We have promising cybersecurity strategies, now the hard part: implementation

We have promising cybersecurity strategies, now the hard part: implementation
© Getty

The Trump administration recently published two papers defining its cybersecurity vision and strategy for the nation. While many of the broad objectives for protecting U.S. interests in cyberspace are not new, some specific actions are worth noting.

Department of Defense cyber strategy

The Pentagon released an unclassified summary of its 2018 Department of Defense Cyber Strategy, an update of a 2015 document. As with the previous strategy, it calls on DOD to play a leading role. But of interest is the new emphasis on “defending forward” and utilizing “offensive cyber capabilities and innovative concepts… across the full spectrum of conflict.”

This represents a shift from the department’s position of just a few years ago, when its public focus was entirely on defensive cyber operations. By pledging to “disrupt or halt malicious cyber activity at its source,” DOD is serving notice that it will do whatever is necessary to prevent adversaries from attacking U.S. interests in cyberspace. 

ADVERTISEMENT

The 2018 strategy places great importance on the need for innovation “to keep pace with rapidly evolving threats and technologies in cyberspace.” It seeks a culture “that fosters agility and innovation” to successfully defend the U.S. in the cyber warfighting domain. The strategy also speaks of the need to leverage automation and employ commercial-off-the-shelf (COTS) cyber capabilities.

We’ve seen these commendable objectives before, but the DOD culture – and indeed the IT acquisition process itself – has often caused the department to fall short of achieving them.

It is encouraging to see the strategy specifically state that DOD “will reduce the time it takes to procure software and hardware in order to keep pace with the rapid advance of technology.” It also says that the department:

“…will identify opportunities to procure scalable services, such as cloud storage and scalable computing power, to ensure that our systems keep pace with commercial information technology and can scale when necessary to match changing requirements. [DOD] will also leverage COTS capabilities where feasible to reduce our reliance on expensive, custom-built software that is difficult to maintain or upgrade.”

These strong commitments need to be backed up by the statutory and administrative changes necessary to reform the military’s cyber acquisition process and to strengthen DOD cyber policies and operations.

National cyber strategy

The White House also released the National Cyber Strategy, which had its genesis in President TrumpDonald John TrumpTrump rips Dems' demands, impeachment talk: 'Witch Hunt continues!' Nevada Senate passes bill that would give Electoral College votes to winner of national popular vote The Hill's Morning Report - Pelosi remains firm despite new impeachment push MORE’s May 11, 2017 Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.

The document is a lengthy elaboration on the importance of cybersecurity to our nation, accompanied by a long list of objectives and promises of action. That, of course, is the key to any government strategy – action.

Defining problems and stating objectives is one thing; getting the government to pull together and take action is another.

There are several items worth highlighting:

  • It emphasizes the importance of risk management to government cyber practices and the protection of American critical infrastructure. While failing to reinforce the value of the NIST Risk Management Framework (RMF) and Cybersecurity Framework (CSF), it’s still a net positive that risk management was afforded such prominence.
  • It pledges to expand the work already begun to transition agencies to shared services, including the cloud. This initiative is vital to government’s IT modernization and to providing more secure, cost-effective services to the public.
  • Under the broad objective of prioritizing innovation, it states that the government “will promote implementation and continuous updating of standards and best practices that deter and prevent current and evolving threats and hazards in all domains of the cyber ecosystem.” This standards-based approach to cybersecurity is commendable, but it should be accompanied by a commitment to greater use of COTS compliance and monitoring tools for automation throughout the enterprise, not wasting resources on government-off-the-shelf capabilities which compete with COTS and will ultimately serve to stifle innovation.

Growing the cyber talent pipeline

Both strategies recognize the need to “develop a superior cybersecurity workforce,” beginning with educational initiatives at the primary and secondary levels to “promote science, technology, engineering, mathematics, and foreign language (STEM-L) disciplines.”

ADVERTISEMENT

There is a huge and growing demand for cybersecurity professionals in the public and private sectors. To grow the cyber talent pipeline, there needs to be a push at the federal, state and local levels to encourage students to view cybersecurity as a potential career and to provide the training necessary to build America’s future cyber workforce.

The administration’s goal of supporting cloud-based enterprises can also help address our cyber workforce shortage. Migrating to the cloud will centralize certain security functions and, through standardization, reduce the number of unique skill sets required, thus lessening the technical burden required of cyber warriors.

These two cybersecurity strategies serve as a comprehensive road map for future cybersecurity efforts. But it will require an equally comprehensive set of specific actions to achieve these worthwhile goals. Many of those actions are spelled out in the strategies, and should be implemented without delay by Congress and the Trump administration.

Government now has a cyber road map – let’s step on the gas.

John B. Wood is CEO and Chairman of the Board of Telos Corporation, a leading provider of continuous security solutions, including to agencies of the federal government. Follow him on Twitter @john_b_wood

Robert DuPree is manager of government affairs at Telos Corporation. Follow him on Twitter @RFDuPree