There’s a growing appetite among federal chief information officers to move from merely talking about transforming government IT and cyber, to actually taking some risks and institutionalizing change.
During a panel discussion at the 9th annual Billington Cybersecurity Summit in Washington, D.C., CIOs from the Transportation (DOT) and Homeland Security (DHS) departments, along with the Defense Department’s (DoD) acting deputy CIO for cybersecurity, shared key efforts underway that are positioning their agencies to be more agile, more secure, adopt new technologies, and expand their workforce capabilities.
But getting to the point where agencies are open to change can be an uphill battle.
“The government has great muscle memory,” said DOT CIO Vicki Hildebrand. “We’ve always done things a certain way, [but that] doesn’t mean we should always continue to do it that way.”
In particular, Hildebrand said the department is focused on using hiring authorities that will allow DOT to bring in more IT talent through various means, including term appointments, details from the private sector and internship programs.
To fill the workforce gaps in areas such as cybersecurity, Hildebrand has sought outside expertise to help with penetration testing, which involves creating a controlled attack simulation. Experts try to break into your network to find vulnerabilities before attackers do.
“It’s really about becoming more proactive than reactive,” she said. “The cyber world has been very reactive.” With the explosion of the Internet of Things and connected vehicles, DOT must consider the vast transportation landscape and security of all its systems.
The department partnered with Synack, a company that specializes in smart crowdsourced security testing, to help the department cleanse its environment. Hildebrand said DOT started with a piece of software that it thought was rock solid but in reality contained vulnerabilities.
“This is a rinse and repeat situation, and we’re going to continue to do this through the entire department, and I think this is going to help us a lot,” Hildebrand said. “Again, it goes back to … being proactive. I don’t want to wait for a bad actor to tell me I’ve got a vulnerability and then I react to it.”
DoD’s Code.mil, Defense Innovation Unit
DoD is taking a similar approach to uncovering and remediating cybersecurity vulnerabilities through programs like Hack the Pentagon and Hack the Marine Corps, said Thomas Michelli, DoD’s Acting Deputy CIO for Cybersecurity. Some 6,000 vulnerabilities have already been uncovered.
DoD is also ramping up Code.mil in the coming months, Michelli said. Code.mil is an effort focused on encouraging DoD providers to share open source code and inviting others to help review that code.
The department has also codified its Defense Innovation Unit (DIU) and dropped the word “Experimental” from DIU to reflect its permanence at DoD. DIU is focused on helping the department more rapidly adopt transformational technology to help warfighters. It’s headquartered in Mountain View, California, with offices in Austin and Boston.
Institutionalizing Innovation at DHS
“One of the things my organization needs to be better at is establishing requirements that make sense, leverage commercial, and having the technical acumen in place to make sure that we are doing it right,” said DHS CIO John Zangardi. To help institutionalize these changes, the department is in the process of hiring a chief technical officer.
Another area of focus is exposing department officials to innovation in places such as Silicon Valley, the Massachusetts Institute of Technology (MIT) and financial institutions in Manhattan.
Zangardi is focused on bridging the divide between government and industry, specifically when it comes to relationship building. “If I don’t have a relationship with industry and they don’t understand what my requirements are, we are going to fail,” he said.
Internally, Zangardi is also working to build trust and relationships. One example is a reciprocity directive he signed telling component agencies to reuse and share the work they do during the ATO (authority to operate) process. An ATO is a formal declaration that authorizes a product to operate on government systems, and it’s often one of the hurdles that can slow down cloud adoption. But the issue of ATO reciprocity is a cultural one. It’s one thing to sign a memo, but institutionalizing change is hard.
“You constantly have to challenge the status quo,” Zangardi said. When asked about getting the department to accept risks and try new things, he said, “I deal with risk every day; my network is old.”
He added, “The real risk is how you explain things to leadership as you make changes. It’s important that you’re able to communicate the risk.”