For 23 years, he’s been a steady, even-handed overseer of cybersecurity as exercised by federal agencies. Now he’s decided to call it a career. For his perspective on a persistent topic, the director of information security issues at the Government Accountability Office, Greg Wilshusen spoke with the Federal Drive with Tom Temin.
Tom Temin: So you decided to hang up those spurs after all these years.
Greg Wilshusen: I have. The time seems right. We’ve gone through a very effective transition from me and a succession plan. The work that I have been performing is now going to be conducted by some very talented directors at GAO.
Tom Temin: And cybersecurity has been an issue. I mean, they used to call it computer security at some point. And it was–could people beep and tweet their way–and tweet with a small “t”–their way into mainframes and use the telephone and so on. Now it’s a panoply of issues. You’re always positive. You’re always upbeat, even when you have a critique for an agency, knowing how horrible the danger is that you’ve been looking at all these years?
Greg Wilshusen: Right? We try to stay upbeat, but we try to be very realistic and give a balanced view of what we find. And, you even mention about computer security and how far back it goes. When I started–and I am definitely dating myself–it was automatic data processing. And at that time, it was like back in the eighties, when I actually started doing this work at other agencies and the focus was on physical security in that. But now, as you mentioned, we try to give a very balanced view during our audits in our reports on how well agencies are doing and implementing certain aspects related to cybersecurity. But at the same time, we need to be very objective and provide the results of our review and identify meaningful recommendations for the agency.
Tom Temin: It seems like there’s a culture at GAO of discussing the issues but studiously avoiding motivation, discussion or harsh critique. I mean, you look at the politicians, they never argue about policy. They argue about one another’s character and what it is they hope to do. Luckily, that doesn’t translate very far down into the bureaucracy, into the day-to-day operation of the government. I think that’s one of the strengths, don’t you?
Greg Wilshusen: Well, I think, certainly, within the federal government, one of the crown jewels, I believe, related to cybersecurity is the National Institutes of Standards and Technology. They put out some very strong and useful guidance and standards that agencies need to follow, and cybersecurity is not really a political issue. It’s more of an implementation execution issue when it comes to protecting agency information, and by extension, often the personally identifiable information of American citizens and other individuals. So it’s vitally important that agencies do it correctly, and we’re here to help them do that.
Tom Temin: And as you exit, is your assessment of that, in general, the agencies are safer than they were before?
Greg Wilshusen: I would say that they have made advancements in their ability to protect against certain types of threats and protecting the information. But I’d be hesitant to say that they are safer, primarily because the threats change, the technology changes, the business practices within agencies changes. All of those introduce risk, and as those risks continue to evolve and the threat actors are becoming more sophisticated, we believe in, as we’ve reported last year, that federal information security remains at high risk.
Tom Temin: And I guess, as you say, the threats do change. I mean, some of the threats could not be imagined a few years ago. Phishing, for example, has gotten so sophisticated that, in my own company working here, if I get an email that seems to be coming for the company I forward it to our IT guy, and I say, “Legit or phishing?” And he’ll say, “Yeah, that’s OK,” or “Yeah, you’re right. This is no good.” TikTok. I mean, all of these kinds of bizarre things no one dreamed about. So I guess maybe the issue for federal agencies is how to develop radar to: What’s the next thing to worry about?
Greg Wilshusen: That’s exactly right, and one of the key things that we have been reporting on and, indeed, included in our high-risk report is the need for the federal government to really ensure the security of these emerging technologies that are being introduced into the workspace, and to be ever vigilant against the changing and evolving threats to address those. You know, you mentioned phishing. It could be very sophisticated actors who use that in order to compel or encourage someone to click on a link or visit a corrupted, malicious website. And so they’re, in addition to providing really strong training to the staff, agencies also can try to implement other types of technical controls to help authenticate the veracity and source of these emails.
Tom Temin: We’re speaking with Greg Wilshusen, soon to be the retired director of information security issues at the Government Accountability Office. Let’s talk about Greg Wilshusen for a minute. GAO 23 years. But that’s not the entirety of your career by a long shot.
Greg Wilshusen: No, actually I think I have kind of a unique career in that I have both private-sector and public-sector experience. Within the public sector, I’ve worked both at state government level as well as most of my career at the federal level. And within the federal level, I’ve worked at all three of the branches of government: the executive branch, where I worked for both military and civilian organizations, the judiciary, as well as the legislative branch, where, of course, I work now for GAO.
Tom Temin: Were you always a cyber person or do you have some other skills?
Greg Wilshusen: No, not always. Initially I started out as a kind of an operational auditor with the Army Audit Agency, conducting performance-related audits over the economy and efficiency of various different programs, and then in the private sector, I did a lot of different types of work related to developing policies and procedures, related to accounting and auditing, and also examining the security controls at various different entities. And then I moved down to North Carolina and became the controller of the state’s Department of Environment, Health and Natural Resources, which was one of the largest state departments at that time. And then I’ve also worked, from then on, primarily with cybersecurity at the Department of Education to help implement and design the security over one of its systems before coming to GAO and focusing on evaluating cybersecurity at federal agencies.
Tom Temin: And I guess, maybe, there’s a theme there, because developing financial controls, looking at the types of procedures to make sure those controls are auditable and so on–not that different from finance versus cybersecurity.
Greg Wilshusen: That’s absolutely correct. In cybersecurity controls, information systems controls are a key part of an organization’s internal control. And internal control is something that auditors and financial accountants are very familiar with and need to implement effectively in order to make sure that all the financial statements and the transactions are being adequately accounted for and recorded. So it’s part and parcel, in that cybersecurity is one element of internal control for an organization.
Tom Temin: Now, you have been a public servant for a long time, as you say at the state and federal level and throughout the federal government. Would you recommend to a graduate, let’s say, “Yes, public service is where you should head?”
Greg Wilshusen: Most definitely. I think it’s been one of the most rewarding endeavors of my life to work within the federal government, and particularly at GAO. Not only is it very rewarding from the type of work that we do, particularly in my area. The scope of work that we do is quite unique and we can assess cybersecurity at agencies across the entire federal government. We look to see how well the agencies are actually coordinating and working with the private-sector owners of our nation’s critical infrastructure, as well as looking at the privacy and how well they protect the privacy of personally identifiable information that they hold. It’s one that is vitally important to the American citizen. We collect a lot of information on them, and these systems that we’re examining can have a very tremendous impact on national security, our public health and safety, and our economic well-being. And so it gives a great deal of satisfaction to be able to help in some small way in helping the federal government work for the American people in a more accountable, efficient and effective way.
Tom Temin: And will you head to a think tank or a contractor or one of the nonprofit types of good government groups, or maybe just enjoy life a little bit?
Greg Wilshusen: I’m going to head to my wife and spend most of my time going forward with her. She already has a long “honey-do” list, you know, as long as my leg, and I’m six feet four inches tall. So I have a long leg for me to do, and I have a lot of deferred maintenance that I need to do on our home. So I’m going to be really busy over the next couple years just doing that. But, right, it’s going to be enjoying life.
Tom Temin: Greg Wilshusen is director of information security issues at the Government Accountability Office, and your retirement is exactly when?
Greg Wilshusen: March 26th.
Tom Temin: All right. So we may get you on the air one more time before then. But in the meantime, thanks for joining me.
Greg Wilshusen: And thank you, Tom, for having me.