From the beginning, the Office of Management and Budget has made cybersecurity the lynchpin of its IT modernization strategy. Let’s face it, getting Congress to agree to fund IT modernization efforts wasn’t going to be easy. But given all the recent breaches, from the Office of Personnel Management to JP MorganChase to Target, using cyber as a reason agencies need to modernize was not a heavy lift for lawmakers to get behind.
But here we are three years after the OPM breach, and agencies continue to face the same challenges.
OMB reports agencies continue to spend almost 80 percent of their IT budgets to support legacy systems, which means both goals of IT modernization and improved cybersecurity is not happening quickly enough.
At the same time, there is hope.
Lawmakers approved $19 million in 2018 for the IT oversight and Reform Fund, which can be used for IT modernization and cyber efforts.
DHS was expected to spend $722 million, including $102 million on the continuous diagnostics and mitigation (CDM) program and $287 million on the national cybersecurity protection system.
So there is money coming into agencies to address cyber challenge, just not through the IT modernization channel.
Agencies have a great opportunity to address both of these challenges.
Rick Howard, the chief security officer for Palo Alto Networks, said the wide-spread acceptance of using cloud services for operational requirements is driving opportunity to modernize.
“The money is coming in and you have this new opportunity to deploy your security tools and your operational tools into these new environments. Why would you duplicate what you have done in the past?” Howard said on the Innovation in Government show. “It is different today because it looks like it’s working. Too many organizations have moved to the cloud and have had complete success.”
Howard said a key factor in this move to the cloud is data security in a shared responsibility between agencies and the cloud provider.
“The cloud provider secures their infrastructure, but you, as the data owner, have to make sure your data is secure,” he said. “What’s happened is a little confusion. Cloud providers have been offering security solutions for their environments so what that means is network defenders are trying to deploy another set of security controls in these environments. There are too many tools deployed anyways. We just can’t consume any more security tools so when you go out to the cloud and purchasing a cloud provider security tools, that’s just more tools your staff has to learn to configure and operate correctly.”
Howard said Palo Alto estimates that small agencies already have 15-to-20 security tools, medium agencies have between 50 and 60 and large agencies have more than 150 security tools.
Instead, Howard said there are technologies that can provide agencies with the same security capabilities that can be deployed inside and outside their perimeter.
In fact as the network has expanded to include mobile, cloud and on-premise data centers, agencies now have created “data islands” that all need to be equally secured and accessible.
Howard said agencies need to have the same cyber technology that connects all data islands to reduce complexity and ensure a baseline level of security.
“You can put the same security environments in all of those places. You should demand it, and if your vendors don’t do that, you should be finding vendors that can,” he said.
He said this approach flies in the face of the security best practices over the last 20 years: vendor in-depth, complexity is the enemy and best-in-breed.
Over the last eight years, security experts have changed their thinking based, in part, on a 2010 paper from Lockheed Martin on the intrusion kill chain. The intrusion kill chain called for security at each layer of the network infrastructure so if a hacker gets through one security tool, they have to face another one.
Howard said security thinking continued to evolve as the intrusion kill chain created more complexity as tools didn’t integrate.
“What has emerged as a solution is a platform play. Most of the firewall vendors now have this as a solution. They try to do most of the things you need for basic firewall services and protections down the entire intrusion kill chain. Then, the vendors that you have should integrate any other tools you think you must have to supplement all of those things,” Howard said. “Those best practices are the main reason we are in the trouble we are in with so many tools to manage and not enough people to do them.”
Howard said the use of dev/sec/ops especially in the cloud will make a big difference in how security is developed and maintained. He said the new best practice is to seek vendors that integrate easily with an eye toward using tools with the most capabilities as possible.
Rick is the Palo Alto Networks’ Chief Security Officer (CSO) where he has overall responsibility of the company’s internal security program, leads the Palo Alto Networks Threat Intelligence Team (Unit 42), directs the company’s efforts on the Cyber Threat Alliance Information Sharing non-profit, hosts the Cybersecurity Canon Project, and provides thought leadership for the company and the Cybersecurity community at large. His prior jobs include TASC CISO, iDefense General Manager, Counterpane SOC Director, and Commander of the U.S. Army’s Computer Emergency Response Team where he coordinated network defense, network intelligence and network attack operations for the Army's global network. Rick holds a Master of Computer Science degree from the Naval Postgraduate School and an engineering degree from the US Military Academy. He also taught computer science at the Academy from 1993 to 1999.
Jason Miller is an executive editor and reporter with Federal News Network. As executive editor, Jason helps direct the news coverage of the station and works with reporters to ensure a broad range of coverage of federal technology, procurement, finance and human resource news.As a reporter, Jason focuses mainly on technology and procurement issues, including cybersecurity, e-government and acquisition policies and programs.