We talk about the challenges of digital transformation and cybersecurity in the US federal government. We discuss solutions for bringing innovative technology and bespoke services into the federal space and how to shorten long procurement cycles. We also cover what the federal government can learn from the private sector, including how to shrink the ongoing cyber skills shortage.
Here are the 4 Topics We Cover in This Episode:
1) Federal CISOs and CIOs Assume Cloud Migrations Will Bake in Security:
Outside of the US national security, intelligence, and DOD sectors, many civilian agency CIOs and CISOs in the US federal sector have the following shortcomings with regard to cloud migration:
- First, they assume security will be baked in as part of cloud migrations to AWS, Azure, or GCP. It is not: under the cloud providers' shared-responsibility model, a long list of controls remains the customer's job.
- Second, cloud adoption has mostly reached infrastructure-as-a-service, with some platform-as-a-service, but lags far behind in software-as-a-service and in application security.
- Third, they are often unaware of their expanding attack surface, lack an enterprise-wide security culture, or cannot secure funding for their security initiatives.
- Last, they have trouble retaining talent from the private sector.
2) Build Versus Buy Debate in the US Civilian Agencies:
Procurement in many civilian agencies within the US federal government is based on the lowest acceptable cost rather than on value delivered. Even after purchase, enterprise security tools are not plug-and-play; they still need configuration and tuning before they deliver value. Agencies also cannot hire and retain talent at private-sector pay, so building technology in house is extremely challenging, and many civilian organizations are not doing threat intelligence and incident response at the scale and speed necessary.
3) Approaches for Overcoming Cyber Skills Shortage Gap:
Recognizing that the federal government will lose the competition for top talent under lowest-cost procurement and federal salary limits, we recommend retraining IT staff who want to grow into security, particularly in automation: system administrators into security administrators, enterprise and application architects into security architects, and database administrators into data security roles. NIST's Cybersecurity Workforce Framework, with its common lexicon of work roles and knowledge, skills, and abilities (KSAs), gives agencies a reference for planning this.
4) Future of Outsourcing to Managed Services Experts and Codifying Appropriate Threat Models:
Some civilian agencies will likely need to outsource portions of SOC operations to managed services companies over the coming years. Some agencies are outsourcing Tier 1 alert triage, for example, while keeping Tier 2 and Tier 3 escalations in house.
However, for the US federal government as a whole to be successful, there needs to be an agreed-upon risk posture framework that civilian agencies adhere to, so that automation in detection and response can be achieved at the scale needed in the federal space.
Further, application and software security lag far behind infrastructure security, which still gets most of the focus. Agencies remain reticent about outsourcing because of supply chain concerns, particularly offshore delivery. The federal government may nevertheless have no choice but to implement aspects of a next-generation SOC by outsourcing specialized functions to outside experts.
LANDON: Welcome to “Cyber 5”, where security experts and leaders answer five burning questions on one hot topic in actionable intelligence enterprise. Topics include adversary research and attribution, digital executive protection, supply chain risk, brand reputation and protection, disinformation, and cyber threat intelligence. I’m your host Landon Winkelvoss co-founder of NISOS managed intelligence company. In this episode, I’m joined by former technologist at Booz Allen Hamilton, Gaurang Shah.
We talk about the challenges of digital transformation and cyber security in the US Federal Government. We talk about the solutions to bringing innovative technology and bespoke services into the federal space and how to shorten long procurement cycles. We also discuss what the federal government can learn from the private sector including how to shrink the ongoing cyber skills shortage in the federal government. Stay with us.
LANDON: Gaurang Shah, welcome to the show, sir. Would you mind sharing a little bit about your background for our listeners please?
GAURANG: Sure, so I have been working in the cybersecurity area since the mid 1980s, so this is the time when people had antivirus, people had firewalls, and everyone had like the roadmap which says I’m gonna have an IDS and I’m done with security implementation. And just about that time I started working on this whole Rainbow Series, NSA security implementation, the Orange Book, the Red Book in multilevel security. So I got started into that and then I worked in product management, product marketing for companies like Symantec, and then the other half of my career was doing cybersecurity consulting work with companies like Raytheon in the DoD space and then with Booz Allen Hamilton in the civil agencies space.
