In the wake of a major cybersecurity incident last week, federal information officials on Wednesday said the balancing act between cyber hygiene compliance and workforce morale remains an ongoing problem.
While the panel of federal IT executives speaking at a FedInsider cybersecurity conference neither confirmed nor denied whether government systems were affected by the massive global ransomware attack on May 12, officials did say that there is much progress to be made in managing the human element of cybersecurity.
Sally Holcomb, the deputy chief information officer at the National Security Agency, said that in the years following the leaks of classified information by NSA contractor Edward Snowden, the intelligence agency’s workforce still has not recovered from the hit in morale.
“One of the unintended, but unfortunately expected consequences of our post-Snowden mitigations was a feeling by much of the workforce that we didn’t trust them — that one bad apple had ruined everything for them, and that they weren’t valued. And we haven’t overcome that, and this is very, very difficult, because how do you do [cyber] security, discipline and hygiene without conveying this thought that, ‘Yeah, you’re a person that we can’t assume is intending good things?’ And that is a very difficult problem,” Holcomb said at Wednesday’s panel at the International Spy Museum.
While the intelligence community scored highly on the Partnership for Public Service’s latest Best Places to Work in the Federal Government survey, ranking as the third best large agency, governmentwide cybersecurity awareness beyond the Office of the CIO remains an ongoing challenge.
Mark Kneidinger, the director of the federal network resilience division of the Department of Homeland Security’s Office of Cybersecurity and Communications, said DHS has been working to educate agencies about the “soft cyber threat” of employees who don’t realize the value of the data they’re protecting.
“You see a lot of folks that are joining the workforce focused on the here-and-now versus the future,” Kneidinger said. “When you think about the information that’s in front of you now, you want to share it, without necessarily understanding the implications it has. … Well, where is that information stored? What’s that connected to?”
Looking back at her 30-year career at NSA, Holcomb said she’s seen a “significant difference” in the workplace culture back from when she began working there.
“It was a culture of security back then … and it just seems to be a different focus now, and I’m not going to blame it on a generational thing, but I will say that technology has opened the world significantly, and the approach to information exchange, good or bad, intended or otherwise, is totally different now than it was before. And you have to change your security approach at the same time,” Holcomb said.
While Kneidinger said DHS has seen more awareness from federal civilian agencies about the bigger picture on cyber risks, he added that it’s an ongoing effort to keep federal workers from “being able to open a door for a cyber threat.”
“We all owe a responsibility for keeping that door closed,” he said.
For Leslie Perkins, the deputy chief technology officer for the Air Force’s Information Dominance and CIO (SAF/CIO A6) office, the insider threat problem comes down to keeping agency information security without making the workforce feel undervalued. Part of the solution, she said, is putting more accountability in place for workers who aren’t following cyber hygiene protocol.
“People will do what they’re rewarded to do. People will also not do what they’ve either experienced as a hand slap or seen others get punished for. Cybersecurity is everybody’s problem, everybody’s concern, everyone’s issue, but until we act on it as an organization, as an agency, we’ll have endless amounts of training with no ramification immediately seen,” Perkins said.
At DHS, Kneidinger has played a role in briefing the Trump administration’s incoming political appointees, the mission owners within agencies, particularly the deputy secretaries, since they control the bulk of the IT spend at their agencies.
“Cybersecurity is more than just the CIO and [Chief Information Security Officer]’s responsibility. It’s everybody’s responsibility,” he said.