The federal government has to bring more innovative processes to its acquisition of tools and capabilities to more quickly respond to the pace and continuing evolution of cybersecurity threats, two of the Biden administration’s leading cybersecurity officials said on Thursday.
“We need to look at more nimble programmatics that will allow us to adapt our cybersecurity approaches as the threat and risk environment evolves,” said Brandon Wales, acting director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).
Chris DeRusha, the federal chief information security officer, said that the federal government needs to keep trying to “act like an enterprise,” which means minimizing “unique requirements” and adopting innovative acquisition approaches to purchase “things faster.”
DeRusha and Wales respectively were the opening and closing speakers for the Billington Cybersecurity Defense Summit, which was held virtually. The types of acquisition mechanisms and tools that need to be examined more closely for federal cybersecurity purchases include Other Transaction Authority, the DHS Procurement Innovation Lab, the use of acquisition innovation advocates, and the Pentagon’s Defense Innovation Unit, which is focused on accelerating the adoption of commercial technology for defense needs, DeRusha said.
The goals are to “reduce barriers” and “shorten times to award,” DeRusha said, adding that he is also “taking a good hard look at outcome-oriented” approaches.
Another aspect to improving the speed and efficiency of how government agencies acquire cybersecurity products and services is to make sure that federal contracting officers understand the existing authorities they have toward these ends and then make use of them, he said.
Wales highlighted the need to be agile.
“When you think about how large-scale government programs operate, they’re hard to get into and they’re even harder to get out of, and we need better ways of being able to be flexible, be adaptable, and make sure that the work that we’re doing, the technology that we’re deploying can keep pace with very aggressive efforts by our adversaries to compromise our networks,” he said.
Wales said that one change CISA needs to make is a willingness to divest “programs and activities” that aren’t as relevant for the current threat landscape based on their cost. One example is the DHS National Cybersecurity Protection System (NCPS), a key element of which is the EINSTEIN program that detects and prevents cyber threats at the perimeter of federal networks.
But the recent software supply chain hack committed by a Russian intelligence agency, which first compromised software upgrades developed by software vendor SolarWinds to gain access into nine federal agency networks and about 100 private sector networks, bypassed perimeter protection products such as EINSTEIN.
Wales said there are “parts” of the NCPS “that are growing stale and are not providing value added. We need to be willing to walk away from those and put in place the right kind of protections that can deal with modern threats and with the ways that U.S. government systems and communication systems are architected. We need to have that willingness to say, ‘You know, what is old is not working anymore and we need to identify what is going to work and how do we put in place those new programs, those new tools, those new processes.’”
There needs to be more of this openness across government about these challenges and the willingness to change, Wales said. These conversations are already underway in CISA and elsewhere in the government, he added.