The federal government is facing a confluence of factors that make defending their networks increasingly difficult at a time when the number and sophistication of the malicious actors attacking them is only increasing. That’s what we heard when we recently sat down with Parham Eftekhari, the Executive Director of the Institute for Critical Infrastructure Technology (ICIT).
ICIT is “America’s Cybersecurity Think Tank.” It is a vendor-agnostic, objective source of research and educational information that helps the government and private sector organizations better equip themselves and prepare for the ever-present cyberthreat. As a think tank dedicated to studying the current threat landscape and the security challenges facing organizations, they’re among the best sources of information when it comes to understanding the cybersecurity posture of the military and federal government.
During our discussion with Parham, which took place on the heels of ICIT’s 2019 Fall Briefing – which featured a number of cybersecurity experts from across the public and private sector – we talked about why cybersecurity is such an uphill climb for today’s government, the unique challenges facing the different sectors of the government and why leadership is really the best solution to security problems.
Here is what he had to say:
GovCyberHub (GCH): Can you tell our readers a little bit about ICIT? What does the organization do?
Parham Eftekhari: ICIT is the Institute for Critical Infrastructure and Technology. We’re a 501(c)(3) nonprofit cybersecurity think tank. Our mission is to improve the resiliency of our nation’s 16 critical infrastructure sectors, defend our democratic institutions and empower generations of cybersecurity leaders.
We do that by developing original content with stakeholders from public and private sector organizations. That research is made freely available on our website (www.icitech.org). We share the research with partners and our community members – including the legislative community, federal agencies, state and local government leaders and practitioners, and cybersecurity leaders and community members in and across the nation’s critical infrastructure sectors, such as healthcare, finance, manufacturing, communications, and technology.
From this foundation of research, we have the privilege of educating the community. We do things like run briefings, roundtables, and engage with the media. We are looked to as trusted, objective educators dedicated to helping the community sift through the clutter and noise that’s out there.
GCH: What does the current threat landscape look like for government agencies and the military? What kinds of malicious actors are they facing? What kinds of attacks are being perpetrated against them?
Parham Eftekhari: At the highest level, you have a convergence of negative forces. You have insecure supply chains that continue to introduce vulnerable technology into the government ecosystem. You also have antiquated, legacy architecture that is insecure because of the age of the technology and factors that contribute to its inherent insecurity.
At the same time, you have agency CIOs and CISOs whose networks are growing due to a number of factors – including IoT and shadow networks, and operational technology that is now connected to the Internet (IT and OT convergence) that is adding to the threat landscape.
Then, you have a proliferation of readily available malware and various types of adversaries like nation states or cybercriminals who are able to exploit all those different vulnerabilities.
On top of that, you also have a people challenge. We need to better educate employees within agencies. We also have a personnel issue. We need more highly trained, highly skilled cybersecurity practitioners to fill the jobs that exist.
All of these things are put in a pot and mixed up, and you have the state of government cybersecurity, and that’s what federal leaders are tasked with addressing.
GCH: ICIT and DLT recently co-chaired the ICIT 2019 Fall Briefing. Based on the discussions at that event, what would you say are the top priorities for IT and cybersecurity leaders in the government today? What technologies are they looking to invest in? What vulnerabilities are they most looking to address?
Parham Eftekhari: I think they’re starting with the people. They’re always looking to bring in the right people. One of the top issues that came up was leadership and culture. And that all comes down to people. If you ask any CIO or CISO, that’s always at the top of their list of priorities – who’s leading their teams and who is on their teams. When it comes to the challenges that we discussed, that’s always going to be the priority – to continue training and hiring so that they increase the skills of their team.
From a technology perspective, it’s exciting and fun to talk about the new, sexy technologies. But the reality is, cyber hygiene still is the primary focus for many organizations. They need to do basic blocking and tackling. That’s an area that organizations need to master before they move on to more advanced, more exciting technologies.
Good cyber hygiene includes developing robust cybersecurity awareness programs so that your employees aren’t clicking on malicious links, segmenting the network, making sure they’re patching systems and applications. Once the house is in order, then they can start thinking about leveraging some new, innovative capabilities.
There are some exciting things out there – Zero Trust architecture, network monitoring for anomalous behavior, using AI and ML to automate security processes that free up personnel time to focus on more value-added decision making. These are exciting things, and these are some of the areas that agencies are focusing on.
GCH: The Fall Briefing featured a large number of government and military security professionals and IT leaders. Were there any particular security challenges or themes that you heard about from these individuals?
Parham Eftekhari: Some of the challenges that virtually every public sector agency and federal leader is facing – regardless of which agency or sector – include challenges with respect to cultural issues and leadership challenges within the organization.
