bleeding edge of emerging tech. Marianne Bailey, principal director and deputy CIO for the Defense Department, said one of the biggest drivers of better cybersecurity has been focusing on getting the basics right, citing the department’s new cybersecurity scorecard. The initiative, which was initially disseminated in October, leans on stronger authentication practices for employees and reducing attack surfaces both internally and externally.
“If you look at all the intrusions over the last decade, you will find the overwhelming majority of those are due to poorly implemented cyber basics,” Bailey said.
Cyber practitioners say basic cyber hygiene eliminates many of the commodity attacks that would otherwise suck up the time of security responders and specialists.
“It may seem like a simple thing, but it’s actually been pretty amazing to see the impact it has had,” Bailey concluded.
Yet even as these agencies are driving new ways of thinking, they are struggling with recruiting and retaining the talent needed to keep up with malicious threats.
Sherrill Nicely, chief information security officer for the CIA, said while they are recruiting all the time, new forms of technology mean that even seasoned cybersecurity professionals need to keep acquiring new skills. She described the efforts within the CIA as a “combination of training and support,” including purchasing vouchers for training classes through an outside training company.
When staffing up a cybersecurity organization, added Rod Turk, CISO of the Commerce Department, in addition to technical specialists, “I also need people who understand budgets, people who know how to communicate, people who can write.”
“At the end of the day I want people working for me to be able to put that [IT proposal] in a business case … to explain that in layman’s terms to financial people to senior executives and if I’m unable to do that because I’m too far in the weeds in the technology, the tendency is you don’t get the money,” Turk said.
Emery Csulak, CISO for the Centers for Medicaid and Medicare Services, said while he is always searching for security talent, he also needs people who know how to bridge the knowledge gap between various offices.
“What I do have is a shortage of people who can bring pieces together. That’s what I put a lot more energy into,” he said. “You’ve left the burden of integrating these various acquisitions into these stovepipes. What we are doing is focusing on operations and security together and saying ‘let’s get out of the hands of programs and bring the right people together,’ so you don’t worry on the architecture and infrastructure, you are focused on turning [technology] into a tangible product.”
Whether it’s inside or outside an agency, officials are open to anything that helps them keep up with a rapidly growing problem.
“I don’t care what range you are, if you are civilian or military, if you have a good idea, bring it forward,” Dukes said.
Contact the reporter on this story via email at firstname.lastname@example.org, or follow him on Twitter at @gregotto.