No cybersecurity measure is 100% reliable. That’s why agencies need a dose of resilience, the ability to get back to normal, if a cyber attack were to succeed. For ideas on how to get more resilient, a group of smart thinkers got together in Washington. The Federal Drive with Tom Temin spoke with one of them: Tony Scott, a former federal chief information officer.
Tom Temin: Tell us what happened that you came up with a good list of ways that agencies can become more resilient. What was the methodology for getting out this list?
Tony Scott: Well, we had a series of discussions, ultimately, that resulted in a roundtable, one in Washington, D.C. and the other in Rome, attended by a number of people who have a stake in the game or an interest in the outcome in terms of government and institutional resilience. And of course, it was Chatham House rules. But if you look at the report published by the IBM Institute for Business Value, you’ll see the participants and you’ll see the set of recommendations. My role in this was to attend both of the sessions, one in person and one virtually. Obviously, the Rome one virtually. And then to summarize the conclusions and to summarize the discussion among the participants. I found it to be a very robust and interesting conversation.
Tom Temin: Well, notwithstanding that you got the in-person and by Zoom mixed up, because I would have definitely gone to Rome and done Washington by remote. But nevertheless, maybe quickly define what you meant by resilience in the ensuing report.
Tony Scott: Well, I think broadly speaking, it means building mechanisms and resources so that in the face of cyber issues, no matter what they are, you can recover and resume operations to the fullest extent possible, and do that in a reasonable time. The problem with a lot of our infrastructure and even institutions is they’ve been built over decades. And when harmed, depending on the degree of harm, you don’t have decades to rebuild. You need to recover pretty quickly. And that’s especially true of the digital infrastructure that I think everyone’s most concerned about. But there are other aspects of it as well, because all of the digital manifests itself in some form of physical presence as well.
Tom Temin: Is it possible to know in advance or to measure? Are there any metrics for resilience, until you actually have to invoke it?
Tony Scott: I think there are exercises that you can do and practices that you can engage in. And this was, obviously, talked about a lot in the report, and it’s also been very valuable from my experience. The analogy you may have heard me use is, you don’t get to Carnegie Hall after your first violin lesson. And practice, in this particular case, makes you better. And so one of the recommendations that we spent some time talking about was making sure that all the relevant institutions and organizations and stakeholders have multiple practice opportunities to recover from many different kinds of events that might possibly occur.
Tom Temin: We’re speaking with Tony Scott. He is currently the CEO of Intrusion and was federal CIO during the Obama administration. And you’ve listed in your after-action report here, from these roundtables, several steps that agencies can take to start to build in what is needed for resiliency, given how potent attacks have become. Review for us some of the other things they should be doing now.
Tony Scott: Well, one of the foremost things is the talent problem, and this was number one on our list. I think all institutions globally have realized that the amount of resources and the skills of the resources that are available today are insufficient, really, to do the things that we aspired to do, in terms of being resilient. So first and foremost, it’s increasing the cyber talent pool of resources that is available. And some of the recommendations included educating people earlier in cyber and making it a part of K through 12 curriculum. For example, expanding apprenticeship programs. In some cases waiving the requirement for a four-year degree for some of the roles that people can perform, and a number of other recommendations like that to try to scale the cyber talent resource base above and beyond what’s occurring today.
Tom Temin: And one of the other recommendations was to improve organizational collaboration for faster response. And if you take that and the personnel question together, I guess my question is, is the government going too far in centralizing all of the knowledge and authority in CISA, the Cybersecurity and Infrastructure Security Agency? Or should the ability to respond remain diffuse? In other words, could you build up CISA too much and atrophy some of the resilience that might be needed locally, agency by agency?
Tony Scott: Well, I think actually, and this was part of the discussion we had, you need both. You do need some center. Everyone basically agrees to coordinate strategy and to do some of the things that, frankly, only government is in a position to do. But you also need to have a lot of resource and activity at a very local level, and make sure that it’s adequate for the risks that are exposed at a local level. And so, I think the recommendation very strongly is you really need both. I would never say at this point, that we’re over-concentrating or we have too much resource in the cyber battle. Because the reality is every day we’re still seeing attacks and successful compromises and those kinds of things. And I wouldn’t claim that we’re winning the battle at all, at the moment.
Tom Temin: Right. It seems like most of the damage that has occurred has been at the nonfederal governmental level. School districts, health care systems that might be publicly operated and just government agencies at the municipal and state level.
Tony Scott: Yeah, I think that’s right. And what we’ve seen is that the cyberattackers have decided to go where the money is easiest to get, which is some of these more mid-sized and lower sized organizations that may not have the resources or the skills to properly defend against some of these attacks, and in fact, may be more willing to pay a ransom to get out of an unfavorable situation. And so the level of attacks for those kinds of institutions has gone up. But I think that trend also still emphasizes the need for coordination across a broader scale, because many of these institutions can’t afford to mount the kind of defenses that would be needed in collaboration with government and other resources, to both educate them and also help them defend when these attacks occur.
Tom Temin: And the other axis is aligning public and private sector cybersecurity priorities. And for many years, the federal government has had this kind of reporting relationship with different elements in the private sector. Different parts of [Department of Homeland Security (DHS)] and other agencies have their private, I guess, counterparts in industry. What more needs to be done on that front?
Tony Scott: Well, I think this is an interesting tie-in in some respects; the question’s an interesting tie-in to the new federal cybersecurity strategy that came out after these discussions had taken place. But, it has to do with shifting some of the responsibility and some of the resources that are needed to fight cybercrime and cyber criminals to those organizations that are best prepared to have an impact. So making software companies more responsible, making telecom carriers more responsible, and then prioritizing all of that work, both from a law enforcement perspective as well as legally and governance-wise, I think are all big steps towards aligning our priorities and getting everyone on the same page, in terms of what our policies are, how we’re going to respond, who to call. All of those kinds of things have been a bit confusing. And if the public and the private sector are a lot more highly aligned around what action we’re going to take, who’s responsible, what the pecking order is, all of that’s good news if we can pull it off.
Tom Temin: Yeah, cyber is never set-and-forget, is it?
Tony Scott: Hasn’t been, at least in my experience, that’s for sure.