So like I said, my cybersecurity 35 plus years career half of that in product management, product marketing, other half into the cybersecurity consulting.
LANDON: Well, I can’t thank you enough for joining the show. You’re certainly a seasoned veteran in terms of seeing the broad swath of digital transformation that’s really come across the US public sector over the last 20, 30 years. And that’s what we’re gonna be talking about today, that digital transformation, how threat intelligence can be used in the US public sector. A lot of listeners are probably familiar with the private sector and enterprise, but let’s talk about the federal government, the US Federal Government.
What’s the day in the life of the modern day CIO and Chief Information Security Officer in the US Federal Government as it really relates to that digital transformation to Cloud enterprise?
GAURANG: So first of all let me just say that even though we say in the public sector, the federal government, it’s truly not monolithic. So if you look at agencies like the Department of Defense, or like Intel Community or even Department of Justice, Department of Homeland Security I think their security posture is a little better than say agencies like the Internal Revenue Service or the Health and Human Services. And then if you go further down I think you’ll find that they’re still lagging behind from the security perspective.
Also like the Cloud migration is definitely going, but the one thing I found in public sector with the Cloud migration is that sometimes it gives them a false sense of security, cause they just think, oh, I put everything in the Cloud and then I don’t need to worry about security, like AWS or Salesforce.com or ServiceNow will take care of all the security, and they don’t really understand that the customer also has the responsibility, and all of the Cloud service providers give you a list of the controls that are still the responsibility of the customer. Also in the public sector I think most of the Cloud implementation is really for the infrastructure as a service and in some cases maybe the platform as a service, but I think they are way behind in using software as a service, so I think there’s still some issues.
But now going back to your earlier questions like what are those challenges the CIOs, CISOs face in the public sector. So of course, the challenges are not much different between the public sector and the private sector, but they’re still constantly evolving the threat landscape, the expanding attack surface, and proliferation of data tools. And the other thing that I find in the public sector is still there is this lack of the enterprise level security culture. Everyone just does their own things and overall there is really no or lack of the security culture. And then of course, this is the general issue of difficulty in hiring and retaining cyber talents. And the last thing, but not least, is funding in the public sector versus in the private sector especially like Fortune 500 or Global 1000 kinds of companies.
So these days, we’re talking about addressing the challenges of the convergence of like state sponsored advanced persistent threats and now also the cyber crime like ransomware. At one time that did not exist that much in the public sector, but now I think ransomware has also become a reality in the public sector. And while the the CIOs and the CISOs are doing all of this work, there’s also now the new executive order coming out of in White House and they assign certain tasks and say, “Hey, you public sector agencies, you really need to start worrying about implementing the Zero Trust and accelerate your Cloud migration.” So all of that and the whole evolving threat landscape and everything it’s just getting more and more difficult and not easier for the public sector.
And my personal observation having worked in the public sector now for last like 10, 12 years, I think there’s still need to improve in all aspects of cybersecurity which I’m talking about the basic stuff, people, processes, technology, and governance and they really need to focus on prioritize cybersecurity, continuous monitoring, cyber innovation and agility and as I said earlier they really need to establish that enterprise level security culture, make sure everyone understands the security is the shared responsibility and the need to properly communicate with all stakeholders and not just people in the security realm.
LANDON: You come from Booz Allen Hamilton, a long legacy of Booz Allen Hamilton. I was at one time a contractor myself working for large companies like the Booz’s and CACIs of the world. The government certainly understands how to buy people, and certainly, I wanna say, they would know how to buy people to make technology. With all the challenges that you just listed there, and when we focus on the reactive side, right, if we’re talking about incident response, threat intelligence in the public sector, what does the build versus buy context look like? What is that discussion really within the federal government?
