This content is sponsored by Microsoft Federal.
With the recent cybersecurity executive order and the critical infrastructure control systems memo, President Joe Biden’s administration is making cybersecurity a top priority. Federal News Network sat down with Jason Payne, chief technology officer for Microsoft Federal, and Steve Faehl, chief technology officer of security for Microsoft Federal, to dig deeper into these recent moves, what makes them important and how federal agencies can partner with industry to achieve their goals.
Federal News Network: How can private sector be good partners to the federal government when tackling both specific threats to critical infrastructure and broader security challenges? And what can government do on its part to collaborate with industry and apply best practices?
Jason Payne: The key word in this journey is collaboration. I think government really operates in a realm where they can establish the foundations, such as clarity through terminology and definitions, which then enable these partnerships to flourish. One of the things that the memo established is around threat intelligence sharing from the government back to industry. Service and technology providers don’t always get to see all of the details of attacks that are happening in the wild. And so the government acting as a collection point to then give industry those insights back is incredibly helpful for driving security innovation, and to ensure that modernization is truly addressing the most critical challenges for this infrastructure.
Steve Faehl: Keeping those lines of communication open and expanding them based on different critical infrastructure areas would be key to ensuring that private industry is ready to respond. While I’ll note that this is inherently a quiet and closed community, voluntary forums give individual providers an opportunity to bolster their security posture, presence and awareness based on some of the sharing, which in turn, can improve economic and national security.
Federal News Network: The private sector has been looking for certain protections to be codified by Congress in order to help lower the barriers of consequences and liability, and thereby increase incentives for threat sharing. What other barriers exist and what else can be done to lower them?
Steve Faehl: The first one that comes to mind is culture. When it comes to a lot of cybersecurity postures at times, it may seem that quiet is better. However, not sharing inherently creates a level of false security, particularly in the commercial market, where there might be liability. Transparent sharing with the government, maybe through some levels of specific obfuscation, allows us to show that critical infrastructure providers aren’t alone in the challenges that they face. It gives providers an opportunity to look at creative solutions to mitigate their most serious risks that might be being performed in other markets or other critical infrastructure sectors. The attack patterns are often the same, regardless of sector. The mitigation strategies could follow a similar pattern as well.
Jason Payne: One of the ways that we’ve undergone this mindset shift is we don’t look at cybersecurity as something that is addressed on a company-by-company basis. We collaborate regularly with competitors when it comes to cyber defense. The right question would be ‘how are we going to defend against these threats as an industry, not private company silos, but really the government bringing us together to say, what are the threats that we face as an industry? And how are we going to combat them?’ When those collaboration paths and relationships are established, we can start to change the culture to an industry level defense, as opposed to just an individual company.
Federal News Network: When standing up the President’s Industrial Control Systems Cybersecurity Initiative, as detailed in the memo, what does the government need to keep in mind? And are there any best practices, requirements or common pitfalls?
Steve Faehl: What the government is doing is spot on, with opening up threat sharing data, trying to establish principles of collaboration and sharing and overall mitigation strategies. I think as they look forward, you see elements of this expanding within the memo. That’s the right approach for the government to take as well, one by which they go through a learning process, and one where we can learn from a lot of the failures that we have. The other thing to keep in mind is that oftentimes, industry looks for best practice guidance from the government.
Jason Payne: It’s always beneficial when the government avoids overly specific implementation details and focuses on the outcomes. Obviously, there needs to be some level of implementation requirements but overly specific ones can discourage innovation and the desire to apply new technologies and mechanisms to solve pre-existing problems.
Industry is already having difficulty mapping, matrixing and understanding all the various requirements for compliance that are levied on organizations as they create new technologies or operate existing technologies within regulatory frameworks. Snapping to existing regulatory and implementation frameworks or standards guidance that’s been provided by bodies such as [the National Institute of Standards and Technology] or [the International Organization for Standardization] helps industry to have a cohesive effort for compliance, as opposed to a fragmented one.
Federal News Network: How would you gauge the progress that agencies are making in areas such as zero trust, and what needs to be done to accelerate?
Jason Payne: We’re seeing some really great planning cycles as we’re collaborating with agencies now, especially around the cybersecurity executive order that requires zero trust planning to be in place. Realizing it is a journey, and that we need to move faster, partnering with private industry experience can help get agencies over the line, not just with technology, but also with the people/process aspects of zero trust. We’re definitely seeing an increase in velocity.
One challenge that agencies need to overcome is the weight and burden of legacy software. Taking that first best step of ‘modernization is security’ and moving to a cloud evergreen model is the right approach.
Steve Faehl: I think there needs to be a recognition in industry and in the government in that moving away from those legacy software platforms to PDF on-premises or others really eliminates technical debt in their environments. Eliminating technical debt should free up the resources and the investments needed to continually make zero trust architecture investments, and improvements in their overall service security, operational processes, the way that they do threat mitigation, incident response, etc.
Federal News Network: How do these executive orders and memos help build a framework for a more secure baseline for long term cyber leadership? And are there any areas that have not yet been addressed that you guys see as critical to success?
Steve Faehl: A lot of these approaches are somewhat mandatory within the government, but voluntary within the private sector to-date. I think that’s the right path for the government to take. But as the government looks forward to what I suspect will be future executive orders or memoranda on these continuing topics, I think an orchestration and integration of them will be very important. For areas that haven’t been addressed yet, I think there’s a balance there where the government may need to step in versus where industry needs to continue to innovate and protect itself.
Jason Payne: Having the right foundations and a shared understanding of the effort is really the starting point that, if we don’t get right, will continue to lag in cybersecurity efforts. Innovation is not slowing down anytime soon, and security can’t afford to either.