At the Frontline: Former Federal CISO Brig. Gen. Gregory Touhill

Aug. 8, 2017
U.S. Air Force veteran and renowned cybersecurity expert discusses the challenge of securing government networks

One of the top priorities of former President Barack Obama’s administration was mitigating the cybersecurity threats posed to both American businesses and government entities. Indeed, the former president took several steps aimed at improving the nation’s cybersecurity posture during his time in office, issuing an executive order in February 2013 designed to strengthen critical infrastructure against attacks and implementing a Cybersecurity National Action Plan (CNAP) in early 2016, which laid out a set of both near-term actions and long-term strategies aimed at bolstering cybersecurity awareness and protections for all Americans.

One of the provisions within the CNAP called for creating the position of a federal chief information security officer (CISO) who would be responsible for driving cybersecurity policy, planning and implementation across the federal government. Last September, President Obama appointed retired Brig. Gen. Gregory Touhill to the position.

A 30-year veteran of the U.S. Air Force, Touhill has been involved in securing computer systems of one form or another throughout his entire career. Beginning in the early 1980s, when small computers were just emerging, he was tasked with helping introduce them into USAF operations, and he has worked in the information security arena ever since. In addition to being the nation’s first federal CISO, Touhill previously served as Deputy Assistant Secretary for Cybersecurity and Communications in the U.S. Department of Homeland Security (DHS) and as Director of the National Cybersecurity and Communications Integration Center, where he led national programs to protect the United States and its critical infrastructure.

Touhill recently left his career in public service to become president of Cyxtera Technologies’ new Federal Group (CFG), which offers data center services and cybersecurity capabilities to federal agencies and departments. In this "At the Frontline" interview with SecurityInfoWatch.com (SIW), Touhill discusses some of the biggest challenges facing federal agencies with regard to cybersecurity and how he plans to take the knowledge and skills he cultivated in the public sector and apply them to his new role at Cyxtera.

SIW: What were your biggest challenges as CISO for the federal government? How did the government’s cybersecurity policies and procedures stack up with what you were accustomed to in the military?

Touhill: I found the policies and procedures of the federal civilian government and those of the military are almost identical. The difference is that in the military they often are better executed. That said, the most talented and innovative tech experts I met in government service were civilian employees. I believe leadership is the key to doing the right things the right way and at the right time.

There were several challenges that I faced. First, the CISO position across the government still does not have legislative authorities – and in fact, the U.S. CISO position itself remains vacant since I left. Government officials who operate off of administrative writ of the chief executive do not have the same tools at their disposal as those who have a legislative mandate as well. This was an issue for my position as well as the department CISOs. I believe Congress needs to formally specify and empower the CISO position in the next Federal Information Security Management Act (FISMA). Last month, I testified before the House Committee on Science, Space, and Technology urging Congress to formally charter the CISO position. If Congress is truly serious about cybersecurity, I believe they will specify the federal CISO position in the next FISMA.

Second, in FISMA and other legislation like the National Defense Authorization Act, Congress divides the federal government networks into administrative and national security systems. The individual departments are chartered to manage the administrative networks while the Department of Defense (DOD) leads the national security systems. The result is that the federal chief information officer (CIO) and CISO coordinate actions but do not have the authority to direct best practices across the entire federal government. Let’s not forget that the military is a major part of the federal government. The federal CIO and CISO should have the authorities across the entire government to provide unity of effort.

Third, because of these issues, we needed to build a community to provide unity of effort across the federal government to ensure that our policies and procedures were properly and consistently executed. As such, I convinced the federal CIO Council to charter and fund a CISO Council. A few of the CIOs needed prodding; however, within six weeks of my arrival, we had our first meeting where over 70 CISOs participated. The CISO Council continues today and is improving synchronization, sharing of best practices, and execution of mission-essential tasks.

SIW: Where do you believe the federal government is lacking the most when it comes to their cybersecurity posture and what would be your recommendations for addressing those shortfalls?

Touhill: Our federal IT architecture leaves a lot to be desired. We are not doing a good job adopting best practices from industry. Every department and agency operates its own independent network and is expected to protect all its information with equal results. That means that strategically important small agencies are expected to have the same IT and cybersecurity capabilities as large, well-funded entities, like the DOD, Treasury and DHS. I believe we need a federal IT agency, much like the DOD has the Defense Information Systems Agency (DISA). Agency CIOs should spend more time at the application layer and pay more attention to information management while the proposed federal IT agency should focus on core services and the rest of the Open Systems Interconnection (OSI) model stack. We must build a more secure architecture and we absolutely cannot afford to delay lest we put our country and our country’s data at further risk.

SIW: Likewise, where do you believe the federal government is getting things right on cybersecurity?

