Billington Cybersecurity Summit 2019
02 October 2019

5 Forward-Leaning Cyber Priorities for CIOs and CISOs from Cyber Davos

Mark Kuhr

IT Modernization, a priority for most federal CIO/CISOs, costs the United States federal government $95 billion annually. As part of this move towards IT modernization, we will spend roughly $17.4 billion on federal cybersecurity. Are these huge expenditures moving the needle in making our country more secure? That was the elephant in the room and a main focal point at this year’s Billington CyberSecurity Summit, a cybersecurity Davos-like forum for the public and private sector leaders to come together to discuss the state of cybersecurity in our nation’s capital.

The Billington Summit hosted a panel called “Top Government Cyber Priorities – A Call to Action” with a number of respected leaders from government and commercial groups. Panelists agreed that there are five priorities going forward that can help solve the scale problem including the importance of security testing on a continuous cadence, the vital role of technical controls, considering ROI rather than just risk management, the role of AI in security, and avoiding “irrational exuberance” over technology that can’t help agencies scale.

Billington Panel 2019

1. Continuous Cadence
In the words of Rebecca McHale, CIO of Booz Allen Hamilton, “We try to drink our own champagne and use security on a continuous basis.” Given that digital assets are dynamic (not static) and cyber attackers are relentless in looking to exploit security flaws, security needs to be continuous to keep up. There was a great example of this during a recent test by the Synack Red Team on an F-15 fighter jet system at DEF CON in partnership with Defense Digital Service and Air Force. This was the Air Force’s second test on the same asset, and the Synack Red Team researchers were able to uncover both new and persistent vulnerabilities. One always needs to be prodding and poking valuable assets, and as Rebecca states, even simulating attacks on a continuous basis: “We use the same methods we preach, so not just using metrics to identify our risk posture but also building more simulated intrusion into our strategy to give a more complete picture.”

2. Technical Controls
The “ruthless annihilation of legacy systems” is needed to move forward, especially when dealing with critical assets, according to Sean Roche, the Associate Deputy Director for Digital Innovation at the CIA. It is not enough to wait another 20 years until employees retire to replace old infrastructure. In Mr. Roche’s words, a 16-year-old child should not be driving the old station wagon sitting in the garage. Instead, it is ideal to invest in a brand-spanking-new car because the safety features on a new car outweigh that old car. The additional peace of mind, controls, and features make all the difference. It’s the same with how we secure our critical assets, or “crown jewels” as referred by Ms. McHale. We need to invest in security products, specifically ones that provide safety and controls, to make sure we are keeping Americans and their personal information safe.

3. ROI over Risk Management
Some CIOs/CISOs view security programs solely through a risk management framework instead of thinking about the ROI of their security solutions. In the words of Dept. of Energy CISO Emery Csulak, “How do we change risk management to capture ROI? For instance, with Crowdsourced Penetration Testing, the way I think about it is, what did we defer by finding those high-value critical vulnerabilities?” As we have seen with the recent extension of the national state of emergency regarding U.S. elections ( E.O. 13848), when sensitive data is involved, it can take a serious toll when high value vulnerabilities are exploited. Avoiding a breach of critical assets should be a top priority for any CIO or CISO.

4. Artificial Intelligence
As said by Dr. Zangardi, “We are looking at AI and how we can use it across the organization. However, we can’t fully take humans out of the loop.” Dr. Zangardi is correct that humans will always be essential. We have experienced first hand the need for human researchers. On average, >50% of valid vulnerabilities surfaced by our Red Team are missed by a traditional vulnerability scanner. Great talent is also vital and there are some great hiring practices such as those deployed by Mr. Csulak at DOE that are targeting veterans and others who might be underserved by the current hiring process. With a cyber talent gap of 3.5M unfilled positions expected in the next couple of years, however, we cannot scale humans to the magnitude of the threat. Augmenting humans with AI will be critical to getting to a proactive position in security. According to survey results, 39% of executives think China will take over as the AI leader. In order to scale our cybersecurity defenses, the U.S. needs to invest more in competitive, US-based companies with talent and AI technology that can be deployed at scale. This leads into my next point about the importance of investing in security programs that can successfully be deployed across organizations.

5. Strategic Scale, rather than Irrational Exuberance
Dr. John Zangardi, CIO of the Department of Homeland Security, also honed in on the importance of scale. He warned CIO/CISO leaders to be cognizant of moving technology pilots to deployment at scale before agreeing to work with new technology. In security, this is especially important as large enterprises receive as much as > 10,000 security alerts monthly with 52% as false positives. While some small programs may work well, the focus should be “deploying at scale” not “irrational exuberance,” a term used by Federal Reserve chairman, Alan Greenspan, to describe the dot-com bubble of the 1990s. Too many vendors and alerts can be distracting from the original intent of securing our nation.

This sound advice comes from some of the best and brightest minds in the United States Government as well as defense companies protecting federal assets. The only thing I would add is that there needs to be a mentality shift within the government when it comes to failure in cybersecurity. If we don’t know where we are weak, we can’t take steps to improve. At the end of my panel I asked all the CIOs/CISOs to name one project that had failed to help reinforce that even some of our greatest cybersecurity leaders have moments when their organization’s security is not where it should be. Unfortunately, we were short on time and they didn’t have a chance to answer my question, but I’d encourage all agencies to spend time discussing what failed in order to encourage a culture that embraces innovation, improves security, and keeps Americans safe.