Cybersecurity has become the latest frontier in national security with the expansion and proliferation of the digital environment in recent decades. Today, cyber is also an emerging and important component of warfighting, and the U.S. government has placed a high priority on better protecting our critical information, data and cyber assets as the threat rises.
Despite increases in ransomware attacks, breaches, cybercrime and hacks around the world, the U.S. is well-positioned to respond to these kinds of incidents, according to Gentry Lane, CEO of ANOVA Intelligence.
“We, hands down, have the best cyber combatant command of any nation. And even though we’re outnumbered by a lot of them, our capabilities and our ability to effectuate successful operations are far and beyond any of the major threat actors,” said Lane during a panel discussion at GovCon Wire’s Second Annual Cybersecurity in National Security Summit.
The full Cybersecurity in National Security Summit – including keynote addresses by the FBI’s Bryan Vorndran and NSA’s David Frederick, and an expert panel discussion – is now available to view on-demand.
However, the lack of a cohesive strategy across the government’s cyber-focused agencies is impeding the United States’ ability to innovate at a quick enough pace to thwart adversaries, Lane warned.
The same sentiment is echoed in the government’s implementation of zero trust. As the DOD issues more and more guidance and information about zero trust, some executives feel they have more questions than answers.
“In the critical infrastructure sector, and commercial businesses, there’s really a lack of understanding of how to address this holistically,” explained Emmett Moore III, CEO of Red Trident Inc. “Every company you go to, they’re confused or they’re concerned with what’s the right way for them.”
But even in the absence of overarching coordination and unity, Department of Defense leaders are working within their own agencies — and in collaboration with other public and private sector partners — to take a fresh, modern approach to today’s cybersecurity problems and ensure national security.
David Spirk, senior counselor at Palantir Technologies and the former first chief data officer for the DOD, suggested that the Department may need to entirely overhaul its existing data architecture in order to effectively embrace zero trust.
“I think we, at a basic level, have to rethink our information technology capabilities where we have separate networks, bifurcated by physical segmentation, and acknowledging that that concept probably isn’t what allows us to truly embrace zero trust across a variety of classification levels and with partner nations as we start to understand what being data-driven means and how zero trust, on top of that, allows you to move,” said Spirk.
Spirk explained that in order to fully leverage data in today’s zero trust and cybersecurity missions, DOD leaders may need to come to terms with previous cloud investments as a sunk cost and start over with a fresh, more comprehensive approach. “I think that’s going to be important to truly embrace zero trust from a data perspective going into the future,” he said.
Within the U.S. Air Force, the increasing importance of and reliance on software is driving leaders to change the way they do business.
Col. Michael Medgyessy, chief information officer and chief data officer for the Air Force Intelligence Community, said the agility that software provides to the Air Force is affecting everything from security practices to business processes, and it’s illuminating capability gaps within the workforce.
“We really need to upskill our assessors to understand the code, be able to look into repositories like GitLab and look at the latest running configurations and policies of how those things are actually operating in the environment,” Medgyessy shared.
But in today’s sparse talent environment, upskilling is not the only area of workforce concern for public sector leaders. “There’s a huge workforce shortage within the OT cybersecurity field,” said Moore. That shortage is creating a higher demand for outsourced work to consultants, contractors and other embedded resources being brought into organizations.
This trend is helping organizations to take a harder look at how to integrate OT and IT, and it’s also prompting leaders to shift away from the detection approach to cybersecurity and pivot toward a focus on protection, which Moore said is a key step in the right direction.
Although progress on zero trust and cybersecurity is seen by some federal officials as slow or disparate between agencies, it’s important to note that any amount of progress is meaningful, according to Dr. Brian Hermann, director of the Cyber Security and Analytics Directorate of the Defense Information Systems Agency.
“I think we need to remember that zero trust is a journey. So, some target state in 2027 is what we’re trying to achieve, but along the way, we have what I call progressively less trust, which is every step helps us get there,” said Dr. Hermann.
Additionally, Sean Connelly, Trusted Internet Connections (TIC) program manager and senior cybersecurity architect for CISA, noted that the agency is already working with leaders at other federal agencies to review their respective zero trust implementation plans.
“When OMB released its zero trust memo, each agency was responsible to submit a zero trust implementation plan. We began looking at and reviewing those plans, and then we’ve been reaching out to each of the agencies and working through their CIO shop, their CISO shop and the zero trust leads at those agencies to review those plans,” Connelly explained.