The 5 “Whys” for Stronger Cyber Security Governance at Federal Agencies
Cyber security is an issue of national importance, and it must be tackled collectively and at its roots.
The state of cyber defense, or the lack of it, was made evident by the Kaseya attack of July 2nd 2021. No entity, big or small, government or private sector, is safe from ransomware and related cyber security attacks.
First, we had the SolarWinds breach, then the Colonial Pipeline attack, and now Kaseya. Who, or what critical system or service, is going to be next?
While more may yet emerge about the Kaseya attack, what is already clear is that there is no quick-fix technical solution, nor any administrative or technical safe harbor, from attacks that threaten critical assets.
Technology solutions are only as good as their underlying management foundation. This article probes the merits of informed management, and of leadership honed by experience (not merely knowledgeable), in rooting out the critical flaws in most of the defense mechanisms already in place. The article is not aimed at discrediting or downplaying the attempts and actions undertaken by both government and the private sector to deal with these attacks. On the contrary, it seeks to highlight that more Leading, Managing and being Accountable (LMA) is needed, indeed critical, and more so than all the other cyber defense solutions presented and implemented today. To be clear, there are various forums and expert teams working in earnest to mitigate the major cyber attacks that are impacting our national interest.
We list the key areas still lacking in the effort to forge an effective defense against formidable and highly competent teams of attackers who are, by a wide margin, ahead of those defending cyber assets. One could surmise that these attackers are successful because of the expert leadership guiding their teams in these sinister pursuits.
Status Quo
More often than not, today's remedies are focused on people and technical solutions. In addition to doubling down on technical solutions, hiring more cyber security experts, adding more defense in depth, and moving from one vendor solution to another, IT and security teams are working in earnest to tweak and improve their various systems, performing vulnerability scans and penetration tests. However, scant attention and support go to boosting our own leadership assets in countering those who guide the attackers.
Hence the crux of this article points to the "WHY?" The root cause of the problem is that very few steps are being taken to focus on LMA, with the aim of empowering, at the highest leadership level, those who carry the heavy burden of protecting these assets.
Lead, Manage and Be Accountable
Currently, there is a recurring set of actions for dealing with cyber attacks. Corporations, law enforcement, government agencies, vendors, and experts all get involved to mitigate and restore, and then nothing more is heard about the attack. Even with the White House calling meetings and setting ransomware mandates, we still hear silence until the next attack. The same pattern repeats itself each time another significant attack comes to light.
By focusing on "how" to prevent attacks without recognizing the systemic management and leadership challenge, we are not spotlighting or addressing the root of the problem. A focus on management and leadership is the key, and an optimistic one, that could change the status quo.
Therefore, Makpar believes a fresh look at LMA is critical in both the government and the private sector because of the following five challenges. The reader is invited to offer their views, in keeping with the aims and sincere sentiments of this post, on how to make our cyber assets secure.
The 5 Whys:
1. There is inadequate and unclear accountability among those who need to be accountable, including those who lead and manage in the most senior positions. The national security and safety implications are underscored by the fact that the President of the United States and the White House are getting involved. However, the Executive branch is not the correct entity to find solutions -- that is the responsibility of the leaders of the respective agencies. With that in mind, funds and accountability are the two key items most often hampering an effective cyber defense, and both should be driven by experienced executives at the highest levels of government and the private sector. Authority and responsibility should be given to a few key people in the government and commercial sectors to enhance accountability. Currently there seems to be a dizzying number of government and private sector leaders showing varying degrees of LMA. Many well-meaning entities are showing leadership, but that in itself is the issue: when too many people are accountable, no one is. A select group of industry and agency leaders should be empowered, and then held accountable through a set of security KPIs or KRAs. This accountability should not be punitive; rather, it should empower leaders to become informed and to demonstrate their experience. A select set of leaders should be empowered to make wide-ranging funding decisions and be held accountable to a set of robust policies that will revamp the administrative, technical and physical security aspects of cyber defense. Leaders in the C-suite should also not delegate this accountability. Instead, they should demonstrate their digital competence and cyber security knowledge against a set of measurable criteria, leading by example and demonstrating LMA.
