The White House recently released the first National Cybersecurity Strategy in 15 years. Now top tech leaders in the administration seek to put some force behind it.
Grant Schneider, the federal chief information security officer, said Tuesday at a Palo Alto Networks summit in Washington that the National Security Council is running an “implementation plan development process.”
“It’s not going to be a glossy that’s going to be posted on the website for a couple reasons,” Schneider said. “Most importantly, we don’t want our adversaries to know what our implementation strategy is. Secondarily, we want to leverage things that are already in flight.”
For all the IT changes in the past decade-and-a-half, a trio of the administration’s top technology leaders says the new playbook on how to deal with cyber threats still focuses on some key fundamentals.
Rob Joyce, the National Security Agency senior adviser for cybersecurity strategy, said the latest National Cybersecurity Strategy still boils down to effective management.
“Cybersecurity is not a technology problem, it’s a leadership problem. It is the attention, the resources, the focus of leaders to do that accountability, but to set the ethos. When you look at where we fail in cybersecurity today, most of the time it’s the failure to do something that was known and understood that we have to do, but it either wasn’t resourced or it wasn’t a priority.”
Schneider added that holding cyber leaders accountable for results plays a key role in ensuring success.
“The first element of that is understanding what good and bad behavior are — what am I holding people accountable to. I think we have the opportunity. We certainly have leadership that wants to be held accountable, that wants to hold people accountable,” Schneider said, adding that the President’s Management Council has helped provide that accountability.
But unlike one of President Donald Trump’s more notable catchphrases, Schneider said accountability doesn’t mean telling the heads of cyber offices that ‘You’re fired.’
“The challenge is that, I think, is when people say ‘hold accountable,’ they’re waiting for the public firings. And quite frankly, those don’t happen in industry very often, and they happen less often in government,” Schneider said. “And so there are lots of ways to hold people accountable that aren’t necessarily going to make headlines. I think it is more of a culture shift, though, and a behavior shift to ‘What am I doing, but also what is my leadership doing to hold each other accountable?’”
From ‘policy and process’ to ‘action and accountability’
If the latest National Cybersecurity Strategy looks similar to the previous one, Schneider said there’s a reason for that. He added that the latest version refocuses on some of the key fundamentals of protecting agency networks and data.
“A lot of the initiatives of things we need to do are carryovers from previous administrations because in my mind, a lot of what we need to do in cybersecurity is doing the basic things — doing them very well, doing them day in and day out,” Schneider said. “There aren’t necessarily shiny solutions to cybersecurity. What I think is different about this strategy is really a movement from policy and process to one of action and accountability.”
One of the things that has changed in the last 15 years is the sharing of cyber threat information.
Jeanette Manfra, the assistant secretary of the Office of Cybersecurity and Communications at the Department of Homeland Security, said working more closely with industry and other partners is a key takeaway of the new strategy.
“This is really about shared risk — that consumers, individuals, companies, governments, not just the United States government, other governments — we’re all actors in a shared environment that is vulnerable. So we have a shared risk and we have a responsibility to defend it and create a more secure environment.”
Over the summer, DHS launched the National Risk Management Center. It’s a one-stop shop for the agency to share cyber threat intelligence with industries that control large parts of the national infrastructure. DHS has also refocused its efforts on supply chain risk management.
Earlier this year, DHS, along with agencies like the Defense and Energy Departments, released their own cybersecurity strategies. But to understand where DHS stands in relation to the national strategy, Manfra said her agency should act as the “risk manager” for the rest of government and for industry.
When it comes to getting agencies on board with the National Cybersecurity Strategy, Manfra said limited budgets remain a sticking point.
“This is not an IT problem, this is a mission problem. It’s not the CISOs or CIOs don’t want to do these things, but they don’t have the resources or they don’t have the support,” she said.