It took 8,000 words to do it but the Biden administration’s executive order on cybersecurity, the latest in a long list of similar executive orders, makes cybersecurity improvement a central element in IT modernization. Chris Kubic, the former chief information security officer at the National Security Agency, said a shared or a centralized cyber service could help get this job done faster. He is now with Fidelis Cybersecurity, and he joined Federal Drive with Tom Temin for more discussion.
Chris Kubic: Good morning, Tom, it’s a pleasure to be with you again today.
Tom Temin: And you have read this executive order twice, cover to cover, and I congratulate you on your intestinal fortitude. But some themes and some ways ahead actually do emerge from it. And tell us what you took away in reading it.
Chris Kubic: It certainly was quite the read. And there’s a lot in there. So it took two passes through it to really kind of get to the full gist of what they were after. And really, there’s – takes a little reading between the lines here and there. But having worked in the government for many, many years, I was initially kind of skeptical about whether they’d be able to make progress this go round. This isn’t the first executive order that’s come out addressing cyber, but on a second read and kind of stepping back from it a little bit, I think there’s some key elements of it that I saw that’s kind of game-changing elements. The first being it’s pretty comprehensive. Past executive orders focused a lot on kind of the cyber hygiene aspects of it, of better patching across the government. But this is much more comprehensive. They include that, the cyber hygiene – improving that – but they really kind of roll out this active defense set of capabilities. They talk about deploying endpoint detection response capabilities across government. Another key theme there is being able to collect the data from across government agencies and centralize the collection of that data so that they can do centralized, kind of monitoring and analysis of that data. And that, in my mind, is a game changer. And then they also focused a lot on the incident response aspects of it, trying to automate and improve incident response so that the government can respond much more quickly to an incident, should we have another major incident, which I would expect that we would given the pace at which we’ve been having incidents pop up.
Tom Temin: Yeah, probably tomorrow. But I guess the question then becomes can centralized approaches work for both, say, the Commerce Department, with its however many tens of thousands of employees, and the Marine Mammal Commission that has 13 employees?
Chris Kubic: Well, certainly be interesting to see how this plays out. And historically, each government agency has kind of had the authority and autonomy to manage their own security, monitor their own environments. So there will certainly be some challenges just to sorting out the authorities for this. But I think, where I see it as a game changer is, as you pointed out, there’s a lot of different levels of cybersecurity maturity across the government. Agencies who are all different sizes, some have very well-staffed security teams, some have hardly any security teams in place. So I think the centralization will help to kind of level set across the government and really help out those smaller agencies that just don’t have the resources or the expertise to adequately monitor their infrastructures against these sophisticated attacks.
Tom Temin: And should that type of centralized service to do this, should it be located at CISA, the Cybersecurity and Infrastructure Security Agency? Should it be at your old place, the NSA has a lot to offer here. It could be any one of a number of hosts, where do you see it best being laid down?
Chris Kubic: Yes, that’s an interesting question and we’ll have to wait to see how that sorts out as well. You know, I think it’s gonna come down to some of the authority discussions. And I think even if the government is able to fully centralize, I think even centralizing around a couple of different large organizations or groups of organizations would be an improvement over where things stand today. So you know, they certainly talked in the executive order about maybe rolling up all the national security systems and having those be kind of managed and monitored collectively. And maybe that’s a role for NSA, since they’re the national manager for national security systems. I would expect that DoD will continue to centralize and manage their own systems, and certainly the intelligence community has a whole different set of challenges with the different levels of networks they have. So I would see them having a role in trying to centralize, but kind of where I would see CISA fitting in is, across the Executive Branch and being able to centralize all of those agencies, and that’s where you get into the cats and dogs that you mentioned earlier. Lots of small organizations where having somebody to kind of centralize and take control, that would be a good thing.
Tom Temin: We’re speaking with Chris Kubic, chief information security officer at Fidelis Cybersecurity and former NSA CISO. And do you think that the experience so far in Homeland Security in particular, with the Einstein program and the continuous diagnostics and mitigation (CDM) program, continuous monitoring programs where they have deployed and tried to get specific tool sets out to the agencies – is there any learning from that whole process, which goes back now, probably a dozen years in some cases that could apply to this centralized approach for information gathering and mitigation?
Chris Kubic: Yeah, no, I think there’s certainly lessons to be learned from past approaches. But I think the key for this is really to sort out those authorities, do that early on, and also kind of address accountability within the government, kind of holding the different agencies, departments accountable to actually implementing the requirements and agreeing to share their data in a centralized manner. So I think that’ll be key there. And then also, I’ve been, kind of give the thumbs up to the administration, they’ve really pulled together an all-star team with Anne Neuberger and with Chris Inglis and Jen Easterly. I mean, these are folks that truly understand cybersecurity, from lots of different dimensions, they have lots of experience working across the government on how to effect change within the government. So I think they can help to drive some of these requirements and kind of change the way business is done in the government from the past.
Tom Temin: And do you envision such centralized services, regardless of who manages them? And even owns them? Should they be in a commercial cloud, or should they be in a federal data center? Should they be somewhere in DISA or wherever?
Chris Kubic: That’s it – that’s a good question as well. I mean, I think operating at scale across the government, if you start bringing a lot of this data together, it will be a large data set. So you certainly will need a very scalable approach about how to bring this all together, you’ll need a platform to be able to process that data and, kind of churn through it and make the right correlations to be able to monitor and detect these stealthy attacks. So that could certainly be done in the cloud, it can be done lots of different ways. The challenge will be once again, back to the authorities, actually getting the authorities to bring all this data together. I think the actual platform itself, the technology issues there are pretty well understood and I think that can be sorted out.
Tom Temin: And just a thought occurred to me, do you see blockchain having a role here in securing this large data set, that you wouldn’t want the bad guys to get their mitts on?
Chris Kubic: Security for that data set will certainly be important. I’m not sure that blockchain is the right technology there. But there are certainly lots of technologies out there for securing large data sets. And once again, we’ll have to wait and see kind of what solutions. I think you kind of talked a little bit about it, whether this is a government function or pulling in the industry, and kind of leveraging their expertise, and maybe even looking to industry to do some of the detection response capabilities. There are service providers out there that do managed detection response at scale for large corporations today. And then those could certainly be brought to bear to help define this centralized model and to kind of backfill the government expertise on this overall monitoring approach.
Tom Temin: Chris Kubic is chief information security officer at Fidelis Cybersecurity and formerly had the same job at the NSA. Thanks so much for joining me.