Right, if we look at enterprise, enterprise looks at build versus buy as the private sector said, this is a risk management function. If I can buy it quicker and be more efficient and build over time I’m gonna certainly do that, right? Like I’m not gonna go and spend a lot of money on developers to build an agent firm that helps me alert, I’m just going to buy that and then execute against efficiencies. That’s how the private sector generally does it and they do that with services as well as products. Is it the same mentality within the public sector?
GAURANG: Basically it’s the same, but then there are some fundamental differences and partly it is because the private sector, with the threats they are facing, has the agility to go to the next level whether it’s like they’re really buying the latest and greatest tools coming out on the market. And as you know, Landon said that the whole procurement cycle in the private sector is much shorter than the public sector. Public sector a lot of times I think is not like the best of breed is not even like the value is like the lowest cost. And even after they buy things it’s not like plug and play you still have to like especially the enterprise level security tools, you still need to do a lot of optimization, you still need to configure right away to get the full value out of that and that becomes an issue. And in terms of building I think it’s really hard because again that whole talent aspect.
I mean, if you look at the kind of people we have at your company Landon, like NISOS or something like Mandiant, the talent you guys have in your organizations, a lot of public sector agencies just cannot afford it, right. So they try to go for the lowest cost option and then it’s really difficult to build anything based on that, and I’ll give you just a little background in what is happening or what was happening over the last few years. So a simple thing like your security operations like SOC, and many of the public sector agencies were still operating in what I call the SOC version 1.0, and all they were doing was just tier one, tier two, tier three monitoring and incident response. So you just have like a bunch of people staring at the monitors looking for certain things, certain events, alerts happening, and then it would go to incident response. Some people started adding some level of automation at tier one, some of the DevSecOps in terms of like the tools optimizations, alert detection, some kind of logic development and everything.
So they started doing that, but there was very little in terms of the threat intelligence or like some kind of an actionable intelligence it just wasn’t happening even. Even simple things like incident in response. So there were not like doing the actual digital forensics or automation kinda of things. So in my personal opinion I think especially the civil agencies in the Federal Government are still far behind the Fortune 500 Companies in both the build and the buy scenarios. And as I said earlier, primary reasons are again finding the right talent, funding and the long procurement cycles. So I think they are behind in terms of like the people, processes, technologies and governance.
LANDON: Well, since we’re all on that topic right now, let’s cover that skill shortage. The government has no issue; they know how to buy personnel to sit on site, understanding that now we’re in a post COVID world and people know that they can find a job that’s not sitting on site.
How does the US Public Sector overcome that skill shortage really in cyber security? Can this even be accomplished in the next two to three years or does this really need an overhaul in procurement? Does this need an overhaul in budgets? Does this need an overhaul in just process in terms of how people manage and leave because they might a SOC might not be somebody sitting in the building staring at screens. How does this get overcome?
GAURANG: Yeah, so Landon this is basically all of the above, right? So, yeah, so it’s just definitely the cyber workforce is a big issue with the Federal Government and short term I don’t really see anything major happening. So in the longer term I would probably say maybe two to five years is kind of a timeframe they need to address several things, right? So again, this whole mentality of the lowest price contractors, salary limitations for the federal employees. So if you try to hire somebody and he says, “hey, it’s gonna be like GS 14,” and if we look at the salary range and somebody says, “oh, I can make twice that money in the public sector.” So I think they have to start increasing some of those skills for some specialized types of positions. Because if you look at in the Federal Government the majority of the people when they do the security related work it’s still that traditional we used to get one time used to be called C&A the Certification and Accreditation, now called A and A, Assessment and Authorization.
So that is basically just low level security work a lot of just like paperwork and when you look at let’s say try different drills doing that so a lot of like high technology related cybersecurity work there is not enough talent. And as I mentioned earlier that there’s still, a lot of agencies cannot afford to go to like somebody like NISOS or someone like Mandiant and say, “Hey, I need your bright people to come and implement security, so several approaches, right. So one approach is to train a lot of like good IT people into security and a couple of simple examples, right. So in IT SYS admin function has been there for a long time so there are so many sysadmins for Linux, for Windows. Some of those people could be trained to do security admin, same thing with the architects. You have a lot of like enterprise architects, application architects, many of them can be easily migrated into the security architecture functions. Your DBAs, the Database Administrators, can be trained to become like Data Security Architects.
