Army Corps, CISA take distinct approaches to cyber priorities amid remote workforces

Coronavirus has changed much about the way federal agencies conduct business, but the need for better cybersecurity postures was already present – as well as the need for cyber talent.

Defense and national security tech leaders are trying to balance implications of mass telework with pre-existing cyber priorities, and fend off an unending onslaught of bad actors trying to exploit the – in some cases – woefully unprepared remote federal workforce.

Dovarius Peoples, chief information officer/G6 for USACE, noted that cyber is a high-demand, high-turnover industry and government is limited in how it can compete with the private sectors. As part of the “Telework in DoD and Fed: Security Strategies for the New Reality,” a webinar presented Thursday by SIGNAL Magazine and BeyondTrust, Peoples said the Corps is pushing training – virtual rather than in-person, due to the pandemic – not just certification, to retain cyber talent.

“In legacy context, we’ve always looked at the certification aspect. So now, instead of pushing certification heavy, how can we ensure that our employees have the skills?” he said. “Because the certification just shows you can take a test. But if you have the skills you’ll be empowered to be successful.”

Advertisement

Distance learning has gone over well for Corps HR personnel, he said. Meanwhile, the Army is also recoding thousands of positions and reskilling their workers as part of the Quantum Leap project.

At the Cybersecurity and Infrastructure Security Agency in the Department of Homeland Security, leveraging the scholarship for service program has played a large part in recruiting or retaining cyber talent, according to John Simms, senior technical advisor in the Office of the Chief Technology Officer.

“We’ve hired a substantial number of our interns over the past seven or eight years and even going back further, that are now leading certain elements of our organization,” he said. “And we’ve recently established a cybersecurity curriculum program where .. we’re taking the fed VTE, which is the virtual training environment, and revising that whole platform, as well as establishing curriculum standards for K-12.”

Chris Hills, deputy chief technology officer at BeyondTrust, a privileged access and identity management company, said that most organizations lack the infrastructure to go remote on a mass scale. Offices are trying to balance normalcy with a strange and dynamic new work environment, and remote access is a prime vector for cyber attacks.

“You’re going to run into the issue where, you’re going to be giving admin rights to a lot of people as they work remotely,” he said. “Unfortunately, it’s just the way it is in order to maintain and continue doing business. So using a tool such as, let’s say, a bastion host or something to provide a secure remote access is key.”

In addition, Hills said using a traditional password access management solutions will help because they can check passwords or auto-inject them into a browser, into a session or into an application without those passwords leaving the environment.

When determining how to focus an agency’s cyber resources, speakers gave different answers and acknowledged it is not a one-size-fits-all matter.

At USACE, Peoples said the strategy has been to work from the outside in.

“Once the perimeter is secure, then you have the ability to look at a lot of other critical aspects. And we, again, use the deny-all-allow-by-exception [rule]. So if I block you at the gate, then I can parse out everything to see what goes,” he said.

Now the Corps can examine opportunities for divestment of unnecessary cybersecurity architecture, he said.

Hills added that BeyondTrust focuses more on protecting at the core. He said it’s important that an organization first ask itself whether its new cyber posture is in response to a failed audit or other leading factor forcing them into this stance. Or is the organization simply trying to join the game and mitigate risks?

“And so ideally you have to look at, do you want the quick wins first or are there risks that are out there that are potential to your organization that you need to mitigate? Maybe it’s a framework that you’re starting to follow?” he said.

For Simms, segmentation, or defense in-depth capabilities, is important.

“You look at the phishing attacks that are occurring – it’s usually done through email, which is going to bypass the firewall. They will exploit user privileges on user endpoints, which is something about configuration management and vulnerability management – making sure they’re patched.”