Among the “major themes” that have surfaced as a result of an ongoing review of the federal government’s cyber security needs is that overall there are baseline capabilities in place but complete protection is lacking, a Department of Homeland Security (DHS) official said last week.
“In looking at our assessment of where we are, from a gaps and vulnerabilities perspective, there’s been a lot of discussion that we’re years behind the power curve,” Martin Gross, director of the Office of Cybersecurity and Communications, said Oct. 19 at a DHS industry day. “That’s not what we’re finding. What we’re finding is we have the basics in place that are necessary for us to provide cyber protection but are not sufficient to provide full protection.”
The themes that Gross discussed have arisen from reports federal agencies are delivering to the White House, and in some cases DHS, as directed by an executive order signed by President Donald Trump in May aimed at improving the nation’s cyber security. He listed several “major themes that we’re seeing as we are working through implementation of the executive order.”
The existing partial protections come from things like intrusion detection, intrusion prevention, and other tools to help find and manage threats, but the government is lacking “end-to-end” capabilities for “data level protection,” Gross said at the third annual DHS Strategic Industry Conversation in Washington, D.C.
Another key theme that Gross mentioned is a need for a “consistent understanding of threats and vulnerabilities, risks and gaps.” He alluded to the need for agreed definitions of these challenges and for an “analytical framework” to better understand the gaps “and what we have to do to protect our environment.”
Gross also described the need to understand better the “key mission threads that are national assets” that are common across the public and private sectors. He said these threads have to be protected from both a cyber and an infrastructure protection “perspective.”
There are two “critical technology gaps” where there needs to be more attention, Gross said. One, which the Trump administration is already working on at the White House Office of Management and Budget, is for digital identities to replace Social Security Numbers.
Social Security Numbers aren’t secure, and “there needs to be some way for an individual to control information about themselves so there’s some kind of digital identity,” Gross said. Still, digital identities also pose risks and questions that need to be addressed, he said.
Rob Joyce, who is responsible for coordinating cyber security issues for the Trump administration, said earlier this month that he strongly believes Social Security Numbers have “outlived” their usefulness.
The need for end-to-end data protection is also a gap that needs to be addressed, Gross said.
“We still don’t have a consistent solution for how we protect data through its complete life-cycle and watch where it goes and how to protect it,” he said.
The “criteria” for prioritizing what needs to be protected also need a “relook,” Gross said, adding that not all threats can be detected “every time at the same level.” He also said that current “approaches” to cyber security don’t scale.
“We don’t have the processes and the people to scale out what we’re doing right now for e/b so we’re going to have to once again figure out, prioritize, and how do we leverage our resources to actually scale,” Gross said.
Gross also said that partnerships between the public and private sectors have to be maintained and that the need for talent requires “a pipeline of skilled people” for the government and commercial industry.
At the end of this week Trump is expected to approve a final report on modernization of federal information technology (IT) networks, Gross said. The report was initially completed at the end of August and publicly released, but the White House wanted public input before finalizing it, he said.
The IT modernization report was required as part of the cyber executive order with a goal to strengthen the cyber posture of the federal government. Gross outlined three “key areas” in the roughly 60-page report, including network consolidation and how the network can be protected.
Shared services are another focus area of the report, particularly “from a cyber protection perspective,” he said. The report also looks at security operations centers as a service to organizations that need help here, he said.
Finally, the report examines the need to change how acquisition and financing are done for IT modernization “for us to effectively deal with the delivery of cyber security capabilities,” Gross said.