When it comes to cybersecurity, engineering your way to a more secure environment is a very important step. But according to John Banghart, Director of Federal Cybersecurity at the National Security Council, technology isn’t the only solution.
“I want to focus on people and priority, as opposed to technology,” Banghart said. He was speaking at GovLoop’s in-person cybersecurity conference, held Wednesday, April 30 in Washington, DC.
John Banghart speaking to the audience on Wednesday. Photo by Jean Qiao
The Motivation: Inconsistencies Across Government
Banghart began his discussion with Wednesday's audience by using the recent Heartbleed vulnerability as an example of the current shortcomings in the government's cyber response strategy.
The National Security Council's first step after Heartbleed was announced was to figure out the government's exposure to the vulnerability. Widely cited reports at the time put the figure at 66 percent of websites, though that number reflected the share of web servers running OpenSSL-based software (Apache and nginx) rather than confirmed vulnerable sites. Either way, governments host a great many websites.
“That actually turned out to be a very hard problem,” said Banghart. “What we found was that there were wild inconsistencies in agency management of cybersecurity.” Banghart attributed these inconsistencies to a number of factors:
- Variation in the resources allocated to cyber defense.
- Variation in subject matter expertise and training.
- Whether the agency had a security operations center at all.
“Even after two weeks, we still did not have a complete picture,” he said.
The Lesson: Situational Awareness and Prioritization Are Key
1. Situational Awareness
One clear lesson from the Heartbleed experience was the need for a Continuous Diagnostics and Mitigation (CDM) program, which is currently a top priority for the federal government.
“We need to be able to understand the situation at all levels about where we are vulnerable and not vulnerable,” said Banghart. “CDM is a way to help you get that situational awareness within your agency – about your assets, vulnerabilities, configurations – but it also allows senior leaders to make proportional, rational decisions across the board, based on quality information.”
To contrast, the response to Heartbleed was somewhat less measured. “With Heartbleed, there was a bit of ‘hair on fire,’” said Banghart. “Because when you have uncertainty – when you don’t know your situation – you have to assume the worst.”
2. Prioritization
One of the most important solutions to the problem of inconsistency across government agencies, or even within individual agencies, is the creation of standard practices for prioritization and risk assessment.
“Our IT systems have so much complexity, and there is so much nuance in how we manage our resources, that we need to get to a point where we have more consistency in how we are tackling these problems,” said Banghart.
This means making hard decisions about which systems are so vital that an agency would take them offline to keep them secure, accepting a direct impact on the mission rather than leaving them exposed.
“Part of the challenge I want to pose to all of you: Do you have to protect all information equally?” asked Banghart. “No, not really. Part of what we need to do is make this prioritization a part of the business of the organization.”
The difficult part is that there is no single solution that fits every agency. Solutions are instead driven by the agency's mission, as well as its requirements and regulations. But, argued Banghart, it is vital that agencies at all levels go through this exercise to figure out their priorities, and then, once that is done, keep monitoring their assets so that they know what is going on at all times.
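The two lessons above, knowing your exposure and ranking what to fix first, come together in a small triage script. The following is an added example, not code from the article, from GovLoop, or from any government program. It assumes a constructed asset inventory with hypothetical host names, and it uses the published affected range for Heartbleed (CVE-2014-0160: OpenSSL 1.0.1 through 1.0.1f, plus 1.0.2-beta1; fixed in 1.0.1g). Hosts with no recorded version are ranked alongside the vulnerable ones, which is the "assume the worst" rule from the talk made explicit.

```python
"""Heartbleed exposure triage over an asset inventory (added example).

The inventory below is constructed for illustration; the host names are
hypothetical. The version range is the published one for CVE-2014-0160.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# OpenSSL version strings look like "1.0.1e", "1.0.2-beta1", or a distro
# build such as "1.0.1e-2+deb7u5". The trailing distro suffix is accepted
# but ignored, because the upstream number is what the published range uses.
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?(?:[-+].*)?$"
)


def is_heartbleed_vulnerable(version: str) -> Optional[bool]:
    """Return True/False for a recognised OpenSSL version, None if unparseable.

    A version-string check is an upper bound, not a confirmation: distro
    builds that backport the fix keep the old number (Debian's 1.0.1e-2+deb7u5
    was patched), and builds compiled with OPENSSL_NO_HEARTBEATS are never
    affected. Treat True as "needs confirmation on the host".
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    letter, beta = m.group(4), m.group(5)
    if (major, minor, patch) == (1, 0, 1):
        # Plain "1.0.1" (letter == "") through "1.0.1f" are affected; "g" and later are fixed.
        return letter <= "f"
    if (major, minor, patch) == (1, 0, 2):
        # Only 1.0.2-beta1 shipped the bug; beta2 and the 1.0.2 release did not.
        return beta == "1"
    # 0.9.8 and 1.0.0 never had the heartbeat code.
    return False


@dataclass
class Asset:
    host: str
    openssl_version: Optional[str]  # None: the inventory has no data for this host
    criticality: int                # 1 = mission-critical ... 3 = low impact


# Constructed sample inventory (hypothetical hosts).
INVENTORY: List[Asset] = [
    Asset("benefits-portal", "1.0.1e", 1),
    Asset("intranet-wiki", "1.0.1g", 3),
    Asset("legacy-app", "0.9.8y", 2),
    Asset("grants-api", None, 1),             # no version recorded: assume the worst
    Asset("staging-web", "1.0.2-beta1", 3),
    Asset("mail-gw", "1.0.1e-2+deb7u5", 2),   # distro build: flagged, needs confirmation
]

Row = Tuple[str, str, int]  # (host, status, criticality)


def triage(assets: List[Asset]) -> List[Row]:
    """Classify every asset and return rows in the order they should be worked.

    Status is "vulnerable", "not_vulnerable", or "unknown". Unknown hosts are
    ranked with the vulnerable ones: with no situational awareness you cannot
    rule them out. Within a rank, mission-critical systems come first.
    """
    rows: List[Row] = []
    for a in assets:
        verdict = None if a.openssl_version is None else is_heartbleed_vulnerable(a.openssl_version)
        if verdict is None:
            status = "unknown"
        elif verdict:
            status = "vulnerable"
        else:
            status = "not_vulnerable"
        rows.append((a.host, status, a.criticality))
    rank = {"vulnerable": 0, "unknown": 0, "not_vulnerable": 1}
    rows.sort(key=lambda r: (rank[r[1]], r[2], r[0]))
    return rows


def exposure_summary(assets: List[Asset]) -> dict:
    """Counts per status, the headline number leadership asks for first."""
    counts = {"vulnerable": 0, "unknown": 0, "not_vulnerable": 0}
    for _, status, _ in triage(assets):
        counts[status] += 1
    return counts


if __name__ == "__main__":
    for host, status, crit in triage(INVENTORY):
        print(f"{host:16} {status:15} criticality={crit}")
    print(exposure_summary(INVENTORY))
```

The ordering is the point: two of the six hosts need work immediately, one of them because nobody recorded its OpenSSL version, and the Debian host is flagged even though it may already be patched. Confirming those two cases requires data the version string cannot give, which is exactly the gap a CDM-style inventory is meant to close.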
If you'd like to learn more about CDM, or download GovLoop's cybersecurity guide, browse the resource links below.
- GovLoop Cybersecurity Guide: Innovations that Matter: Your Road Map to a Secure Future
- U.S. Department of Homeland Security: Continuous Diagnostics and Mitigation Program
- U.S. General Services Administration: Continuous Diagnostics and Mitigation Service Options
- US-CERT: Continuous Diagnostics and Mitigation Toolkit