Secretary of Homeland Security Alejandro Mayorkas laid out six sprints the Department will undertake to help strengthen government security. Members of Protocol's Braintrust gave their advice on how to lead them.
Good afternoon! Last week, Secretary of Homeland Security Alejandro Mayorkas outlined the Department's plan to lead six 60-day cybersecurity sprints aimed at improving government systems and processes. We asked the experts to think about the best ways to lead them, either by focusing on one initiative in particular or by taking a wider view and highlighting the way to make them all work in conjunction with one another. Questions or comments? Send us a note at firstname.lastname@example.org
President of CrowdStrike Services and CSO at CrowdStrike
I applaud Secretary Mayorkas for proposing this plan in an effort to fortify our government's cyber defenses. My advice for teams leading a sprint is to embrace new technologies in a twofold manner. As we have seen recently, malicious actors now favor identity-centric attacks that allow them to remain undetected in an organization's network for lengthy periods of time as they camouflage their activity with legitimate credentials. Within every government system, no identity can be trusted unconditionally, and that requires constant vigilance and vetting of every user and every access request. Agencies must implement an identity-centric and data-centric security strategy with a mature zero trust architecture that is dynamic and end-to-end, automating workflows to ensure verified access across endpoints, networks, workloads and devices.
Additionally, agencies must embrace the cloud to scale to connect to every user no matter where they are, instantly, and integrate identity into endpoint security. This is especially salient in the current state of the COVID-19 workforce, with workers operating both in office and remotely. The focus now needs to be on modernizing security strategies to make mass cloud adoption, which was accelerated by the COVID-19 crisis, sustainable. Traditional antivirus is no longer effective in securing distributed workforces as they access business-critical information and applications from various networks and cloud applications from multiple devices.
Finally, there needs to be more actionable intelligence-sharing between the public and private sectors. Through this exchange, agencies will gain access to critical intelligence that will allow them to take a risk-informed approach to defense, enabling them to better defend their organizations against malicious adversary activity.
Director of Strategic Threat at Darktrace
I have seen firsthand how effective focused project sprints are to accelerate progress and tackle complex national security problems. However, the sprints are only as good the progress made in those 60 days and require commitment and accountability throughout. In my experience as a national security advisor, I would advise the cybersecurity sprint teams to:
Commit to the Sprint: Sprint team members are inevitably going to be pulled from their everyday roles. Identify the right talent from across or outside the organization and ensure those individuals, as well as their managers, commit to the sprint as their key priority for the next 60 days.
Embrace Technology as an Enabler: Technology is an ally, and should be leveraged as a component of each sprint, or there could be a standalone technology sprint running in parallel. Existing AI solutions in the private sector are already proving to help detect and respond to ransomware, improve industrial control system resilience, safeguard transportation data and can even help in the workforce sprint efforts.
Schedule Weekly Senior Accountability Sessions: Each sprint leader should hold a weekly session attended by the most senior DHS leaders possible. The meeting should be tightly focused on what was accomplished in the last week, goals for the next week and any obstacles faced. The senior leader's presence offers someone that can more easily remove roadblocks, ensures accountability for progress made and regular meetings enable teams to clearly see if objectives are being met.
CEO at Absolute Software
It's encouraging to see the continued emphasis DHS is putting on cyber initiatives — the challenges of which have hit federal, commercial and academic organizations extremely hard over the last few years. COVID-19 accelerated digital transformation across these sectors, including the distribution of their workforce in masse — all of which illustrates why resilience is becoming one of the most critical capabilities and a must-have for any security strategy.
Secretary Mayorkas's emphasis on cyber hygiene is a critical to achieving cyber resilience for the nation. We know that adding more security technology on its own will not stop all attacks; the attack surface for bad actors is only getting bigger, not smaller. We also know that digital transformation in the form of increased connectivity is the future and remote work, in some form, is now a part of how we will operate. Enabling the remote workforce and protecting your organization means managing and securing devices, data and applications at the endpoint. And ensuring both security and resilience at the endpoint are critical components of cyber hygiene.
In order to shape and secure the post-COVID economy, we need to ensure enterprises, federal agencies and schools are connected, resilient and able to continue operating — even if under attack. We cannot not stop malicious actors or achieve a completely risk-free environment. But, by continuing to innovate, fostering a sense of shared responsibility and collaborating with the private sector we can ensure we are "resilient-ready" — which is becoming a critical KPI moving forward.
Research Scholar at the Stanford Internet Observatory
A 60-day sprint occurs in the context of bigger, longer-term efforts and can help shape what those efforts look like. Of the six focus areas named by Secretary Mayorkas, one where I see a lot of current opportunity is the cyber workforce. The U.S. has a labor shortfall of hundreds of thousands of jobs in this field, and worldwide that number is something like 3 million. At the same time, we're trying to rebuild from a devastating (and ongoing) pandemic that caused both record job losses and a sharp uptick in cyber crime. The new Congress and new administration have shown a willingness to make big plans to help Americans recover. I see this as a perfect opportunity for the government to kill two birds with one stone by launching an ambitious jobs program to re-skill American workers into the cyber sector.
CEO at Rapid7
Secretary Majorkas's remarks on DHS's cybersecurity preparedness efforts were timely and well-considered. However, I am puzzled by reports that the Biden Administration's infrastructure plan does not include cybersecurity funds or standards for critical infrastructure. In light of this, and as part of the agency's sprints on industrial control systems and transportation security, I would strongly recommend that DHS work closely with Congress to integrate sustained cybersecurity-specific funding and requirements in the infrastructure legislation.
Many of the threats to U.S. critical infrastructure are persistent, pervasive and well-known. As the secretary noted in his remarks, the incident at the Florida water treatment facility, ongoing attacks against healthcare providers, election security threats and severe compromises to government systems are all recent reminders of the sobering risks U.S. critical infrastructure faces. Though strengthening the government's own security will help, about 80% of U.S. critical infrastructure is held by the private sector. While improving US critical infrastructure cybersecurity requires many components (such as workforce, information sharing, etc.), Congress should also consider mandatory security processes and safeguards as a condition of funding for modernization. As the lead federal agency for critical infrastructure cybersecurity, DHS will be a powerful voice in this conversation.
Any requirements for critical infrastructure cybersecurity should be based on risks, tailored to the specific sector, and be neither unduly burdensome nor unnecessary. However, as the window for passing infrastructure legislation shrinks, the government should also act with urgency to ensure security is accounted for. We have repeatedly seen the severity of cyber risks to critical infrastructure in the past six months. Upgrading our infrastructure will substantially increase our technology footprint and make existing unaddressed weaknesses even more dangerous. It will be an enormous missed opportunity and potential long-term problem if we fail to integrate security from the start.
Kevin McAllister ( @k__mcallister) is a Research Editor at Protocol, leading the development of Braintrust. Prior to joining the team, he was a rankings data reporter at The Wall Street Journal, where he oversaw structured data projects for the Journal's strategy team.
More from Braintrust