Limited resources at federal agencies and critical infrastructure industries are forcing IT departments to prioritize the cybersecurity of certain systems while leaving others more susceptible to breach, according to Jeanette Manfra, National Protection and Programs Directorate assistant secretary for the Office of Cybersecurity and Communications at the Department of Homeland Security.

“We cannot apply all of our resources equally across all of our systems,” said Manfra at a Consortium for IT Software Quality event March 20, 2018.

“That does mean that there are going to be some issues where you do potentially have breaches because we chose to prioritize the resources toward other systems. That is not an enticing scenario for many. That is a risk, though, that I’m hoping we can be willing to take, because we have limited resources, whether you’re a federal agency with only so many federal dollars or you’re a company that just has to take a risk-based approach.”

According to Manfra, threats to federal networks and critical infrastructure have gotten increasingly persistent and complicated and cyber hygiene has not kept pace.

DHS has therefore established three priorities for improving cybersecurity in those sectors:

  1. Improve the nation’s cybersecurity capital through the cybersecurity workforce;
  2. Increase resilience through strong risk management; and
  3. Foster innovation, collaboration and information sharing that creates a whole of nation cyber approach.

A dearth of cyber-trained workers has long been an issue for both the public and private sector. Though the Scholarship for Service program enables agencies like DHS to pull newly trained cybersecurity students into the federal government in exchange for tuition payment, there still aren’t enough people training in cyber to fill every open position.

“Right now, at DHS we’re focused on assisting America’s academic institutions to produce qualified entry-level cybersecurity employees and increasing awareness of cybersecurity professional opportunities. We will also work very closely with the Department of Commerce and the Department of Labor through the National Initiative for Cyber Education and related efforts to look at how we code cybersecurity professionals,” said Manfra.

DHS has also worked to make the resources available to government agencies for cybersecurity go further than they would otherwise through the Continuous Diagnostics and Mitigation program, which agencies in procuring DHS-approved cybersecurity tools.

According to Manfra, CDM’s benefits are providing the federal government with significant cost savings (often delivering services at 70 percent of what is purchased through other acquisition models); an increased use of shared services; and more operational visibility into the security of government systems.

“Because we’re buying all these tools, the requirement is that the data has to come back to us,” said Manfra. “We feel that this model will be the future for us in terms of how we deploy capabilities and how we have insight into what agencies have on their networks.

However, Manfra said, even increased insights and decreased purchasing should not persuade the government to continue dumping so much of its funding into hard-to-secure legacy systems. Instead, it must invest in new technology that will harden them from the start.