Cybersecurity is now central to the mission of the Department of Homeland Security (DHS) as threats to federal government agencies become more aggressive and sophisticated. However, mission success for the DHS depends not just on cybersecurity solutions but also on upgrading outdated IT infrastructure throughout both the department and the government.
This was the central message of speakers at the Center for Strategic and International Studies conference, “Strengthening the Federal Government’s Cyber Defenses,” last month.
“A lot of our limitations and challenges stem from” legacy infrastructure, said Jeanette Manfra, DHS Assistant Secretary for Cybersecurity and Communications. “We have to modernize the infrastructure and modernize how we procure. The government in pockets has been looking at adopting mobile and cloud, and that’s good.”
She cautioned that improving the physical assets is only part of the challenge; the bureaucratic process has to change, too.
“We have to be thinking about modernizing everything else that goes along with that … Are we making the right governance choices for [both IT and operations technology (OT)]?” Manfra said. “The more we modernize our IT systems, the more we reduce some of our vulnerabilities, [but] we’re also not taking advantage of ways to modernize securing that technology.”
Rep. Will Hurd, who represents the 23rd Congressional District in Texas and is chair of the House Government Reform subcommittee on IT, promoted the benefits of the Modernizing Government Technology (MGT) Act in helping federal agencies undertake the changes needed. “When you tell folks the government spends $90 billion a year on IT, 80% of it on legacy systems, they get outraged,” he said.
But while getting past legacy systems to up-to-date systems that use the most current technology is important, Hurd reminded the audience of how quickly things change.
“Quantum computing is going to be here sooner than we expect. It’s going to upend encryption. It’s going to change how we operate in cyberspace,” he said. “The true hegemon is going to be in quantum computing.”
Christian Marrone, CSRA senior vice president, federal, and former DHS chief of staff, confirmed Hurd’s perspective and the outrage of citizens. He said that modernization is critical because “that’s where the vulnerabilities come from.” Continuing to prop up legacy infrastructure is just “throwing bad money after bad money.”
Marrone suggested that the acquisition process must be streamlined, and the fundamental requirement for that is retraining the acquisition workforce. “Even if we have the IT modernization fund, even if we have CIOs [at the table], it won’t matter if they keep working the same way.”
DHS is trying to move from technology implementation to risk management, said Karen Evans, director of the U.S. Cyber Challenge and former GSA administrator. “That’s a key function that all of us need to think about, because the conversation always devolves to technical.”
When the Office of Personnel Management breach was revealed in 2015, Marrone was serving as DHS chief of staff. The department quickly reviewed its contract vehicles and discovered “there was nothing about the [cybersecurity] standards they had to maintain for their systems,” he said. “We moved quickly in the department to [add language] in our contracts moving forward – it took us over a year … OPM was such a big event and we could not get our procurement and acquisition folks to turn quickly enough.”
“Christian is right on – the speed of the change of threats, the speed of change of solutions, we’re not keeping up,” said Jim Williams, former acting administrator of GSA. “Typically acquisition and procurement people don’t think about speed, they think about process. If DHS issues a binding operational directive that says, ‘Here’s the threat, do this,’” agencies may only be able to respond through contractors.