2. A lack of urgency in today's post-pandemic reality is making it harder for the C-Suite to come to grips with the "now normal." Understandably, some are still slow to react, or expect some return to pre-pandemic times (at least a partial reversal) when exposure and probabilities would fall. The behavior of the workforce, and in tandem the behavior of attackers, has changed. The larger threat surface, and even more so the bad and/or misguided behaviors of the workforce, have increased the threat of infiltration and attack. Leadership has not reacted with urgency by directing and overseeing improved practices. Working from home (WFH) and the resulting overload on corporate VPNs, for example, combined with the move to the cloud to deliver services to a remote talent and client base, are a few of the areas that have exponentially increased the threat surface. No number of back-to-office plans, nor any throttling back of cloud migration, is going to change the trajectory or frequency of attacks.
3. Creating a "New Deal" with vendors, integrators and service providers will advance the overall security of critical assets, which are mostly in the hands of private entities. Related to both points above, there has been no new social contract between vendors and principals, i.e. Federal authorities. Understandably, we are driven by the market and by profits. However, sound policies and agreements based on shared responsibility for protecting our vital national assets do not hinder the market or profits -- in fact they will strengthen both. Currently, there is no tangible evidence of "two-in-a-box" accountability between vendors and the agencies they serve. There are no new RFP formats focused specifically on security, and no contracts with security-focused SLAs carrying penalties (and rewards) for safeguarding mission-critical infrastructure. Some mechanisms are being introduced, including the Cybersecurity Maturity Model Certification (CMMC), to get our arms around the procurement of services and systems that meet a higher security threshold. However, these mechanisms are only as good as the buy-in, the enforcement and, more importantly, the joint oversight by principals and vendors, which would require significant agreements between the parties to ensure a better cyber defense.
4. A lack of openness and transparency in cyber security defense points to the need for "Black Box" thinking akin to the airline industry, where transparency has led to safety. While some debate transparency in this context, CISA, which initially opposed transparency, has come out in support of Trusted Transparency. Kerckhoffs's principle and Shannon's maxim both articulate this, holding that a system should not depend on the secrecy of its design, and point to how transparency leads to better security. The airline industry has aptly demonstrated this for years. When there is an air crash, the investigation and the proceedings are made public, everyone learns, and the industry convenes to make air travel that much safer, ultimately winning the confidence of the flying public. Despite all the evidence in favor of transparency, it remains a challenge in the cyber security industry.
What is important to note is that there are attempts to double down and build a realm of Trusted Transparency. But until policymakers make this a priority, critical learnings will remain hidden within silos. Incidentally, mandates for a transparency culture, in which everyone learns, shares knowledge on how to mitigate, shares resources, and plans for the good of the public, have begun to take hold in the healthcare industry, which is great news for the public.
5. A lack of digital savviness, leading to an inability to craft governing cyber security (digital) policy, is also a significant challenge. By most accounts, most members of the C-Suite are digital migrants, with the exception of a few who are admittedly experienced. While not necessarily a drawback in days past, it becomes a problem when the C-Suite lacks a significant presence of people with real digital experience -- let alone the ability to protect digital assets. As one of Makpar's cyber security experts recently put it, technology always moves faster than policy. This gap widens when real-world cyber security experience is absent at the highest levels of organizations. This lack of digital experience leads to delegating the "security solutioning" to others down the chain of command, including the CISO and/or the CSO. The CISO and/or CSO do not hold sway over funding, nor should the buck stop at their desk. This is basically an abdication of the responsibility and accountability of the CIOs, or of those at the highest levels of agencies. This could well be the biggest "why" highlighted in this article.
In summary, the propositions above are deliberately focused narrowly on the importance of Leading, Managing and being Accountable for cybersecurity at the highest rungs of our leadership. It is a difficult subject that needs to be broached, and at the very least debated, if we are to overcome what some naysayers believe are insurmountable challenges. Holding our leaders accountable is not an affront; it is an affirmation that our leaders carry a heavy burden to protect us from cyber attacks and need our support. We need to pause and encourage an open, honest and direct conversation on WHY we cannot demonstrate significant progress against cyber attacks before we continue with only the "HOW."