Forcepoint and CyberScoop’s recent Cybersecurity Leadership Forum showcased an expert panel discussing the opportunities and challenges of implementing analytics to help protect federal agencies from cyber threats.
At the heart of the discussion was agency mission. Chad Sheridan, Chief Information Officer, Risk Management Agency at the U.S. Department of Agriculture (USDA) commented that federal agencies often fail to bridge the gap between cybersecurity and mission because they lack clarity on what systems are truly most important to mission execution. He noted that analytics are a great tool to gather the insights that will help more quickly bridge that gap.
But in what felt like almost a counter-shared services perspective, he commented that because of the Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) program, the federal focus on analytics is becoming centralized and requires caution to make sure correct agency-specific advantage is attained: “I love the idea of CDM making data more visible up to the top level, but…I worry that our inability to bridge the cyber-to-mission gap, and an over-focus on centralization, could mean $1T in spend but an inability to articulate the value to our agencies.” Given the high level of attendee interest in CDM, with two conference sessions dedicated to it, CDM is clearly poised to be very widely adopted – so a centralized/distributed balance will undoubtedly need to be struck.
Micah Czigan, Associate Deputy CIO for Cybersecurity at the Department of Energy (DoE) noticeably felt the responsibility of his agency’s massive mission – energy grids simply cannot go down. He explained that each of the hundreds of DoE sites is like a unique IT snowflake: “I could hire ten thousand analysts and we’d never find everything manually; analytics is the only way to find things, and we catch things often.” But with the IT trend changing to a focus on Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) architectures – spanning large geographic areas – the DoE is entering unfamiliar territory. Different analytics are now needed to detect new vulnerabilities and threat actors, creating a requirement for a new terminology to communicate in a commonly understood way. Czigan is looking to the National Labs and the private sector for leadership in shaping that new terminology.
Toward improved communication, Sheridan underscored the importance of people – real humans with the contextual knowledge of an agency’s mission – in translating analytics into something relevant and useful; for example, in the USDA’s purview, specifying what cybersecurity means for farming leaders. Such salient information is what will change agency culture and turn the needle on better security.
Larry Hale, Director, IT Security Subcategory, Office of IT Category Management at the General Services Administration (GSA), explained the role the GSA is anxious to play in helping agencies navigate the analytics challenge. He noted that innovative technology products like analytics tools are more easily acquired through the GSA’s Schedule 70 contract vehicle. In an effort to raise the security bar across all levels of government, GSA has also empowered state and local agencies to purchase off Schedule 70 through the GSA’s Cooperative Purchasing Program.
Hale’s team is dedicated to assessing and understanding individual agency needs, and helping them get the analytics tools, training and services that will best support their unique mission. He explained that the GSA must work with agencies where they’re at; each has a different level of cyber maturity, so pushing a single solution won’t work.
Going forward, Czigan emphasized the need to put information into the hands of local responders. He explained the DoE’s goal as aggregating all cyber data in the cloud and providing access to all sites for reference, learning and comparing across the entire landscape to spot related threat events. Such direct access will allow local responders to react in real time.
Sheridan called for taking friction out of the system. He espoused applying Lean Manufacturing and IT development principles to cyber: “Make indications the same thing, harness the value of shared data and indicators. There is no mission value in chasing bad data.”
As a testament to the benefit of analytics done right, Czigan confirmed that analytics the DoE wrote 10 years ago are still in use. He noted that they have the opportunity and the obligation to keep building on that foundation: “I have optimism we’ll get there.”
Kathy Stershic, CIPM and CIPP-US, is a Senior Director of Content for W2 Communications.