New CISO’s Strategy Aims to Boost Cyber Security at Every Level of Government
Though the new Federal Chief Information Security Officer could be out of a job shortly after the election, he’s making his case for “a complete tour” and rolling out plans to improve cyber awareness across the government and even the nation.
Gregory Touhill, appointed the nation’s first Federal CISO in September, acknowledged that as a presidential appointee, his term would typically have a “Cinderella” close in January. But Touhill told a military, government and industry audience at the AFCEA Cyber Summit in Washington Oct. 11 that his vision extends well beyond the end of the Obama administration.
“I’m playing it for the long term,” said Touhill, a retired Air Force brigadier general, who spent the prior two and a half years as deputy assistant secretary for cybersecurity and communications at the Department of Homeland Security.
First on his agenda: establishing a Federal CISO Council, which holds its first meeting Oct. 28. Modeled on the Federal Chief Information Officer Council, the new council is supposed to increase cooperation, collaboration and shared situational awareness across the federal government’s CISOs. A Cyber.gov website will be launched within weeks to share the results of the council’s work and to be “a one-stop shop” for cyber information for the wider community of interest.
Indeed, looking to that wider community, Touhill said he’s working on creating a nationwide cyber advisory council for CISOs from state, local and tribal governments to help them share information as well.
These programs fit within a broad, five-point strategy he outlined that aims to increase the quality and effectiveness of federal cybersecurity programs:
- Harden the workforce. He outlined a vision for education and training across the government, including a plan to hold table-top exercises for every incoming cabinet secretary.
- Treat information as an asset. “Too often we’ve tried to defend everything equally,” Touhill said. “Our info assets aren’t equal. … I don’t want to spend $10 guarding a $5 system.”
- Do the right things the right way. He criticized the government’s emphasis on compliance over best practices, and promised to change the culture – and the regulations – to make that possible.
- Continuously innovate and invest wisely. Saying he thinks every imaginable cyber tool has been purchased somewhere inside the federal government, Touhill also suggested many of those tools and programs are not being used properly or effectively. “You wouldn’t run a business this way. Why do we run a government this way?”
- Make informed cyber risk decisions at the right level. Risk decisions that should be made “in the board room” are instead being made in the server room. “We have to do better,” he said. “What gets measured gets managed. We have to leverage metrics that drive decisions, and get them in front of the decision makers. … A risk that can’t be articulated and measured won’t be addressed properly.”
Touhill said he wants to develop cyber education programs that will engage the workforce and to include training programs that replace annual reviews with ongoing exercises. For example, he said, he plans to develop tabletop cyber training exercises for incoming cabinet secretaries and deputies to help them understand potential cyber events and work through responses with their senior teams. “I think we can cover some pretty good ground in an hour desktop exercise,” he said. “It makes a really good intro to their chief information officers and CISOs.”
“We really look at what we’re measuring,” and focus people on the right metrics for their particular place and focus in the government. “Some [measures] are appropriate for local management, some that are appropriate at the operational level, and others that are appropriate at the strategic level.”
Touhill promised to launch a Cyber.gov website within the month and to develop programs to hunt for bad actors and unsafe practices on government networks; improve penetration testing; and expand the use of “bug bounties” as a means to identify vulnerabilities across the .gov domain. He even wants to create a cybersecurity mascot along the lines of Smokey Bear (“Only you can prevent forest fires.”)
He criticized government failures to maintain and update software and systems in an organized and systematic manner and for failing to fully understand that some information assets require more protection than others.
Managers and executives must work to fully understand and manage cyber risks by their merits, rather than try to comply with every rule and regulation still on the books. “I don’t believe that compliance is always the right approach,” he said. “We’re going to change the culture toward best practices.” The difference, he explained, is that “we have a lot of old policies out there, such that if you follow the policy from 2003, you may be in compliance but you’re not following best practices.”
Old policies are being reviewed and retired, he said, and new programs will be rolled out. “We want to make sure our workforce and the folks who are implementing these changes are well educated and trained, because a risk that can’t be articulated and measured won’t be addressed properly.”
Guidance will be issued, for example, on how to assess risk for agencies’ annual Federal Information Security Management Act (FISMA) assessment.
“We’re focusing on risk vectors,” Touhill said. “What’s the impact on national security? What’s the economic impact? What would the impact be on trust and reputation? How do you measure that? All of these risk constructs need to be incorporated to manage cyber risk inside the federal government.”
Touhill promised to deliver more specifics in the coming weeks as his Federal CISO Council comes into being and as more details are worked out. Quoting Adm. Mike Rogers, head of Cyber Command and the National Security Agency, in calling cyber “a team sport,” Touhill said he intends to partner with other agencies in government, including the National Institute of Standards and Technology, the Department of Homeland Security, Cyber Command and others. “We’ve got a lot more work to do,” he said. “We’re going to do it in a collaborative manner.”
Touhill is on the right track, said Michael Baker, CISO at General Dynamics Information Technology. “In every organization, not just in government, but also among those managing and helping to secure critical national infrastructure, it’s essential to focus attention on risk factors and to mitigate risks where they start. But while attending to known risks is essential, it’s even more important that we focus on and mitigate hidden risks that may not have attracted anyone’s attention yet. That’s harder to do and especially harder to measure. But it’s where having experience and expertise pays off most.”