Federal Agencies Bracing for New Cyber Challenges in 2018

It is not a matter of if an organization will get hacked, but when.

Every cyber security professional has heard a version of that statement – likely dozens of times over – in the last decade. It serves as a way to describe the enormous security challenge that organizations face on a daily basis.

“I cannot stand that phrase,” Symantec President and Chief Operating Officer Michael Fey said in kicking off the Symantec Government Symposium. “It gives us an implicit agreement that suffering a breach is OK.”

For federal agencies to remain secure Fey said they must continually look toward the future. That includes continually training employees to stay on top of the latest trends. “Unlike most industries the information you learned 10 years ago might not be relevant today,” he said.

The same approach also applies to thinking about future budgets.

“We wake up in a weird situation,” Fey said. “Cyber security budgets increase but not at the pace of cyber security needs. With new threats, regulations, and demands, there could be a situation where an organization will not be able to afford to do what they did the year before.”

Modernizing Technology

The Symantec Government Symposium brought more than 550 attendees together to talk the latest in federal cyber security. IT modernization, shared services, collaboration, cloud computing and the emergence of the Internet of Things were the primary topics discussed throughout the day.

“Agencies must not just modernize legacy IT systems, which create vulnerabilities,” said Jeanette Manfra, Assistant Secretary for the Office of Cyber security and Communications at the Department of Homeland Security. Instead, agencies must “look at modernizing the whole thing,” including how they buy and manage technology. She also added that agencies must make “risk-based procurement” decisions for IT, “which we currently don’t have a good way of doing,” she said.

The Modernizing Government Technology (MGT) Act will provide federal agencies with additional funds to improve upon legacy systems, but Dominic Sale, Deputy Associate Administrator for the Office of Information, Integrity and Access at the General Services Administration, said agencies should not fully rely on the funds, but think of how they would operate with that cash influx.

“We should not bank on the MGT Act, but it is a good idea and I think that idea is powerful,” Sale said. “And I think there are many of us who think it can be of help. [But] this is not our plan A.”

The most important part of the act, Sale said, may end up being the working capital funds established at each agency. Those funds can be pulled and carried over year-to-year, allowing agencies to spend them when they deem necessary, opposed to an artificial deadline. “That’s a good thing,” Sale said. “That’s nothing to sneer at.”

Federal leaders, by in large, said a risk-based approach to cyber security served as the best path forward. That approach, though, should include shared services. Federal agencies need to think more about how they can work together to reduce risk, opposed to repeating the same mistakes agency to agency.

Cloud computing has enabled shared services to work more from agency to agency. Instead of simply pushing one technology at an agency, government leaders can leverage technologies that are already proven to work. This process can also save agencies money that can be reinvested in other areas of cyber security.

“Shared services are becoming more and more critical,” said Rod Turk, Acting Chief Information Officer and CISO for the Department of Commerce. “At our department alone we have agencies and offices all over the country. Shared services are the only way we can succeed and that mentality needs to be spread across government.”

We’ll be posting additional blogs highlighting the quality content and speakers from the event. If you are interested in viewing our keynote presentations, you can access the video from those sessions here.