The Trump administration is working to determine the lead agency to coordinate information sharing for IT-related supply chain risks.
Federal Chief Information Security Officer Grant Schneider said Tuesday at Nextgov/Defense One’s Cyber Summit in Washington that the administration is in the process of composing the executive branch information-sharing team and determining how it will work with the to-be-named coordinating agency.
One goal is for the government to learn more about how it collects and shares IT-related supply chain information, both among executive branch agencies and with entities outside the executive branch, he said.
“If an agency decides not to buy something for really good reasons, then we want to be sure that we understand those reasons and we know what risk we’re constantly accepting elsewhere in the enterprise,” Schneider said.
The government’s efforts follow from the Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure (SECURE) Technology Act, which created an interagency security council charged with defining requirements for agencies’ IT supply chain risk management programs, and with developing criteria for sharing such risk information across executive agencies and “non-federal entities,” according to the bill text.
President Donald Trump signed the SECURE Technology Act into law on Dec. 21, 2018.
The government is also looking at how it could provide a shared service to combat potential supply chain threats, Schneider said.
“We have agencies at the Department of Defense and the Department of Homeland Security that may have lots of resources and ability to do supply chain risk management,” he said. “We have a lot of small agencies that are never going to have those capabilities. So can we move towards more of a shared service in some way, shape or form?”
Schneider also noted the law's requirement for the council to establish criteria and procedures for removal orders, which require agencies to take a covered product already in use out of service, and exclusion orders, which bar agencies from acquiring it in the first place. He said the government will put more of its focus on exclusion orders.
“We’d rather tell someone you can’t buy stuff than to have to rip out things that we’ve already bought,” he said.
One of the biggest barriers to cyber-related information sharing, both within the government and between the government and outside groups, is that there is a stigma in some arenas associated with being the victim of breaches, said Mark Bristow, director of DHS’s National Cybersecurity and Communications Integration Center Hunt and Incident Response Team.
Bristow’s team is trying to create an ecosystem that makes people comfortable with sharing information, he said.
“If one of you gets hit with a phishing email that’s new and unique, if we share our information fast enough and we close the loop faster than the adversary, and everyone else gets that piece of information, the bad guy can’t reuse that code,” Bristow said during the conference Tuesday. “We can close that loop tighter, faster than they can redeploy it. Now, their cost goes way up.”
“Everyone gets breached,” he continued. “We need to kind of get over that as a culture, just so we can start talking frankly about that. It’s not bad on you for being breached. It’s going to happen. … Let’s talk about how together we can share lessons learned, ways to defend it, ways to protect, get better, and also ways to put the pain back on the bad guy. That’s how we can win this battle in the long run.”