China keeps Grant Schneider awake at night.
Schneider, only the second-ever federal chief information security officer, said he could’ve chosen nation-states in general as his concern, but that China has “displayed their intent, has clear means to get into and to attack our critical infrastructure systems, our government systems.”
“To me, that, as a nation, it’s not a government problem, it’s not a federal cybersecurity problem, it’s how do we protect ... our IT,” said Schneider, speaking Sept. 4 at the Billington CyberSecurity conference in downtown Washington, D.C. “It ... has the potential for just catastrophic impacts when it’s compromised."
Chinese cyber actors have demonstrated ability for not only espionage, but also theft, he said. Many cyber experts point to the Chinese fighter jet that looks eerily similar to the F-35 as an example of Chinese actors’ ability to steal sensitive government information.
To help mitigate the national security risk throughout industry and federal agencies, Schneider said that he wants the government to serve as the example.
“We should be setting the example for how organizations should look at cybersecurity,” Schneider said. “Private entities should look at the requirements that we put on federal agencies. They’re for a reason.”
Many federal government cybersecurity standards are set by the National Institute for Standards and Technology (NIST), though several updated cybersecurity rules are currently held up at OMB, according to Ron Ross, fellow at NIST.
On Sept. 4, NIST released a new document, NIST 800-160 volume 2, which will provide new standards for cyber resiliency. The document will provide guidance for federal agency’s systems that “so they can take that punch and still keep on operating even if its in a degraded or debilitated status.”
The document, which is available for public comment for 45 days, includes new dimensions to federal cyberdefense: damage limitation and cyber resiliency.
“We’re trying to make the ... computing machines operate more like the human body, with an immune system where you can get a cold or a virus and then your immune system kicks in and it doesn’t take you down completely,” Ross said.
Greg Touhill — the first federal CISO, who shared the stage with Schneider — said that the key to federal cybersecurity is risk management.
“He who defends everything, defends nothing,” said Touhill, now president of Cyxtera Federal.
Touhill said that he’s concerned about the expanding threat landscape with the rise of internet of things devices, as well as the risk exposure of industrial control systems and critical infrastructure. Based on his experience, he said there’s “still a lot of work that need to be done” on information sharing. Touhill also praised the government for starting to move away from checklist compliance, though Schneider said that the agencies still have headway to make on that issue.
“Compliance is certainly not enough; I would say we’re not there yet,” Schneider said. “I’ve been associated with ... a lot of cyber incidents over the years. And every single one of them was through a known vulnerability that had a known technical fix.”
If everyone was at compliance, then the cost of attacking an agency would be higher.
"That will start to at least get us on a playing field where we can actually challenge their abilities, as opposed to having them come in to the doors we leave unlocked,” Schneider said.
Touhill said that when he was the director of the National Cybersecurity and Communications Information Center, he thought that cyber incidents he dealt with were due to “careless, negligent or indifferent people.” Upon reflection on his career, Touhill said he would also add over-tasked to that list. The retired Air Force general added that the investment strategy in cybersecurity is off.
“We go out there and we chase the latest fad, we put out the technology that we don’t properly leverage ... because we don’t necessarily invest as much intellectual capital into the people and process aspect,” Touhill said.
Schneider agreed that there must be integration among those prongs of cybersecurity.
“We need to be able to have a collaboration about the technologies and about the process and about the people with the senior leadership,” Schneider said.