Written by Tajha Chappellet-Lanier
In a world where securing just one organization against cyberthreats is a massive job, Donna Dodson’s role is still more broad.
As the chief cybersecurity adviser at the National Institute of Standards and Technology, Dodson is tasked with thinking about security at a standards and practices level. What does good cybersecurity practice look like? And how will this change as more and more devices come online?
The latter question is one Dodson is especially fixated on. Because tech will undoubtedly continue its rapid development, she says, it is incumbent upon us to consider what additional challenges the future holds and what tools we’ll need to meet those challenges. We asked Dodson to expand in a recent FedScoop Q&A, a new series of interviews with top federal IT executives.
Editor’s note: The transcript has been edited for clarity and length.
FedScoop: Briefly, what do you find is the most critical part of your job right now?
Donna Dodson: From my perspective as the chief cybersecurity adviser at NIST, the most critical part of my job is looking strategically at the changes we’re seeing across the digital infrastructure, the changes in the threat environment and the existing vulnerabilities and ensuring that our research and development program for standards and practices is actually addressing that changing landscape that we see today.
And what do I mean by that? You know, we used to have desktops that were attached to local area networks and there was a perimeter around an enterprise and protecting that perimeter was critically important. In today’s world, with the digital infrastructure, we’re seeing compute power pop up in all kinds of places where those boundaries don’t exist. So the platform is changing, and how we’re using technology is advancing.
FS: Is there any topic in federal technology right now bigger than cybersecurity?
DD: You’re seeing that change in infrastructure, we’re seeing cyber-physical systems being connected within government and really across the nation, and that changing infrastructure, to me, holds all sorts of opportunity and innovation, and then the question is how do we use innovations in cybersecurity to protect that evolving infrastructure and that evolving environment. So I think that change in environment is equally as important in the federal government as cybersecurity. Cybersecurity just for the sake of cybersecurity is not an effective paradigm.
FS: What challenges keep you up at night regarding cybersecurity?
DD: I think ensuring that we have strong cybersecurity capabilities, strong cybersecurity solutions for that evolving infrastructure and that change in compute platform. We’re doing a lot of work at the NIST Cybersecurity Center of Excellence to be able to demonstrate out for these different business needs how you can use standards-based cybersecurity capabilities.
Think about how much you do on your mobile phone today if you don’t have access to your laptop. If you can’t get to your laptop, that probably doesn’t impede you actually working — you can do what you need to do with your phone. And as we’re creating more and more connected devices, we can do more and more. And ensuring that we have the right cybersecurity capabilities to protect that environment is something we spend a lot of time on here at NIST.
FS: How can the U.S. government do a better job protecting its systems and Americans’ information? What is needed?
DD: The administration is thinking a lot about this today and the federal agencies are coming together. And I think as part of that, as part of the government continuing to be able to partner with the private sector and come up with capabilities that have standards baked in for our cybersecurity needs. I think it’s that partnership between government and industry that can really make a big difference here.
FS: What isn’t talked about enough regarding cybersecurity?
DD: Cybersecurity is really about people, policy, process and technology. And I think we need to look at all of those, not just the coolest new technology.
And another area that I think gets lost is being able to consider the users of technologies as part of the system. So NIST has not just computer scientists but also social scientists working on projects in our information technology lab to ensure that we think about how are we going to make it easier for users to do the right thing and harder for them to do the wrong thing and easier to back up if they do the wrong thing. Which I think is critically important.
The other area that I don’t think we talk enough about is that when we’re looking at what our requirements are, we often look for a perfect solution. But we don’t think enough about, if something goes wrong, how we’re going to detect, respond and recover from that. That resiliency aspect of things sometimes doesn’t get as much focus.
FS: What advice do you have for others regarding cybersecurity?
DD: Building a team that can be innovative and think not just about where we are but where we want to go takes some diversity. And constructing teams with different points of view adds tremendous value, so we can think about what happens when everything does go right but we can think about those edge cases as well. Having a diverse team allows you to do that.