So some of that is really just retraining where they already have a lot of technology skills and they can easily get into the other security technology. The other thing that is happening is I call it like the integrator cybersecurity workforce that addresses the cybersecurity challenges looking at their missions, business processes, everything connected to cyberspace. And that way is not one size fits all, people with the lower level of skills they can still contribute to the cyber security work and then the higher skill levels can do the other things. And then the last thing is some of that skills gap has to be addressed via automation and machine intelligence. So they’re not gonna do all the work, but they can at least provide some decision support to the security analyst. So now your security analysts don’t have to have all of the knowledge within themselves they’re now getting all kind of like support from that whole automation machine intelligence aspect.
And one other thing Landon, you may or may not be aware of this so NIST have issued what they call the Cybersecurity Workforce Framework and that provides like a fundamental reference in support of like the workforce capable of meeting today’s cybersecurity needs using some kind of a common and consistent lexicon to describe cybersecurity work by like categories, specialty areas and their roles. And as part of this framework they provide a super set of cybersecurity like knowledge, skills and abilities, the KSAs and the different task for each work role and I know that a lot of agencies are looking into using the cybersecurity workforce framework and that would certainly help address this issue not immediately but over like next two to four years.
LANDON: What does the transformation that we’ve been talking about look like over the next three to five years? And I guess I probably wanna break that down from an IT perspective in terms of moving to Cloud. They might be a little bit behind, but we’ll probably see the Federal Government move the majority of its infrastructure in some way, shape or form to Azure, GCP and AWS. But then from that perspective and you mentioned it that people think that you can just go to Cloud and that they’re now automatically secure.
There’s still that cybersecurity shortage that they need to ultimately be able to do and then in the private sector of course, that immediately means you outsource a lot of this. I mean, if you would’ve told me 10 years ago, told us 10 years ago that you would be outsourcing, that major enterprise would be outsourcing the managed detection response of their enterprise you would’ve said, no way, right. And now that MDR market is just absolutely out of control and of course, plays a part of that as well as in terms of the managed intelligence portion looking outside the firewall. Do you see a potential managed services play in the Federal Government space or is that still just gonna be too challenging for them? They’re gonna have to have staff augmentation, they’re gonna have to have people on site, they’re gonna have to have a 24/7. Is the scale too big, I guess is my point to really think that they’re gonna really effectively be able to outsource in light of the cyber skill shortage gap?
GAURANG: Sure, so I think that that’s an excellent question and I wish I had a true answer. So I think what I’m gonna say is based on me personally dealing with some of the agencies related to their security operations. There are some of the agencies and I’m again going back to my earlier, that the public sector is not like monolithic. So some of the agencies may be more inclined to gradually using the managed security services.
So again, previously we were talking about like a lot of the SOCs, they have tier one, tier two, tier three, and in some cases I think they may be willing to go to the managed security services for tier one, but for tier two and tier three they may still retain things in house and they can still hire like contractors like NISOS or Mandiant, but the challenge is still going to be changing the mindset. So I think what needs to happen in the next three to five years in the public sector is their security operations need to be threat focused, they need to enable prevention of like tactics and attack methods, like what they call it TTP, the tactics, techniques, and procedures, rather than the prevention of the discrete integrator, just like this is what they’re really doing now.
So everything is becoming today is really lot more reactive and I think they really need to migrate into that proactive mode and integration of traditional IT and new security functions I think is also gonna be key. One of the other things I think, I believe that is gonna happen in the next few years because today they do a lot of like compliance work separately, and then there is the whole vulnerability management program and then there is some level of security situation awareness kind of things. At some point in time I think they really need to fuse everything together and really come up with some kind of vague insight into a consolidated enterprise risk posture.
