Government and industry need to harness lessons learned from the collaboration following the massive SolarWinds breach and not “victim-blame” companies that invested in cyber defenses yet still got hit in a cyber attack, federal Chief Information Security Officer Chris DeRusha said today.
DeRusha, former CSO for the state of Michigan and a DHS cybersecurity veteran, told the Billington CyberSecurity Defense Summit that the administration is also focused on keeping an “open door” with industry partners and improving the process for innovation acquisition as part of a broad agenda to put cybersecurity front and center.
DeRusha stressed that the new administration’s focus on cybersecurity is definitely a “team sport,” bringing in the National Security Council, the Cybersecurity and Infrastructure Security Agency at DHS, agency CISOs, the intelligence community, law enforcement, and other stakeholders.
Last week, President Biden nominated former National Security Agency Deputy Director Chris Inglis to serve as the first national cyber director. DeRusha said it’s been “a tough few months” for the federal government after the SolarWinds hack, but he felt Inglis would have an “immediate impact” when he steps into the new role.
“Society hasn’t unpacked fully what types of risks we’re facing,” he said, stressing that “industry and government need to partner closely so we can educate not just the American public but our workforces.”
Government and industry have engaged in “pretty deep, rich collaboration” since the SolarWinds hack, working across silos and sharing threat information in real time.
“How do we bottle lightning here?” DeRusha asked, emphasizing the need to capture how the response to the attack reached this point so the same collaboration can be repeated. “It’s really the only way we’re going to be successful with the new types of threats we are facing.”
Supply chain risk management is a priority of the Biden administration, he said, citing February’s executive order and the goal of assessing supply chain products and making recommendations consistently, “carefully and judiciously.”
DeRusha said shifting to a zero trust model, which grants no implicit trust to any user, device, or network location and verifies every access request, is critical and requires commitment and focus from the business side of organizations “to understand why we’re making these changes” that some may find inconvenient.
“We’ve got to get really good at being compelling, how we’re communicating these risks,” he said. “… We’ve got to do a better job explaining ROI and what this is buying down.”
The more than $10 billion for cyber and IT in the American Rescue Plan signed last month is viewed by the administration as “a down payment,” the CISO said, as they look across the federal IT space to see what needs to be modernized.
“It’s now incumbent on us as an administration to show the value demonstrated, that clear ROI,” DeRusha said.
Asked about the path forward on acquisition, DeRusha said they will continue to push for standardized approaches and reducing the prevalence of unique requirements, along with encouraging innovation labs and trying to reduce barriers and shorten the time to awards.
“We do understand we need to move fast,” he said. “Industry is doing its job moving fast, keeping up with adversaries.” Government is going to focus on getting that tech faster, he added.
DeRusha said he believes in an open-door relationship with industry. “We need to understand your perspectives. We need to hear from you,” he said. “Let’s be creative and let’s think big,” pushing some boundaries beyond how problems traditionally have been tackled.
What government and industry can’t do is settle back into the way things had been done before, the CISO said. “We really need to use this moment as an enduring wake-up call,” look at good ideas that may have been passed over at one time “and figure if the time is now.”
DeRusha said he wants to “move away from narrative that blames the victim” after a cyber attack “and instead surge help to the victim.” Organizations may be making cyber investments as they should be, but “sometimes the best of the best are getting beaten here — let’s focus on the forward plan to help each other get out of it.”
What’s critical, he said, is making sure organizations “understand the potential consequences of remaining in a status quo environment.”