With just one month under his belt, the country’s first federal chief information security officer says he’s launching a one-stop-shop for cybersecurity guidance and good ideas.
Cyber.gov will be a repository for best practices, said retired Brig. Gen. Greg Touhill, the federal CISO, during an Oct. 11 AFCEA chapter Cybersecurity Summit in Washington, D.C.
“We have to focus on implementing best practices throughout our organizations,” Touhill said. “I want to emphasize that I don’t believe that compliance is … always the right approach, because compliance doesn’t bring you best practices, but best practices bring you compliance.”
Touhill, who was named to his post in September, said there are a number of dated policies still in use, and that just because an agency is following an existing policy from 2003 doesn’t mean that’s the best way to fight cyber threats.
“Sadly, nearly every single cyber incident that our [Industrial Control Systems Cyber Emergency Response Team] responds to could be prevented,” Touhill said. “Failure to keep systems properly patched and configured, a compromised username and password when multifactor authentication is available, antique and unsupported equipment and execution of unauthorized malicious code, are common and preventable issues that lead to what many of you have pointed out are really epic failures. I believe a contributing factor to these epic failures is risk not being properly managed.”
“We’re going to be partnering across the federal government with such organizations as NIST, DHS and others, so that we have an easy, one-stop-shop for cyber information that talks the goal, the strategy, strategic implementation, best practices, community of interest and the like,” Touhill said. “That’s still a work in progress, that’s one of the things we’re going to be reaching out across the CISO Council and with our partners across the federal government to build that capability out.”
The site will launch in a couple of weeks, and Touhill said his staff is working on setting up basic guidance on the site.
Touhill said he would also like to establish a CISO advisory council comprised of state and local government representatives as well as private sector representatives, “to help us infuse some good ideas for absolutely free. I’m not going to pay for folks, this would all be a volunteer type of thing.”
Taking a holistic approach
Cyber hygiene or best practices are just part of the multipronged approach to effective cybersecurity, Touhill said. Along with innovation and investment, it’s also important to treat information as an asset, and maintain an educated and well-trained workforce.
Touhill said that in closing gaps in the cyber workforce, one of the first things to realize is that the employees are not only part of the front line, they are also the government’s weakest link.
That’s why in 2017 new education and training techniques are being introduced.
Touhill said cybersecurity training can no longer be just an annual review of a computer program. He said supervisors will need to be specific in their training of employees.
“Also working some of the softer issues, where supervisors need to be working with their employees to identify their key information and then how to protect it,” Touhill said. “We focus too much on the technology and the keyboard stuff.”
Touhill said protecting information could be as simple as shredding paper or not discussing certain information over the phone.
“We’re going to take a holistic approach to hardening our workforce and we’re going to train and we’re going to exercise,” Touhill said. “It’s not going to be just an annual approach, we need to make this a continuous, cultural event, and we need to make it interesting and engaging and provide feedback to the employees.”
Touhill said he’s already thinking of ways to encourage that engagement.
He suggested having a friendly competition among government agencies to produce the best video based on the cyber curriculum of the CISO council, similar to the Super Bowl commercial competition sponsored by Doritos. The winner gets their video posted to YouTube.
“We need to do that so it’s not just on the federal level, but everybody in the country can focus on the cybersecurity awareness and understand how to better manage their risk,” he said.
Touhill said he’s already been in contact with the Department of Education to talk about getting elementary students — the next generation of federal cyber recruits — to participate in a nationwide competition to come up with a cybersecurity version of Smokey the Bear and McGruff the Crime Dog.
“Wouldn’t it be cool if the school kids in America got their energy and their enthusiasm and their creativity and helped us define something that will be an enduring reminder of the importance of cybersecurity in our society?” Touhill asked. “It would be a great way I think to also help motivate boys and girls to join us in the cybersecurity professions.”