Modernizing Federal Information Technology and Cybersecurity: The Next Sentence GameJuly 10, 2017
Let's play a game.
It’s called the "next sentence game."
I will give you the first sentence. You give me the next sentence.
Ready, here we go.
"If the federal government places greater focus on modernizing information technology, it will help strengthen cybersecurity."
What's your next sentence?
Here is mine.
Modernization can, but doesn’t necessarily, lead to better cybersecurity.
Why am I asking you to play this game?
Because this game, on a much broader scale, is what our federal government will likely be playing over the coming years. The president's executive order 13800, "Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure," puts modernization and cybersecurity front and center.
"The executive branch has for too long accepted antiquated and difficult–to-defend information technology (IT). Effective immediately, it is the policy of the executive branch to build and maintain a modern, secure, and more resilient executive branch IT architecture," the order states.
This policy priority presents a great opportunity to replace legacy systems and applications, which may not work with modern security technologies, or are no longer supported to receive fixes that address new vulnerabilities.
However, back to my second sentence, modernizing systems does not necessarily lead to better cybersecurity. How technology modernization is implemented will drive how much it will improve cybersecurity.
Modernization should start with a set of policy and strategy decisions about priorities and tradeoffs. What is the primary goal of modernization? Is it efficiency? Is it about reducing costs and improving value to the public? These are good and important priorities. How will cybersecurity fit with these and other priorities like reliability, usability, or maintainability, each of which have costs associated with them? How will decision makers make these tradeoffs?
Let's make this more specific. Technology systems are often targeted by highly capable adversaries who can be expected to evolve their techniques to evade defenses. Technology modernization should be built on assumptions that cybersecurity will need to evolve throughout a system lifecycle and that system and organizational resilience will be needed to maintain mission and business functions despite adversary attack. If those assumptions are not made, or if they are determined to be a fundamental barrier to lower cost or higher functionality, an opportunity to strengthen cybersecurity will be missed.
Network consolidation, which the executive order also prioritizes, is another example where cybersecurity benefits are related to how modernization is implemented. If done well, consolidation can improve cybersecurity by reducing unnecessary complexity. It can focus skilled and trained security personnel on a more manageable environment where defenders are better able to "get their heads around" what is going on in terms of design tradeoffs, the meaning of events observed in the system, etc. All good.
However, some amount of system diversity can help cybersecurity. For example, it can improve redundancy, an important resilience feature, and limit the concentration of data. This means that decision makers must both understand the real security opportunities that come with consolidation, and consider how to compensate for the reduction in redundancy and increase in data concentration.
Finally, if we are going to modernize technology, in part, to strengthen cybersecurity, it offers a great opportunity to simultaneously modernize our cybersecurity policies. Are there particular policies, or policy areas, which could be updated or refined? For example, if you want to measure how well the IT conforms to a policy, why not formulate the policy with the technology in mind (so it’s feasible) and the technology with the policy in mind (so that the technology supports the policy out of the box, rather than being bolted on)?
This all comes back to people and decisions. Ultimately, setting priorities and making tradeoffs requires people to address a range of strategy, policy, and technology considerations. Which people will be at the table making these decisions?
We need teams of people who can bring both deep mission and cybersecurity expertise to these decisions. What are the most critical mission risks facing an organization? What measures can we take to make our systems and organization more resilient to mission risks? How do we make tradeoffs between security, efficiency, cost, etc.? Committing to technology modernization doesn’t ensure that the right people will be at the table to have these vital conversations.
Federal leaders should take the opportunity to actively build cybersecurity into decisions throughout the modernization process. There are numerous opportunities to do this. For example, when: setting policy and strategy, determining priorities and requirements, structuring acquisitions and procurements, and developing and deploying new systems. If cybersecurity is built into modernization decisions, hopefully everyone’s second sentence will be: Modernization helped our federal government strengthen cybersecurity.