Touhill: The federal government has taken several actions that are improving federal cybersecurity efforts. For example, the creation of the federal CISO position put department and agency CISOs closer to the boardroom.

Second, President Trump’s May 2017 executive order on cybersecurity focused agency heads to better manage cyber risk.

Third, over the last couple of years we improved coordination and information sharing among the departments and agencies. In addition to the creation of the CISO Council, the National Cybersecurity and Communications Integration Center (NCCIC) has continued to grow and evolve in capabilities. For example, the NCCIC created and fielded an automated information sharing capability that delivers threat information to Security Operations Centers in each department or agency. They are also sharing this same information with private sector partners, including critical infrastructure providers. This capability took information sharing on cyber threats from months to milliseconds. These are but a few of the many great improvements made in federal cybersecurity.

SIW: There has obviously been a great deal of attention paid recently to Russia’s efforts to try to influence last year’s presidential election and even the voting process itself. During your time in the government sector, how great were the threats posed by nation-state actors like this in other areas of the government’s IT infrastructure, and how do you keep them at bay?

Touhill: Nation-state actors are a potent cyber threat but they are not the only threats cyber operators defending our IT infrastructure and its information have to address. The United States Computer Emergency Readiness Team (US-CERT) says that if you successfully implement best practices, you significantly buy down your risk, even when facing skilled nation-state cyber operators. We found that the top five best practices to address the threats are to implement:

  1. Multi-factor authentication;
  2. Active Directory whitelisting;
  3. Segmentation;
  4. Reduction and tight control of privileged user accounts;
  5. Reduction and tight control of remote access, including from your third-party partners.

One of the reasons I joined Cyxtera is because our team and capabilities help enterprises address the risks the nation states pose.

SIW: We often hear that people are the first line of defense in mitigating cyber threats, but what role does technology have to play here and are both private corporations and government agencies leveraging the best solutions out there?

Touhill: I long have said that a “hardened” workforce is your best line of defense, yet that workforce needs the right tools to get the job done right. Technology can reduce the workload on an already task-saturated workforce. However, if the technology is not properly installed and configured by a well-trained and disciplined workforce, you’ll ultimately be disappointed in the results. I’ve found that many public and private sector entities are not keeping up.

Technological advances like software-defined perimeter technologies, network micro-segmentation, and data analytics produce results that are more effective, more efficient, and more secure. If I were still in government service today, I would be pursuing these capabilities relentlessly to better protect the American people’s information.

SIW: Do you believe the government has gone far enough in implementing various standards like the NIST Cybersecurity Framework or does more need to be done in this area?

Touhill: Let’s call it the National Cybersecurity Framework as it doesn’t belong to NIST. Since it was crowd-sourced by NIST, it belongs to everyone. Everyone ought to implement a risk management program that leverages the framework as a guide. I am a huge proponent of the framework. In fact, at the January 2017 CISO Council meeting, I proposed, and the council unanimously adopted, a resolution for each department and agency to conduct formal risk assessments this year using the framework as a guide. I like that the new presidential cyber executive order calls for every department and agency to implement the framework and that the House is considering legislation mandating it. I’d love to see those risk assessments we agreed to in January completed this fiscal year.

SIW: What would be your advice to the current presidential administration when it comes to shoring up the nation’s cyber infrastructure?

Touhill: Lead by example. Harden the workforce. Treat information as an asset. Do the right things the right way at the right time. Continually innovate and invest wisely. Make informed cyber risk decisions at the right level. And finally, take counsel from and collaborate with those of us in the private sector who have “been there, done that.” We have the benefit of knowing your strengths and weaknesses, but also of having access to the solutions that will help solve your greatest challenges.

SIW: How do you believe your background in the military and government service will help you transition into your new role at Cyxtera?

Touhill: After my term expired in January of this year, I took my time deciding where my next steps would take me. I already was an adjunct professor of Cybersecurity at Carnegie Mellon University’s Heinz College and enjoy teaching and mentoring cyber professionals. As I transitioned to the private sector, I wanted a leadership role that would enable me to continue contributing to our national security and found all that and more in my new position leading Cyxtera Federal Group (CFG). I spent decades in the .mil and .gov domains and know where the government’s most pressing IT and cyber needs are. I surveyed the market over many months and found that Cyxtera’s incredible capabilities are best postured to solve those needs.

Cyxtera’s solutions protect over 3,500 customers in the private and public sectors, including 430 global financial services institutions. We operate 57 world-class data centers in 29 major markets around the world. Our Software-Defined Perimeter solution, User Authentication & Fraud Protection, and Machine Learning for Investigative Analytics capabilities are second-to-none.

About the Author: 

Joel Griffin is the Editor-in-Chief of SecurityInfoWatch.com and a veteran security journalist. You can reach him at [email protected].