And that would leverage your advanced analytics in machine intelligence and learning your leveraging workflow automation and in the tools. And then the one big thing and I think that’s a whole separate topic so I’m not even going to go into the details, but I still believe that in the public sector there’s still a lack of the implementation of application security, implementation of software security. The focus is still at the infrastructure level and I always claim that the crown jewels are residing at the application level and every time we try to do like scanning against like top 10 or top 20 and it totally pains me to see like one in year 2022, you still have a lot of those SQL injection cross site scripting vulnerabilities and as I said there is no excuse to have something like this in this day and age.
Other outsourcing I think and then these days the whole supply chain security risk is also like a big thing. The Federal Government is a little reluctant to again outsource because of the supply chain risk. You know like in the IT world a lot of outsourcing is really done offshore. So you’re talking about like India and the other countries and certainly the Federal Government frowns upon something like that. So outsourcing of some of the security functions I think is still gonna be a challenge and I think the only way companies like NISOS and Mandiant has to go to Federal Government and say, we are not talking about doing everything and everything, but there are certain things that requires this very specialized talent that it would be very hard for the government to hire that kind of a talent and that is where they really need to contract with or outsource some of those kind of security functions to the other organizations.
The key thing is this what I call the next-gen SOC with a lot of like research and analytics, like an open and adaptive environment, consuming, producing threat intelligence, continuous hunting for the exploitable weaknesses, leveraging a lot of emerging technologies, using a lot of like threat detection frameworks, libraries, building some comprehensive dashboards which give CISOs good visibility and also provide the SOC analyst a lot of support. And as I mentioned earlier, just actionable risk intelligence, your threat intelligence integrated in a triage, the context-based analysis on indicators of compromise and threat knowledge databases and internal intelligence sharing in a platform.
So all of this are already happening in the private sector with the Fortune 500 Companies, public sector really needs to leverage what private sector is doing and try to implement that within the public sector.
LANDON: How does that actually have to get done? You’re talking about overhauls in procurement like you mentioned that earlier. How does that fundamentally happen?
GAURANG: Partly is like some directors coming out of the White House. So we already talked about some of the executive orders putting a lot of focus on security. The CIOs I think now they’re getting the CIOs who are also coming from the private sector so they also understand the importance of security culture technologies.
And the other thing is now better understanding of the threat actors, the threat landscape. Cause up until like three, four years ago a lot of federal agencies would say, “oh, we have like no big things of any value to people out there.” And now I think they’re all, you know, simple things like my last client was the National Institutes of Health. And typically they say, “oh, we just do research work, we also collaborate with different universities, different organizations across the whole world.” I mean, they would collaborate with universities and researchers in India and China and a lot of other countries, and now they’re realizing that yes, you still need to do some level of collaboration, but you still need to implement security. You just need to do everything securely, and at one time it was an uphill battle when you talked to the researchers and the scientists, and they just believed in sharing and not much security focus.
So I think those are the kind of things that is changing. And then in a few episodes that happened in the past, like I mean, now was a little bit inundated, but the big one was the office of personnel management. I mean, that kinda a breach which has a very long term impact of something like this and just like in the private sector because I think I had been saying for a long time that when you have security reporting into the CIOs there’s always a conflict of interest. So security really needs to have a seat at the big boys table reporting directly to the Board of Directors or at least the CEOs or the presidents and not the CIOs.
So I think the same thing is now happening in the public sector so that they’re moving security out of the CIO realm and having more accountability with the other part of the organization. So a lot of things like culture change and I see that is happening. Like I said, I’ve been doing public sector work for like over 12 years and in the last few years I have seen that transformation from both the cultural perspective, the technology perspective and from the process perspective.
LANDON: Gaurang, thank you very much for joining the show. Congratulations on such a magnificent career, and I certainly look forward to working with you in the future.
LANDON: For the latest subject matter expertise around managed intelligence, please visit us at nisos.com. There we feature all the latest content from NISOS experts on solutions ranging from supply chain risk, adversary research and attribution, digital executive protection, merger and acquisition diligence, brand protection and disinformation as well as cyber threat intelligence. A special thank you to all NISOS teammates who engage with our clients to conduct some of the world’s most challenging security problems on the digital plane and conduct high stakes security investigations. Without the value the team provides day in, day out this podcast would not be possible. Thank you for listening.