Former White House official says agencies are in the midst of a “culture change” when it comes to cybersecurity.
The federal government’s ongoing shift to cloud computing has brought cybersecurity benefits, but it’s also added complexity for cyber defenders.
That’s according to Mitch Herckis, who served as branch director for federal cybersecurity in the White House Office of the Federal Chief Information Officer. Herckis left that post this spring to join Wiz as global head of government affairs.
“The cloud provides a huge amount of predictability and ability to configure in such a way that there’s lots of documentation,” Herckis said during Federal News Network’s Cloud Exchange 2024. “There are APIs, there are configurations that make it very easy to understand and make it much more uniform around what you do in the cloud. However, there is complexity and speed that comes with that.”
During the height of the COVID-19 pandemic, agencies were able to spin up cloud workloads quickly to continue carrying out their missions and delivering services to the public.
“So there’s that flexibility and adaptability,” Herckis said. “[But] maintaining visibility and being able to understand the risk that comes with those changes is very unique. Especially as you add more complexity, you mesh these services together and create new relationships within the cloud that the security teams, the development teams, the underlying service provider and the users need to keep up with.”
Herckis said President Joe Biden’s May 2021 cybersecurity executive order and the subsequent 2022 federal zero trust strategy set a baseline for agencies, starting them “on the right path in the cloud.” Agencies are moving to adopt key cybersecurity practices, such as multifactor authentication and data encryption, across their enterprises.
“We have a real culture change going on within the federal government to really push us into that zero trust environment,” Herckis said. “And I think it’s really a testament to the folks who are there with how far we’ve gotten in such a short period of time. There’s more to be done, obviously.”
Herckis advocates for maintaining visibility into cyber risks within the changing network environment — which spans from on-premises data centers to various cloud services.
“How do we democratize security to ensure that the development team understands how those changes might affect the risk to the cloud, and the security operations centers and the security teams can also understand the business cases and use cases without having to continuously reach back to the development team?” he said. “It has to be a team effort. And there has to be a unified approach to creating that visibility and understanding potential attack patterns that come from this continuous change.”
The imperative to understand cybersecurity risks has only heightened with agencies’ exploration of artificial intelligence and machine learning.
“This is an entirely new feature that is essentially often getting spun up in the cloud alone,” Herckis said. “That creates new risks that we’re not used to managing. And we don’t have a playbook that’s been around for a decade. So agencies need to be really thinking about the security posture of these and working with people both in the public sector and private sector to understand the best practices around that.”
Under the Biden administration’s AI approach, the Cybersecurity and Infrastructure Security Agency wants to ensure AI systems are protected from cyber-based threats.
“We’ve had some threat researchers find some extraordinarily unique ways of breaking out of isolated environments by injecting into one large language model some nefarious information, which seemed to be through legitimate purposes, and then being able to access others that are supposedly isolated,” Herckis said. “There’s a lot of unique ways to essentially poison those environments or change it and create new attack vectors.”
Copyright © 2024 Federal News Network. All rights reserved.