Supporting agile development to help the workforce operate in a mobile yet secure fashion is a “critical” element of enhancing cyber hygiene, Department of Homeland Security Chief Information Officer Eric Hysen said in an exclusive Homeland Security Today live conversation with Editorial Board member and former DHS CIO Luke McCormack.
“How do we adapt our governance processes at the department to not necessarily mandate but better incentivize better software processes?” Hysen said.
DHS has “tried a number of things around agile governance” and is still talking about issues such as requirements, analysis, and getting approval to begin development. “We know that that’s not how modern software development goes,” he said. “We still have more to do to think about how do we tweak that process, incentivize, make it as easy to do the right way with modern tools.”
Emerging technology such as artificial intelligence and facial recognition is “making a real impact across the department today,” and DHS is focused on understanding where technology is being used across the department, then setting and following best practices department-wide.
While AI-assisted decision-making for officers “is already real,” the CIO noted, DHS is also focused on potential issues such as algorithmic bias along with ensuring that emerging technology is also secure technology.
In April, DHS announced that its first bug bounty program had concluded with more than 450 vetted security researchers identifying 122 vulnerabilities; 27 of these were determined to be critical. The “Hack DHS” program awarded a total of $125,600 to participants.
Hysen called Hack DHS “a great starting point able to find and remediate several critical vulnerabilities.”
“We need to be reliant on all manner of techniques and approaches,” he added.
The department, along with other federal entities, has shifted from the perception “that you will have a perfect defense system if we just build our cyber walls high enough” to incorporating the zero-trust model that doesn’t replace elements of strong cyber defense “but is an important addition.”
Hysen said he was “surprised how easy it was to get components and systems on board,” while highlighting the importance of agility. The capabilities that are offered to the DHS workforce on mobile devices “directly tie to security – the more we can enable the workforce, the less they’re going to try to find workarounds.”
“There is a critical connection there,” the CIO stressed.
Cyber hygiene work at DHS “is still evolving,” including testing to determine the best model to adopt and issuing a self-assessment to vendors. Evaluation of these results will help guide the department to “better target areas where our teams are going to dig in.”
“There is so much movement going across the department,” Hysen said, adding that DHS wants to avoid being duplicative and be “in lockstep” with the direction of CISA and the White House.
A unique challenge for federal IT departments has been attracting the talent to execute IT priorities from tech modernization to cybersecurity, and the DHS Cybersecurity Service was recently unveiled to make big changes in the way that the department lures, onboards, and retains cyber talent in the face of unrelenting competition from the private sector.
Hysen said the first employees were recently onboarded through the system at CISA. DHS is also using other tools while “working very hard to hire using that new system,” which reimagines traditional civil service procedures: candidates are evaluated through an assessment of their tech skills, and career tracks offer the same type of flexibility and progression one would see at a private tech company.
Asked about what he’d like to see in the department a year from now, Hysen said the department should have reached the point in supply chain security that it “should be clear to industry partners where we are going and what they need to do to come along with us.” The CTO community should be leading the government in use of AI technology including facial recognition software, he said, and be “explicit” to the public about how this technology is being used. And the goal of supporting hybrid work dovetails with the quest to hire and keep top talent at the department.
“I’m looking forward to having significantly fewer cyber vacancies across the department,” Hysen said.