We often talk to CISOs and CIOs, and they tell us that – while budget is always an issue and going through the acquisition process is a challenge because there’s always a need to improve access to better technologies – at the end of the day, the most important variable in the success of any technology program comes down to the people in the organization.
One of the common themes that we heard at the ICIT Fall Briefing was the importance of strong leadership. Leadership is pervasive in an organization. Leadership doesn’t come exclusively from the top. It starts at the top, but leaders in an organization want everyone on their team to take ownership of the project, and they want a team full of leaders and not a team full of followers. Which is why we heard a lot of talk about the importance of the culture of the agency and of the teams that are running these programs.
We also heard a lot about supply chain and supply chain security. The Department of Defense (DoD) is one of the agencies focused heavily on that. The cybersecurity supply chain security maturity model was discussed heavily [at the Fall Briefing]. This started well over a year ago when MITRE released its Deliver Uncompromised proposal, and we heard various leaders at the Pentagon talk about their shift in thinking and a change in the DoD acquisition process where security becomes a pillar of acquisition.
At the briefing, DoD and intelligence community speakers talked about the threat coming out of places like China in respect to a lack of confidence in the integrity of the hardware and software being produced. So, supply chain security is a very important area of focus, not just for the DoD, but also across intelligence and civilian agencies.
GCH: Why do you think securing the supply chain is such a difficult thing for the DoD and intel communities to accomplish?
Parham Eftekhari: One thing that stood out to me, with respect to the defense community, was the scope and scale of the defense industrial base. This makes addressing the threats they face very difficult.
If you look at the sheer volume of the acquisitions that the DoD does every year from a software and hardware and equipment perspective, securing that supply chain is something that is going to be a multi-decade effort. This is not something that’s going to happen in one administration, and that’s something people need to acknowledge and not get frustrated with. This is a marathon, even multiple marathons.
We deal with the defense industrial base, and when you look at the different players in that community, you have the large players such as Raytheon, Lockheed Martin and Boeing, but then there is a huge part of the ecosystem that are small and medium-sized businesses. From a contracting perspective, they actually make up the large majority of the companies that are providing the services. There’s only a small handful of the really large guys, so the large majority of companies that make up the defense industrial base are these small businesses.
When you look at the security requirements that are being placed on the defense industrial base, they make it very difficult for small and medium-sized businesses to be compliant. It doesn’t mean that they shouldn’t do it. It’s still a requirement and they must be held to those same standards, but I think those are some of the challenges that we’re going to have to work through.
Empowering and supporting the small and medium-sized business community within the defense industrial base to meet the new security requirements must be done to reduce the DoD and intelligence community’s risk of exposure. Ultimately, that will improve national security.
GCH: What about the civilian agencies? What are some of the unique security challenges that they face?
Parham Eftekhari: When it comes to the civilian agencies, there continue to be adoption issues. There needs to be a continued march towards modernization and investment in new technologies, moving away from legacy systems and moving towards cloud-based applications and services.
We’ve been talking about this for a number of years. I’ve been in the government space for more than ten years, and that was the first thing I learned—the cloud is here, we need to get on it. Ten years later, we’re still talking about it and it’s still a challenge.
We have to develop a standard, not only from a technology perspective, but from a taxonomy perspective so that there’s a way to measure the success of moving to the cloud and the ROI being generated. There are obviously tremendous benefits from an efficiency perspective – supporting the agency mission, servicing the citizen, and reducing the cybersecurity risk exposure. You can also better automate things if you modernize systems.
Another big theme is around “Zero Trust” architectures. There is clearly a mandate being led from our federal CIO all the way down. We had two of the government’s Zero Trust authorities at the Fall Briefing talking about the benefits of Zero Trust and how they can start to adopt these architectures.
GCH: ICIT recently published a report with DLT entitled “Modernization Requires Leadership.” Can you tell our readers a little bit about that report and its findings?
Parham Eftekhari: The report focuses on three key areas of modernization: threat intelligence, zero trust and moving to the cloud. The thread we use to weave those together isn’t just the benefits of modernization, but the role that leadership plays in ensuring the success of any modernization initiative.
If you look at the degree of success of any program or project, you can trace that success back to the leader and the team. It comes down to communication. What stakeholders are you getting involved? Are you bringing in other parties across the organization and getting buy-in from across the organization? Are you building a business plan? Articulating ROI? Are you doing more than just talking about how a move to the cloud will save you money and make you more secure?
It comes down to strong leadership to be able to connect the dots, articulate the value and build a strong value case or use case. We talked about these three core areas not just from a technology perspective but from a leadership perspective, and I think we make an interesting argument for not just the importance of these technology investments but the role that leadership plays.
So much has been written about going to the cloud, zero trust and threat intelligence, and we wanted to have a unique perspective on it because these things continue to be important to the success and resiliency of our government IT infrastructure.