Be aware, adaptable to new threats says OPM’s cybersecurity chief

Winning the cybersecurity war isn’t about eliminating all threats, but understanding there will always be an enemy and adapting to each new fight.

Speaking publicly for the first time since his November hiring, the Office of Personnel Management’s Senior Cybersecurity and IT Adviser Clif Triplett shared his vision for how to address cyber threats during a wide-ranging webcast Dec. 14, hosted by Bloomberg Government.

“We should never assume that we’re going to eliminate the defects or the cyber...

READ MORE

Winning the cybersecurity war isn’t about eliminating all threats, but understanding there will always be an enemy and adapting to each new fight.

Speaking publicly for the first time since his November hiring, the Office of Personnel Management’s Senior Cybersecurity and IT Adviser Clif Triplett shared his vision for how to address cyber threats during a wide-ranging webcast Dec. 14, hosted by Bloomberg Government.

“We should never assume that we’re going to eliminate the defects or the cyber threats,” Triplett said. “We need to keep working harder to make sure we keep finding them. We may have to look harder to find them, but that’s what we should do. Our goal should not be zero.”

Triplett was joined by White House Special Assistant to the President and Cybersecurity Coordinator Michael Daniel, who echoed similar sentiments, saying it was important when building a cybersecurity framework to be ready to face system compromises “not if, but when they occur.”

“You need to be able to recover from them and even operate through them,” he added.

Both men also recognized OPM’s cyber breach this year as the catalyst for the government’s renewed approach to cybersecurity.

In late October, Federal Chief Information Officer Tony Scott and Office of Management and Budget Director Shaun Donovan signed off on two memos, each building on a 30-day cyber sprint to create a long-term vision and specific deadlines for agencies to give more than lip service to improving their network and data security.

One of them was the cybersecurity strategy and implementation plan for civilian agencies.

“CSIP directs a series of actions to improve capabilities for identifying and detecting vulnerabilities and threats, enhance protections of government assets and information, and further develop robust response and recovery capabilities to ensure readiness and resilience when incidents inevitably occur,” Scott said in an Oct. 30 blog post.

Triplett said OPM had been transitioning to personal identity verification (PIV) cards with multi-factor authentications, rather than just having to remember a password. He said there is a lot of room to improve with processes and policies, without dipping too far into pockets.

“It won’t cost us necessarily more, we’ll just do it differently because now we’re much smarter. We’re going to bring more people sensitive to cybersecurity into the organization,” he said. “There’s a real big initiative on right now to bring more talent into the organization. It’s not always all about spending all kinds of money. We’re going to get a lot of protection just by changing our behaviors.”

Cybersecurity is also about risk management and making decisions at senior levels, whether it’s in a government agency or a corporate office, Daniel said.

“It’s not something you can just relegate to IT staff and have it be done effectively,” Daniel said. “It’s really got to be a corporate decision led by the CEO in order to make that kind of risk tradeoff that you’re inevitably going to have to make.”

Daniel said while external cyber threats are a real issue, when it comes down to the numbers, “most of the time the adversary is getting in through a vulnerability that we know about and know how to fix.”

“I think in order to do cybersecurity effectively, you actually have to be integrating the technology but also the human factors involved with it, the business economics and processes that go with it,” Daniel said. “All of those factors have to be combined in order to really do cybersecurity effectively.”

Triplett said what keeps him up at night is the concern about the “interconnectability” of systems.

“I get concerned as every day we’re trying to automate and connect one more thing to one more thing. You hear the discussion of the Internet of Things. We’ll be so connected, I’ll wake up one morning and I’ll have a reasonably minor event that will turn into a catastrophic event and I won’t be able to find out where the root cause was because of the ripple potential,” he said. “That’s pretty scary. One of the things I’ll be looking at is making sure we have the ability to air gap some of these systems. If the risk potential is raised, that I can begin to air gap them and protect them.”

Read all of Federal News Radio’s coverage of the OPM Cyber Breach

Related Stories