A couple of weeks ago, I had the opportunity to participate in a webinar with Rod Turk, the Chief Information Officer at the Department of Commerce, and Ross Dakin, a Presidential Innovation Fellow at the newly formed Technology Transformation Service. Along with our host, Sean Waterman, from FedScoop, we had the opportunity to really dive into one of the biggest headaches faced by all government agencies – how to secure endpoints from cyberattack.
Bringing together cybersecurity professionals from different backgrounds always ensures a lively conversation and, in the case, our group was well balanced with each of us bringing experience from the public sector as well as the private sector to the conversation. In an era of technological innovation and agile development, which government agencies are embracing wholeheartedly, being able to marry perspectives is particularly important since it eases the path to success. So, for our group – Commerce’s Rod Turk has more than 10 years of executive experience across several agencies including the U.S. Patent and Trademark Office and the Department of Energy, while Presidential Innovation Fellow, Ross Dakin, is brand new to public service and brings with him the verve of startup life and I’m in the middle with part of my career spent as part of the US-CERT team and part in the private sector, with innovators like Tanium.
At the beginning of our conversation we all agreed that data is what drives the attacker. Every endpoint becomes a potential attack vector since it is perceived by the attackers as the gateway to the data. For each agency there are hundreds of thousands of endpoints to track and defend, which is why cybersecurity becomes such an overwhelming and complex task. This is particularly true during a period of rapid modernization like many government agencies are currently in as they meet mandates and move more mission critical activities accessible via the Internet and through apps. Two key vulnerabilities introduced by modernization are that for a period of time data often resides in two places – doubling the number of potential attack surfaces – and as a new platform is rolled out data security policies might not be as robust as required out of the gate.
Rod Turk offered his strategies for mitigating security vulnerabilities during periods of transition. His first tip is to know where data is and, in turn, to have an accurate map of your architecture. For Turk, architecture refers not only to what physical systems and endpoints you have, how they connect to each other and the data, but also who has access to those endpoints. He said the Department of Commerce has an important advantage in the fight against cyber attackers, including their partnership with the Department of Homeland Security to leverage the CDM. The CDM program enables Turk’s team to continuously monitor endpoints and integrate information from tools to provide a more complete and accurate picture of the security of the department’s entire infrastructure.
At the mention of agile development Ross Dakin shared that the Technology Transformation Service, part of the U.S. Digital Service, is encouraging agencies to explore cyber security strategies such as Bug Bounties and Open Source code, which effectively makes ‘everyone’ part of the agency’s cybersecurity team. The Defense Digital Services is running a pilot program this month with their Hack the Pentagon initiative which offers up to $150,000 in bounties for verified identification of security vulnerabilities.
Both Dakin and Turk had many more valuable insights to share during our conversation – from why agency IT leaders should consider microservices architecture in pursuit of more robust cyber security to the importance of engendering a culture of security throughout an agency. If you’re interested in hearing our full conversation you can catch it – and download a copy of the slides – here.