However, Cyberstat sessions faded, and the larger issue of agencies being unable to measure risk accurately through intra-agency efforts became more evident. Congress then passed the Federal Information Technology Acquisition Reform Act, known as FITARA, putting federal agency CIOs in charge of IT investments in their agencies and mandating semi-annual scorecards to track major agency IT and security performance.
Fast forward to 2020, and the Cyberspace Solarium Commission recommended a Bureau of Cyber Statistics to collaborate with the National Institute of Standards and Technology on “identifying and establishing meaningful metrics and data necessary to measure cybersecurity and risk reduction in cyberspace.”
In retrospect, the most significant single obstacle to progress in cybersecurity is not the technical challenge or even the workforce/skills gap: It is a weakness in the ability to measure. Most federal agencies’ attention goes to compliance, or to metrics that check the boxes of scorecards, rather than to more accurate and granular data.
If the federal government cannot accurately measure the security data it collects, risks will remain unknown, posing dangers to our nation’s cybersecurity posture. Cyber metrics typically answer one of three questions—how secure a network is (a baseline), how the network’s security can be documented (compliance), or how the network’s security can be improved (gap analysis and targeted improvement).
According to the National Institute of Standards and Technology, organizations struggle to systematically measure the impact of their cyber investments. Agencies invest in security, find threats, and generate data on their use of various tools and security policies, but they struggle to measure their return on investment or to quantify the potential value of different options for improvement.
There are also activities such as physical security and IT close support (the staff who typically do password management and inventory IT assets) that directly affect cybersecurity but which federal agencies do not reflect in their cybersecurity budget. These activities are typically excluded because they are performed by other parts of the organization, so their contribution to cybersecurity goes uncounted. This means that the investment total—the “I” in ROI—is too low. Whether this missing data is relatively minor or a significant sum likely varies with the agency.
Information professionals—both CIOs and CISOs—typically focus on measuring impact on information security, usually in terms of confidentiality, integrity and availability. Some federal agencies struggle to translate these information-focused measures into terms of mission impact and ultimately into terms of risk.
Paving the Path for Cyber Public-Private Partnerships
As federal agencies attempt to manage risks, identify the ROI from cybersecurity and IT improvements, and continue to invest in digital transformation, it’s time to leverage private sector capabilities and build mission-focused public-private partnerships (P3s).
In this instance, federal agencies should leverage P3s to make security the default condition for IT and communications technologies as those technologies become increasingly important to our lives, prosperity and national security. P3s can help examine third-party risk, minimize network security exposure through modern threat modeling, and help develop and implement cyber deterrence strategies. As a recent example, the Trusted Internet Connections 3.0 Test Lab and the Advanced Technology Academic Research Center partnered with 10 companies to help agencies accelerate the creation and adoption of more actionable guidance on implementing network security technologies.
While some may criticize the value of public-private partnerships or question the motivations of the private-sector participants, both sides are key stakeholders in ensuring that we focus on cybersecurity for the individual customer or citizen, for the organization (whether a business or a government agency), and for the nation. These relationships also help ensure that government is able to leverage solutions and lessons learned by the private sector rather than “reinvent the wheel” at the expense of both time and money.
There is considerable recognition of the necessity for such collaborative opportunities, both within government and with the private sector. For example, the FBI, which recognizes that no single agency can combat cyber threats alone, leverages private-sector capabilities in its cyber strategy. The President’s National Infrastructure Advisory Council (NIAC) completed a study that recommended the creation of a center to improve real-time sharing and processing of private and public risk data, and the bipartisan Solarium Commission recognized that operationalizing cybersecurity collaboration with the private sector would be a key component in enhancing national cyber resilience.
A Mass Migration to Zero Trust
As the threat landscape grows, federal agencies can no longer delay implementing the zero-trust model across all their networks. Zero trust is a concept created by and first implemented in government. Yet, some federal agencies still struggle with the implementation process or in some cases are unaware of how far along they have already come in their full-scale adoption.
While progress can be made by implementing zero trust in a static fashion (such as segmenting networks and establishing categories of users and access), to be fully effective it needs to be implemented dynamically, so that it can operate in real time and adapt to changing organizational needs. For example, many federal agencies had to shift to remote work, which dramatically transformed both their operations and the threat landscape.
Zero trust is fundamentally about visibility, control, and the protection of computing resources. The mass adoption and implementation of zero trust across federal agencies can be accelerated by adopting the NIST Zero Trust Architecture and by recent agency initiatives to create policy templates, patterns, libraries, and reference implementations that help ensure an agency implements zero trust in a standard way across the organization and in all networks, endpoints, and clouds.
A Secure and Scaled Cyber Future
Experienced cyber leadership and a genuine understanding of how to leverage both government expertise and private sector capabilities are where the most innovative and impactful investments will occur within agencies and as they partner with the private sector to safeguard critical infrastructure.
There’s no silver bullet to scaling and improving federal cybersecurity. However, the combination of actionable and relevant cybersecurity metrics, more rapid federal adoption of zero trust, and enhanced P3 collaboration will have a transformational impact on modernizing the nation’s cyber posture, balancing risk, and accelerating progress towards building a more resilient digital infrastructure.
Jim Richberg is the chief information security officer for Fortinet Public Sector Field.