The federal government should lead by example for the private sector and American citizens in how to properly manage cybersecurity, the U.S. CISO says.
Despite the fact that federal agencies are often thought to lag behind large, innovative commercial companies in tech stature, the government “should be setting the example for how organizations should look at cybersecurity,” Grant Schneider said this week at the Billington CyberSecurity Summit.
“We want the federal government to be an example,” he said during a panel with his predecessor as U.S. CISO, Greg Touhill, who held the White House post during the Obama administration.
Schneider’s argument for this came mainly from the federal government’s efforts to set cybersecurity policies and requirements and develop tools that bring agencies together in a unified posture against threats.
“Private entities look at the requirements that we put upon federal agencies, they’re all there for a reason,” Schneider said. “And it may be too many to ever get to, but the ability to understand the risk of your environment, trying to put tools out for the country to leverage, and then we want to set an example of how to leverage those tools and implement them within an infrastructure both through binding operational directives, through policies, through special pubs, through all the mechanisms and all the levers we have to protect your information when we’re holding it in the government.”
Agencies can “also serve as an example for how you can best protect your information as a citizen or as a corporation,” he said.
While the government doesn’t mandate anything for private sector companies, it’s good information for those firms to consider, said the panel’s moderator Phyllis Schneck, currently managing director at Promontory Financial Group. During the Obama administration, she served as deputy undersecretary for cybersecurity and communications for the National Protection and Programs Directorate within the Department of Homeland Security.
“Those are thoughtfully written and necessary, so look at the words the government is saying,” Schneck said.
Schneider pointed to binding operational directives (BODs) as an important development in the past five years as a key to government’s cybersecurity maturation since the 2015 Office of Personnel Management breaches. A 2014 law gave DHS the authority to issue BODs to agencies requiring them to take action “for purposes of safeguarding federal information and information systems from a known or reasonably suspected information security threat, vulnerability, or risk.”
Most recently, DHS’s Cybersecurity and Infrastructure Security Agency issued a BOD in April requiring agencies to fix vulnerabilities deemed critical within 15 days after discovery – as opposed to the 30 days that agencies previously had to address those flaws.
“I think the binding operational directives fill a really important void that we had before. We had laws and policies and NIST guidance, and every agency was told to sort of figure out what that all means and what to do about it and how to do it and how to apply it to their infrastructure,” he said. “And all those things have to be lowest common denominator, right, they have to be the same for more or less everyone and every enterprise. [But] the binding operational directives can be more tailored, more focused and more specific.”
BODs are also powerful in that they elevate conversations about cybersecurity to senior leadership and create a “recurring conversation,” he said. It can create engagement and conversations that CIO and CISO types “may have been screaming about in the basement for quite some time.”
Touhill agreed, “It’s important to have unity of command and unity of effort,” equating BODs to military orders — when they’re given, action is taken without question.
He added that the private sector is now looking to take advantage of BODs. “That subsidiary of benefit is really paying off to better protect critical infrastructure across the country.”
That said, he acknowledged they need to continue to evolve — they’re “a step in the right direction, but I think we need to be a little bit faster and agile on that.”