Fixing “the Cybers” in Washington DC
- The challenge: collapse fifteen years of experience into a one-page recommendation.
- Keeping the government safe from cyber villains is a shared responsibility.
- This is part one of two parts about my experience. Read part two here.
I was recently asked to provide guidance to the Trump transition team to help prioritize their IT strategy to improve the resilience of the US government (USG) to cyber-attacks. On a single page.
I realized that I would need to condense into that page almost everything I’ve learned in 15+ years of enterprise IT. Detail would be impossible, and my recommendations for how to fix ‘the cybers’ would need to make sense to serving agency CIOs who are, in my experience, dedicated and informed but hamstrung by complexity, legacy and red tape.
They need less advice on new technologies and products and more clout.
They need to be empowered to mandate change.
There’s an urgent need for fundamental change.
I ended up with a single recommendation: “Move everything to the cloud. Fast.”
This flies in the face of last week’s recommendations from the Obama-chartered task force on cyber security that recommended training 100,000 new cybersecurity professionals and increasing federal R&D funding for cybersecurity by $4 billion over the next decade. That won’t save us. It’s a bit like calling the fire brigade when your old building is fiercely ablaze. We urgently need to move the center of our democracy to a new fireproof building, before our current one is engulfed by the flames.
It is the legacy practices of today’s human-centric IT (and security) organizations that are the Achilles Heel of the US Government. Years of budget cuts, increasing oversight and legacy complexity have left the USG with the oldest and leakiest IT infrastructure in the nation. Low pay scales that can’t compete with the private sector add insult to injury, making it harder for CIOs to retain and motivate skilled personnel. Adding more humans to the mess won’t help.
Human-centric IT is too slow to adapt to change – impacting the strategic IT need to become more effective. And more importantly leaving gaping holes in our defenses as we drag our heels on patching, application updates, configuration changes, dealing with alerts and security configuration changes. One US agency I’ve worked with takes 262 days to change a firewall rule because so many different groups have to opine on whether or not it is needed. (I was admonished: “We’re the US Government. We can’t cut off random bits of the Internet!”).
Human centric IT is expensive, opinionated, slow and fallible. All of these favor the attacker. Cloud is the opposite, and it shifts costs from CapEx to OpEx – so it can save the taxpayer money.
We urgently need a fundamentally more secure approach to IT.
This approach has security built into the infrastructure rather than bolted on as an afterthought. An infrastructure with proven security rather than the vacuous promises of bolt-on security vendors (who depend on “sophisticated nation state attackers” to explain away their woeful failures). We must cast aside human-centric IT management and mandate the adoption of highly dependable, secure, automated infrastructure that reacts at machine speed to machine-timescale attacks.
Automation is the single most important step that we can take towards protecting government IT infrastructure. Cloud computing is fundamentally about automation. It enables self-patching, self-remediation, self-monitoring and self-detection. It also has built-in instrumentation that can feed advanced machine learning algorithms that will play a critical role in understanding vulnerabilities, dealing with alerts and responding to attacks without human intervention, and perhaps most importantly giving IT a well-reasoned framework within which to make decisions. Most importantly, cloud infrastructure is architected to enforce security from the ground up, implementing least-privilege using virtualization, micro-virtualization, micro-services and software defined networking.
We don’t need more cyber-pros.
We need fewer of them and they need to be better informed by tools that take the drudgery out of understanding the state of the infrastructure and helping to secure and heal it. Cloud is fundamental to that transition. And almost every objection I hear to the adoption of cloud by the USG is voiced by incumbent IT pros whose skill sets have failed to keep pace with the rapid changes in technology, and who perceive cloud as a threat to their jobs.
In part two, I’ll add more detail to my recommendation that the USG mandate that its agencies move to the cloud as fast as possible in order to quickly up-level our resilience to cyber-attacks.