What are the primary cyber challenges facing the federal government today, and what broad trends have led to those challenges?
I think we are starting to see a slight nudge in the larger conversation about cybersecurity, but perhaps the biggest challenges are about scoping the discussion, not just the problem. I would put the challenges in three categories—accountability, alignment and application.
Challenge 1: Cybersecurity Requires Fiscal Responsibility and Accountability.
There are three issues that have prevented the few major agencies responsible for cybersecurity across government from seeing a real return on their investments.
First, much of the large-capacity cyber funding is viewed as an add-on or as special centralized funding, as if cybersecurity is a commodity or a big problem that needs a centralized fiscal power to get us up to speed. Cybersecurity is an ongoing, mission-aligned operation (see Challenge 2).
Second, quality cybersecurity solutions extend beyond the commercial software. It must be holistic, and includes software development practices, the specialized work and customizations done in engineering departments, the security of supporting financial organizations, and the custom data and applications that departments or agencies are building for themselves.
Third, not all data or systems are the same. They should not cost the same to protect, nor should they be protected in the same way. Cybersecurity applies to much more than just IT (laptops, servers, network components). It is expanding exponentially into industrial control systems (ICS) and Supervisory Control and Data Acquisition (SCADA) networks, smart buildings, vehicles, and the army of machines and devices that only talk to other machines (Internet of Things).
All of this means you can’t financially or responsibly put cybersecurity in the server room: it needs to get back into the board room where the risk is managed and fiscal responsibility meets fiscal accountability.
Challenge 2: Cybersecurity Operations Must Be Mission-Aligned
This is what makes Parsons what we are today in terms of our cybersecurity offerings. We have provided decades of support to the Federal government because we approach the problem as an ongoing and increasingly complicated operation. This is only sustainable when you align to a mission, and understand how threats operate within the terrain of the environment you are tasked to protect. You must know:
- how the threat will get in,
- how it weaponizes,
- where it will lurk in your environment,
- what it’s trying to do and what data it wants,
- where it feeds and hides,
- and how to protect against it and ultimately defeat it
Challenge 3: Cybersecurity Application is an Organizational Problem.
How cybersecurity is applied across the organization of the Federal government is an ongoing challenge. While some agencies are struggling with the issues described above, there are pockets of agencies out there are aligning their acquisition of cybersecurity tools and services to mission functions, and engaging with partners to cooperatively weave cyber into their larger enterprise tasks and environments.
There is a finite set of problems to be solved. At Parsons, we continue to create tools that will work on one of those finite problems in many environments to protect similar missions. The new wave of interest in fostering inter-agency relations to apply existing tools and practices to new environments has been very encouraging.
Do recent events like the OPM data breach and the DNC hacking indicate that the government and related entities aren’t doing enough to combat cyber threats? If so, what are the most critical needs to be addressed, and what role can Parsons and other private firms play in that process?
One of Parsons’ chief engineers continually says that in cybersecurity, like in aerodynamics, the opposite of instability is not stability but maneuverability. Now in cyber we also have the difficulty of “propagation of instability.” One of the big problems in the cybersecurity world is that we approach it as every man for himself. The OPM breach was a powerful example of the need to raise the level of protection everywhere before an incident affects everyone.
What OPM also showed us is that we need more rigor for what we already know we need to do. We had many of the right policies, security controls and tools, but they weren’t used. These were basic things that everyone should do at a minimum to securely operate an IT organization, on the same level as not keeping your keys in the ignition. We need to think of these controls not as critical to cybersecurity but as the minimum level of rigor in day-to-day operations.
Contractors can help, especially if they foster the mission support mentality that Parsons has. As mission-enabling partners, we have invested in our customers’ enterprises and contributed to their resilience and risk reduction by performing our functions with sufficient rigor. From the smallest systems to the largest, they all require the same thoroughness.