The Trump administration wants to move agencies toward shared services for cybersecurity under its IT modernization plan.
Shared services, however, is one of those things that is a lot easier said than done.
Michael Daniel, the former White House cybersecurity coordinator and now president of the Cyber Threat Alliance, said that to get agencies to move to shared services, they have to understand the give and take that comes with it.
“The trade has to be that we will take a problem away from you and let you go solve something else that is actually more important to you,” Daniel said at the recent Symantec Government Symposium in Washington, D.C. “We will enable you to free up some resources to go spend on improving the technology that your workforce actually uses so that we, perhaps, could move some of our agencies into the early 2000s in terms of the collaboration tools that are available to them. It really has to be connected not just to the IT operations, but connected directly to the business operations.”
Daniel said one example of this already happening is in the financial services sector, where the U.S. banking industry is finally moving away from wire transfers and toward instantaneous transactions.
Daniel said agencies need to bring together the business side and the cybersecurity experts to have a discussion about how to manage all the risks across the entire department, and that will help make the conversation more “exciting.”
The Trump administration released its final IT modernization strategy in December, where it outlined how the Homeland Security Department will expand its continuous monitoring-as-a-service offering under the Continuous Diagnostics and Mitigation (CDM) program as well as create a governmentwide marketplace for security operations center-as-a-service capabilities.
“[T]he establishment of a SOC-as-a-service (SOCaaS) capability is essential to ensure appropriate enterprise-wide visibility, incident discovery and information sharing among federal agencies. Such a capability would allow agencies currently lacking such capabilities to purchase them from those agencies with sufficient capacity to offer such a service. This could allow for the creation of specialized offerings,” the report states. “For instance, agencies who have demonstrated expertise in defending cloud applications could expand their current SOC capabilities and offer a SOCaaS, focusing specifically on cloud applications. In addition, contracts can be established with commercial providers to provide SOCaaS offerings. Agencies lacking the requisite expertise could leverage these services to accelerate their migration to commercial cloud capabilities.”
The strategy gives DHS, the General Services Administration and the Office of Management and Budget two deadlines.
In 180 days, the agencies will identify potential offerings to provide SOC-as-a-service capabilities to other agencies in the federal government and in the private sector.
In 210 days, any agency that plans to offer SOC-as-a-service capabilities will provide to OMB and DHS a pricing model in alignment with the cloud migration strategy. Additionally, OMB will determine those agencies that don’t have sufficient SOC capabilities and require a plan so they transition to a public or private sector shared service provider.
Grant Schneider, the acting federal chief information security officer and senior director for cybersecurity at the National Security Council in the White House, said several approaches to cyber shared services could work.
“We do need to have agencies look internally, and at the same time, we need to look across government,” he said. “We get different windows of opportunity, and right now we have that window to look at consolidation and centralization. We need to take advantage of that.”
Schneider said this is why the IT modernization effort is so important to cybersecurity improvements.
“We have to look at them holistically. To expect DHS, or anyone else, to be the defense, but having nothing to do with the operations,” he said. “We have to view it holistically as how we are doing our IT operations because it’s in that base of IT operations where we get our foundational security and then we can layer things on top of that.”
Schneider added that with all the cybersecurity laws—more than 60 in all—on the books, Congress, the administration and industry will have to explore which ones help and which ones are obstacles to getting toward a shared services environment.
Schneider said one of the reasons why shared services are more important today than ever before is the lack of qualified workers across all sectors.
“We have a people challenge where we have the adversary and don’t have enough of the people to defend ourselves adequately. We expect in the federal government that everyone, across the board, is held accountable to the same degree, to the same level and we expect them to be able to provide the same capabilities from a defense standpoint,” he said. “How do we make it so the Marine Mammal Commission doesn’t have to worry about their own IT and by extension their own cybersecurity? We will never, certainly in the government and I would say in private industry, get the workforce that we need to defend all of these different systems in a lot of different ways. Frankly, we end up just stealing each other’s employees and moving them around.”
Schneider said shared services and consolidation of cyber defenses mean agencies would need a smaller number of higher-skilled experts who can spend their time identifying vulnerabilities in the system instead of waiting for someone else to tell them about them.
“We’ve got to shrink our threat surface,” he said. “We’ve got to get some parts of the federal government out of the business of trying to do that defense on their own. We will be able to do it across the board at a level that we need to.”