Last fall’s massive Equifax breach, which exposed the personal data of more than 145 million Americans, took place just months after the credit agency failed to act on a direct warning from the Department of Homeland Security about a vulnerability in its web software. Breaches and compromised credentials are always a wake-up call, but many cybersecurity experts hoped this particular breach would have a more lasting effect: prompting Congress and the President to finally fix the country’s confusing and ineffectual data security laws and get serious about national cybersecurity.
Four months later, it’s clear we were overly optimistic.
There is a lack of discipline and follow-through in the government when it comes to tackling the cyber crises we face on a global scale. While Trump’s cybersecurity executive order last May seemed like a step in the right direction, the order did little to create formal policies or put a concrete plan in place for how to confront cyber warfare. It left open the question of what exactly the administration intends to do about what is arguably our fastest-growing threat.
To make matters worse, eight members of the 28-member National Infrastructure Advisory Council (NIAC), which advises Homeland Security on matters of cybersecurity, resigned en masse last fall. But the most conspicuous vacancy of all: over a year into Trump’s presidency, the administration has yet to fill the federal CISO post, and it’s unclear whether it ever plans to. The government is left without a leader at the helm to implement security policies and practices and ensure that the United States’ cyber infrastructure is protected from nation-state and other malicious actors.
It’s time to get serious about a federal CISO.
The government is an enterprise
May’s executive order aimed to move as much of the government’s IT as possible to the cloud and to shared services, creating a single consolidated infrastructure for federal networks. Under this mandate, 190 different government agencies will be operating on shared services. This long-overdue move is certainly a step in the right direction as the government looks to defend its networks against outside attacks.
The government is, in essence, an enterprise, and the CISO vacancy is a vital piece missing from this puzzle. An enterprise’s customers, investors and employees would quickly take note if no IT security plan was in place and no leader was in sight — yet here we are.
The cybersecurity executive order placed responsibility for risk management in the hands of each agency head, a counterproductive mandate given the administration’s plan to transition to a consolidated network. If the government hopes to improve its cyber infrastructure and centralize risk management, it needs a leader at the helm to oversee implementation and enforcement of this plan — it needs a federal CISO.
The data treasure trove
While the cloud certainly offers unprecedented benefits in cost and efficiency, it is also a fast-growing, ever-evolving hotbed for malicious activity. To put it in perspective, the average organization has 1,022 cloud services in use, and almost 94 percent of these lack proper security controls, meaning they can serve as a channel for malware or let an employee accidentally share PII across the wrong accounts and cloud services.
This is especially concerning when we look at an enterprise-level federal cloud environment. The Trump administration is bullish on increasing cloud adoption in the public sector, but without a CISO there is no guarantee that data will be properly controlled, contained, or monitored, and it is at risk of falling into the hands of nation-state actors, vindictive insiders, or anyone else looking to act maliciously.
A federal CISO would also recognize that security is as much about risk mitigation — understanding people and processes — as it is about having the right technology in place. It’s just as crucial that the administration educate federal employees about best practices as it is that it set up technical barriers and block risky activities. Without proper education, employees lack the discipline needed to share and sync data securely, and may even lack the wherewithal to recognize a sophisticated phishing scam.
Endangering critical infrastructure
A CISO can also help reinforce the security of the nation’s critical infrastructure. According to a recent MIT report, vital economic systems like electricity, finance, communications and oil/natural gas are highly vulnerable because of aging control systems, the risk of access by third parties, and a regulatory focus on compliance rather than security.
Politically motivated, nation-state attacks like the NotPetya attack on Ukraine (ostensibly ransomware, in practice a destructive wiper with no working recovery path) and the WannaCry ransomware outbreak that crippled Britain’s National Health Service quickly spread around the world, including into the U.S. Yet our critical infrastructure remains a sitting duck. At this point, it’s only a matter of time before an attack on our vital economic systems comes our way.
Without someone to create, implement and enforce policies that close the vulnerabilities in sectors like electricity, finance, communications and oil/gas, these systems are defenseless against anyone looking to wreak havoc, and could be knocked offline entirely in the event of an attack. As more of our critical infrastructure is connected to the internet, it’s crucial that the administration act to protect and secure these systems.
Bringing in the private sector
The president himself cannot tackle these threats alone, nor can a single executive in the CISO role. Government agencies can’t act as separate entities when tackling cybersecurity — we need to bring in more players to ensure that security policies, plans, and education tactics are universally adopted, implemented, and enforced across the government. Since the government is now operating as an enterprise, we need enterprise leaders to set an example and light the way.
Should the CISO vacancy continue to go unfilled, it’s crucial that the administration make good on its promises to partner with private companies to bolster cybersecurity. The federal government, like the public sector more broadly, has traditionally lagged in understanding and adopting security best practices, which makes a public-private partnership an important step. Until cybersecurity policy is set from the top down, it’s time for private companies to get ahead of this before it’s much too late.
Sanjay Beri is founder and CEO of Netskope. He has held leadership positions at Juniper Networks, Ingrian Networks, McAfee and numerous other companies.