Today, I’m attending Microsoft’s Federal Executive Forum 2015. The day is focused on applying technology solutions to many government challenges, particularly in the area of cybersecurity. But before we dove into the devices, systems, and solutions available to agencies, we heard from General Keith Alexander, former Commander of US Cyber Command, Director of the National Security Agency (NSA), and Chief of the Central Security Service.
General Alexander said that his time at NSA and US Cyber Command illuminated a number of major barriers to effective cybersecurity at agencies. He also described a solution to improve operations and coordination in the government and private sectors.
1. Inadequate Network Visibility
A primary barrier to security is the inability of many administrators to see the entirety of their networks. General Alexander impressed that this isn’t a technology issues. “A few years ago, it was an issue of technology but now there is technology to do this.” Instead, the challenge is creating an organizational structure that grants security personnel access to all the information they need to manage a network.
When they are blocked from necessary information, significant risks arise.. As General Alexander noted, “If you can’t see your network, hen how do you see threats and activity, so that people can run and seek action?” Moreover, because administrators can’t compile holistic information, they can’t share that information with other agencies who might be experiencing similar threats.
2. Training Discrepancies
Barriers to information also result in discrepancies between training personnel and enabling them to do leverage those skills. General Alexander explained that, commonly, those tasked with defending government networks are highly trained in security but not given the clearance necessary to analyze complex threat data. Conversely, those working on the offensive side to identify threats aren’t trained to combat them and they are restricted from sharing information with lower clearance levels who do have that training.
3. Lack of Appropriate Technology Adoption
Earlier, the Vice President of Microsoft Federal quoted Microsoft CEO Satya Nadella saying, “Our industry does not respect tradition — it only respects innovation.” General Alexander echoed that sentiment. Technology is changing at such a rapid pace that government can’t keep up.
The General offered the example of cloud technology. “Cloud allows you to handle your network better–to see it, to update it, to patch it, and to protect it,” he said. Yet government has not fully transitioned to the cloud, due to procurement challenges and administrator risk aversion. “It is far more elegant than where we are today,” he lamented.
4. Command and Control Mentality
Luckily, General Alexander said that the military has made great progress in correcting the command and control organizational structure, in order to enable greater information sharing between levels of security and between departments. However, many other government organizations remain delineated in how they tackle cybersecurity, creating unnecessary silos and a ladder of approval that delays action.
5. Ineffective Cyber Legislation
Finally, General Alexander called out the state of cyber legislation for being both incomplete and ineffective. Government could gain significant information, resources, and assistance from the private sector, and vice versa. Yet, current legislation prevents open information sharing of threat intelligence messaging. Cumbersome procurement channels and privacy walls prevent industry from providing solutions to government in a timely manner.
Conversely, government can’t assist private companies. General Alexander feels that government is the best ally for industry in the face of attacks from other states, such as when North Korea targeted Sony’s data earlier this year. “I believe that is an inherent government responsibility, but that can only happen with the right information,” he said. Yet legislation has not established effective collaboration channels; nor has it put safeguards in place to allow private organizations to safely assume the liability of following in-the-moment government counter tactic advice.
This last barrier, cyber legislation, is actually the key to confronting cyberthreats, according to General Alexander. “We need the ability to protect and the authority to [share information],” he said.
Naturally, one audience member asked what this legislation would look like. In response, General Alexander said that ideal legislation would:
- Create channels for government to effectively partner with industry, in order to maximize knowledge and resource sharing. These channels would, ideally, also allow government to act as a defender of the private sector in the face of attacks from other state actors.
- Allow government to takes risks, so that agencies can mimic the fail-fast best practices of the private sector and more quickly address threats. General Alexander emphasized that the ability to make mistakes is crucial if government is going to keep apace with technology innovation and evolving treats.
- Grant greater visibility into networks by allowing agencies to ascertain necessary information about threats from across their systems, personnel, and industry partners. General Alexander emphasized that this information would not be PII, but necessary threat intelligence messaging.
- Streamline the acquisition process to allow government to quickly procure and update technology as new solutions become available.
In conclusion, General Alexander said that, “It’s time to step beyond frameworks.” He called on agency leaders to advocate for legislation and consider new protocols that will make it easier for them to holistically manage their networks, rather than continuing to operate in the current, barrier-laden government cybersecurity field