Commerce CISO wants to move cyber beyond the castle and moat approach

There’s a classic metaphor in cybersecurity where the security protocols and protections are compared to the walls and moat of a castle, and the data is what’s housed inside.

“In many circles of cybersecurity, this metaphor is considered to be old hat,” Rod Turk, chief information security officer for the Commerce Department, said during an Aug. 17 GovExec webinar on cybersecurity analytics. “The perimeter defenses we put in 10 years ago is not the complete story today in terms of cybersecurity and how we are to defend ourselves in this cybersecurity realm.”

That’s why Turk and other cybersecurity professionals at the Commerce Department want to redo their compliance and governance process.

“We have found in the Department of Commerce that our compliance and governance process is stuck back in the early 2000s,” Turk said. “We’re looking at compliance activities to controls in the 800-53 process, and we think most of our bureaus actually have that pretty well in hand.”


Instead, he wants to make the process more collaborative, to the point where the department is actually providing a service to the various bureaus.

“One of the things that we’re looking at is being able to do assessments for cloud-based tools, productivity tools, things of that nature, third party services that are being provided that are not necessarily [Authorized to Operate] or FedRAMPed,” he said. “We intend to be looking at those kinds of products and tools very closely to make sure that they don’t present any cybersecurity risks for us.”

There is one way, however, the castle metaphor still holds, Turk said. In those days, there was a building in the castle, the keep, where all the prized jewels and possessions were kept. It was the most secure building. Now, it’s the most important data that’s kept under the most secure conditions. For Commerce, that means personally identifiable information from the U.S. Census Bureau and the Patent and Trademark Office.

Turk also said Commerce will be looking at products to help automate anti-phishing processes, and at how best to adapt to mobile devices.

“This is something that gives me gray hair, because in the cybersecurity world, we usually lag behind the technology,” Turk said.


Turk said the department is evaluating ways to authenticate on mobile devices, including derived credentials, which are not level four credentials but do provide the greatest security currently available in mobile authentication.

Another concern Turk has with mobile is the implementation of controls for apps, because most apps are not assessed in any significant way.

Overall, he’s trying to foster a cybersecurity culture in the department, ensuring that all employees have an understanding of basic cyber defense. The department is better off that way, he said.

He said he’s trying to ensure that cybersecurity is a main focus of the department at the beginning of projects, rather than an afterthought.

He compared it to the culture at NASA during the 1960s, when the agency was striving toward the moonshot. He told a story where President Kennedy visited NASA, and asked a janitor about his job.

“I’m helping put a man on the moon,” the janitor said.

That’s the kind of culture, with universal buy-in throughout the department, that Turk is aiming for.

“It seems to me that we in the Department of Commerce and maybe the federal government at large should have that kind of cybersecurity culture where we think about cybersecurity in pretty much everything that we do, because frankly, the lions are at the gate,” Turk said.