President Biden has proposed injecting up to $9 billion to help bolster the Technology Modernization Fund. What should this $9 billion be spent on? Where could it be most effectively utilized to secure our nation, and what is the current state of the country’s cyber workforce?
To get answers to these questions, we recently sat down with Don Maclean, the Chief Cyber Security Technologist at DLT and a frequent contributor to the GovCyberHub. Here is what he told us:
GovCyberHub (GCH): The Biden Administration recently proposed adding $9B to the Technology Modernization Fund. What recent events and trends make this additional funding essential right now?
Don Maclean: The SolarWinds hack is clearly a wake-up call for government and industry alike. Modernization is not – strictly speaking – aimed at cybersecurity, but it offers a rare chance to reevaluate all aspects of an organization’s technology profile, including security.
We expect many agencies to modernize through cloud adoption, likely resulting in hybrid or multi-cloud deployment. Such architectures are newer but entail their own security challenges.
GCH: Should this new funding come to pass, what areas would you consider a priority for investment?
Don Maclean: I hope that agencies looking to modernize their IT installations would address both foundational and innovative technologies for security. A comprehensive modernization program is a major inflection point, offering a rare chance to implement a similarly comprehensive approach to security: zero trust.
GCH: What new security technologies, policies, and capabilities should agencies be considering and leveraging these dollars to acquire?
Don Maclean: I would ask agencies to look at micro-segmentation and software-defined networking as one relatively new technology for zero trust implementation.
The SolarWinds hack involved supply-chain compromises, as well as credential theft. Consequently, it makes sense to look at technologies that can secure credentials and can identify compromises to installed software.
GCH: Additional funding is also being earmarked for growing the federal cyber workforce. What is the current state of this workforce? Are agencies appropriately staffed and equipped to address the current threat landscape that they face?
Don Maclean: The shortage of trained cybersecurity workers is a perennial problem in both the private and public sector, but the latter suffers more acutely from the problem. The problem is difficult, but there are several viable solutions that come to mind.
First, they need to commit to offering better pay. In many agencies, the bulk of the cybersecurity work is done by contractors. Agencies can control pay rates through contract vehicles, and should look askance at bidders who offer labor rates that are significantly lower than industry standards.
Second, they need to invest in training. Contractors and government agencies can – and should – collaborate to provide ongoing, high-quality training to their security staff.
Third, embrace a careful, deliberate approach to outsourcing. Some – and I emphasize SOME – aspects of security can be outsourced to a cloud provider. However, the agency is still responsible for the overall security of their systems and must, therefore, have trained and knowledgeable staff who know where, and with whom, security responsibilities lie.
Fourth, they need to embrace automation. Even a large, well-trained staff cannot handle the flood of data issuing forth from devices and systems of all kinds. Any means of automating will be superior to manual work and also free up staff from tedious, repetitive tasks.
Fifth, they need to reevaluate their messaging. The security industry – as a whole – must present the cybersecurity field as an exciting career, where young professionals can make a positive impact.
GCH: How competitive is the government right now for top cyber talent, and what would they need to do to better compete with the private sector for this talent?
Don Maclean: In terms of pay, the government is at a disadvantage. Private industry simply has more discretion when it comes to offering higher compensation for security professionals. The government must compensate by emphasizing the intangible rewards of working in cybersecurity for the government.