Faced with a talent gap in its cybersecurity workforce, NASA finds itself relying on tools that keep its in-demand IT professionals focused on high-value work.
“As the workforce continues to age, that gap continues to increase. That makes the auditability more labor-intensive, and it makes it more expensive to manage the operations of our organizations,” Pam Wolfe, the chief of the Enterprise Services Division in the NASA Shared services office, said Monday at the Association of Government Accountants’ Professional Development Training summit in Orlando, Florida.
Under initiatives like the President’s Management Agenda, the Trump administration continues to push for IT modernization not just from a cybersecurity position, but also from a cost-savings perspective.
Agencies spend about 72 percent of the governmentwide IT budget on maintaining legacy IT systems, leaving a smaller margin for investment in innovation, as well as research and development. The private sector, by contrast, spends only about 30-35 percent of its IT budget on maintenance.
In addition, Wolfe said agencies like NASA, due to the unique nature of their missions, are more vulnerable to attack than the average private-sector company.
“We as a government agency store far more data than the typical private sector [company], and often it’s in older and more vulnerable systems. This further complicates the concerns for our employees and our citizens, because they want data readily available. We’re all in the ‘I want it now’ mode, and that, in itself, presents some issues for us.”
Phishing, ransomware and smarter hacking all threats
In addition to low-tech intrusion attempts such as phishing emails, agencies must also contend with a population of hackers who are getting more sophisticated in their attempts to breach agency networks.
“What we’re seeing is that the profile of our cybersecurity criminals is changing dramatically, and we need to be prepared for the threats that that brings to our organizations,” Wolfe said.
Those threats include ransomware attacks, which can wreak havoc on both an agency’s front-line systems and its back-up drives, as well as vulnerable devices connected through the Internet of Things.
“Everyday devices that we all use are targeted by these cyber criminals,” Wolfe said.
But in addition to malicious external threats, NASA also faces a significant amount of vulnerability through its vendor community.
“When we introduce these third-party organizations, typically it increases our threat. And so, we need to make sure, through the statement of work, through the requirements of the contract, that they’ve got sufficient security concerns addressed to mitigate,” Wolfe said.
While NASA engages “considerably” with the Homeland Security Department to mitigate cyber vulnerabilities and relies on threat-sharing information with other agencies, Wolfe said NASA has increasingly turned to innovation to address security issues.
For example, Wolfe said the organization’s investment in robotic process automation has proven to be a major cybersecurity “game changer” for the agency.
Innovation reduces repeated tasks
In addition to using RPA to reduce the time to detect and respond to cyber incidents, Wolfe said the technology can save human employees from having to conduct rote tasks like password resets — which account for the greatest volume of calls to the help desk — system maintenance and data cleansing.
RPA tools not only handle these tasks more efficiently and accurately, but they also free up employees to handle more meaningful projects.
“One of the things that we’re seeing with robotic process automation is that it minimizes employee turnover, so it allows employees to focus on higher-value tasks,” Wolfe said.
Looking ahead, Wolfe said RPA could also help keep track of the inventory of applications across NASA.
“I know that we, on occasion, struggle with how many people have loaded this software on their system, and the IT community is unaware of it. This can give you opportunities to identify and correct those types of issues,” Wolfe said. “Even if it’s not an end-to-end approach, if you can automate a portion of your process, you can still achieve a considerable risk reduction and efficiencies just by doing that.”