Federal Cybersecurity Posture is Improving, but Additional Work Remains

Former Texas Congressman William "Mac" Thornberry and Trustwave Government Solutions President Bill Rucker recently sat down to discuss several pressing issues impacting the federal government’s cybersecurity preparedness, the impact the Russia-Ukraine War has had on cyber, and what remains to be done to shore up the nation's cyber defenses.

This is the first of a two-part conversation.

Thornberry spent 26 years in Congress representing Texas's 13th congressional district from 1995 to 2021. During his tenure, Thornberry was Chairman of the House Armed Services Committee and served on the House Intelligence Committee. His involvement in cybersecurity began with the creation of the Department of Homeland Security, which he co-sponsored.

Since leaving Congress, Thornberry was a Resident Fellow at the Institute of Politics in Harvard's Kennedy School and joined the board of advisers of CesiumAstro, a company that specializes in communications technologies for satellites and aircraft.

Around the two-year anniversary of President Joe Biden releasing his Executive Order on Improving the Nation’s Cybersecurity, Rucker and Thornberry sat down to discuss the EO and other events shaping the cybersecurity landscape. 

Q: The EO requires a great deal of change by federal agencies to bolster their cyber capabilities; overall, have these agencies been making the needed changes fast enough?

Thornberry: From my standpoint, the answer is, of course not. We have never made changes in cyber commiserate with the change in the threat, or commiserate with what's at stake, and this situation goes back for years, if not decades. My impression is there's a lot of good in this cyber order, but in no case are we making the changes fast enough.

Q: Isn't that just how the government tends to work? Slowly. 

Thornberry: It can move quickly if it has an appropriate sense of urgency. For example, COVID vaccines came much faster than anybody had ever seen or expected.

And I think part of the challenge with cyber is understanding it and having a proper motivation, a sense of urgency, and the money to accomplish the task. There's a cost to raising your game, and so for cyber this has been hard. 

Rucker: Cyber is an extremely difficult landscape. Our adversaries have ample funding. They have unbelievable resources, and they only have to be right once. That's the big challenge. We have to be right every single time.

From the government's perspective, I think there definitely have been improvements, but it's still, at times, one step forward, two steps back. I look at the Technology Modernization Fund. This really was a way for people to modernize, and the government funded it at unprecedented levels. Two years ago, the request was a billion dollars and I heard we're somewhere in the neighborhood of $2.7 to $3.5 billion in year one that was requested, but then the next year, the fund dropped back down significantly.  

So that is certainly not progress, and this reduction in funding makes it extremely difficult for the government, which spent a year planning for strategic partnerships and innovation to get the funding to accomplish these tasks.

I love the analogy that when your house is on fire, you don't send out an RFP to the local fire stations. You just want a truck there as fast as possible with water to put out the fire and that is Mac's point on COVID. That was the scenario. It was a fire. I think we could move faster if we took that level of urgency with cyber.

Q: What in the Cyber Executive Order has not been accomplished yet? What should be accomplished first?

Rucker: I have been a bit of a broken record on this topic, but I still think data protection, at least in some areas, takes a back burner to the old perimeter mindset. It's certainly gotten better over the last six or seven years with the birth of EDR, which has people focusing back on the endpoint with a level of visibility they've never had, and dwell times went from 277 days on average five years ago to sub 72 hours now when deployed and monitored correctly.

But for me, the big piece still is making sure you have the right tool for the job, and I always fall back on our data protection work. As the saying goes, databases are "the new oil or the new gold." I believe that databases should be treated differently, and the more mature agencies have taken that step.

Many agencies have their traditional vulnerability management programs, and they'll look across their servers, workstations, and systems for vulnerabilities to increase their cyber hygiene. But databases are still left out of that loop for some reason. As a result, the majority of folks don't scan them at all, and over 95% of the agencies we've worked with don't have an accurate count on the number of databases they have in their environment.

This lack of visibility means they don't know where they're vulnerable.

In my opinion, zero trust is helping solve that problem. At TGS we focus on two of the five zero trust pillars around data and users. People have expanded around zero trust, using a purpose-built tool to scan their databases.All agencies need a purpose-built tool that looks at the databases, scans them for vulnerabilities, one capable of checking thousands of things versus a few hundred, and one that is also able to see what the users are doing and what they have access to.

Doing so will show if they have the same parameter set on multiple high-value assets, which is a key indicator of compromise, and then they will know if an attacker is exfiltrating data from those systems.

This visibility is important because, as we know, inadvertent access to data is still a problem, and when that happens, data gets compromised and exfiltrated. The wrong permissions are set, and the next thing you know, a sensitive database is open to the Internet, and anyone can just take that information. 

Thornberry: I would say there is rarely one silver bullet that's going to solve the problem. A defense in depth strategy is needed. Whether it's a military operation or law enforcement, you need to have an approach that tries to reduce the source of the problem.

You may need higher walls or bars on the windows, but you also need to check what's happening out on the street and arrest people who are doing bad things.

To put it in a cyber context, we need to improve our infrastructure throughout government. I know there are still databases inside DoD that can't talk to each other and that are not suitable for some of the more modern approaches to cyber.

So, you start with your infrastructure.

Of course, you need firewalls to keep bad guys out, but you can't assume they will be foolproof, so that takes you to database scanning and protection. And as Bill said, then you need penetration testing as well to check and see how well you're doing.

As we see elsewhere, you need to have this broad, in-depth approach to cybersecurity. So, we have to up our game across the board.

Q: Are we better prepared to combat cyberattacks now compared to 5 five years ago?

Thornberry: I would just say that yes, we're better than we were five years ago, but are we keeping up with the threat? I'm not so sure about that.

The threats, plural, are advancing faster than we are. Here there is a role for the military, and some of the key advances in recent years have been made by Cyber Command and other branches of the military.

I would just add that the executive order came about because of the Colonial Pipeline attack. Big areas of the country on the East Coast did not have access to fuel for a period of time, and that's just a taste of the lessons that adversaries are learning on how to disrupt our society and our economy.

Rucker: We're certainly better than we were five years ago. After all, cyber is in the headlines every single day. 

The average person still doesn't sit around and think about ransomware attacks and cybersecurity on a daily basis, we do because we live in that world, and we see it every single day.

However, If I'm a citizen of Reston, Va., and I'm in line for 85 minutes to get gas because of a cyberattack, I'm probably going to pay a little bit more attention.

Because of the attention generated by Colonial Pipeline, interest in supply chain and third-party risk is at an all-time high.  

This interest in the supply chain is going to result in manufacturers being asked for specific details surrounding their supply chain, their software bill of materials, and what makes up their technology. This line of questioning may cause problems, as we already have some customers on the defense and intelligence side saying that they believe that within two years the government will ask developers to sign portions of the code.

This requirement will increase liability and cost, which is not a good thing.

So, we're going to have to find a middle ground on that to ensure that we're bringing the most secure software we possibly can to help people meet the mission and secure their environments but be able to do it in a way that that meets these new requirements in a cost-effective way. 

Please click here for Part 2.