A data breach disclosed last summer by the Office of Personnel Management (OPM), the result of a successful cyber hack, galvanized the federal government to improve cyber security in a number of ways, a Department of Homeland Security (DHS) official said the week of June 20.
Beyond the initial “cyber sprint” to improve the cyber health of federal networks immediately following the OPM disclosure and congressional approval in December 2015 of a cyber security information sharing bill, the hack also began to break stovepipes that limited cooperation among departments and agencies, Mark Kneidinger, director of Federal Network Resilience with DHS, said at the annual AFCEA Homeland Security Conference on June 21.
“Last summer…was the first time that basically a number of CIOs across agencies had sort of broken out of their individual interest as CIOs for their respective agencies and looked across and said, ‘How can we collectively be able to address some very difficult and complex cyber issues,’” he said.
One meeting of more than 60 federal CIOs, held to address some of the most complex and difficult cyber security issues they were facing, had a “domino effect” that led to a number of activities as well as passage of the Cybersecurity and Information Sharing Act, Kneidinger said.
This increased cooperation had the benefit of further entrenching this collaborative effort, Kneidinger said during a panel discussion about the follow-up activities to the OPM hack. This cultural shift toward cooperation and collaboration is continuing and moving beyond CIOs and chief information security officers to include “deputy secretaries and mission executives,” he said. “Because cyber security is being understood as being owned by all.”
The Cyber Sprint helped officials “think in a unified way” and to “quickly” come up with “actionable” initiatives, Kneidinger said.
Some of these initiatives include the Cybersecurity Implementation Plan, which put due dates and responsibilities in place to focus attention and resources. This plan spawned efforts to identify high value assets, how they are defended, who has access, and critical vulnerabilities, he said.
DHS Secretary Jeh Johnson also issued a Binding Operational Directive to federal civilian agencies directing them to quickly address critical vulnerabilities. Kneidinger said a number of agencies thanked DHS for the directive, which gave deputy secretaries responsibility for the follow-up activities. This means the deputy secretaries asked “a lot of questions to their” CIOs and CISOs, he said. “It opened up this venue of communication that was at best soft” before the directive.
This new communication channel to the deputy secretaries let them know that CIOs needed more authorities, funding, and capabilities to work across “federated component agencies,” Kneidinger said.