BOSTON -- Rob Joyce, appointed in March as the federal government's cybersecurity coordinator, was in Boston Monday to outline the Trump administration's plans to modernize the federal government's IT infrastructure. Among the changes in store for the nation's technology systems: moving to a shared services model to better protect sensitive data and demanding departmental-level accountability for IT risks, including those posed by legacy technologies.
"With this executive order, we step back and say we're going to manage the federal information technology activity as an enterprise," said Joyce, who also goes by the title of cyber czar. "Even though it's millions upon millions of assets, even though it's thousands upon thousands of networks, we're going to step back and try to view that as the sum total of risks."
Joyce was in Massachusetts for the launch of the MA Security Initiative, a joint effort by Mass Technology Leadership Council and CyberMA, a regional chapter of CyberUSA. The initiative will bring together local technology experts and educators to bolster collaboration, communication and education around cybersecurity. Joyce applauded the efforts at the top of his talk, calling them "awesome." But the bulk of his presentation focused on the executive order President Trump signed on May 11, one day, as it happened, before the WannaCry attack began.
According to Joyce, the Trump administration is looking to inject enterprise-like thinking into how IT systems are secured. Those who head up federal departments and agencies will be held responsible for "the state of their IT," he said. They will be asked to take stock of what they have, as well as identify and justify risks that exist within their technology infrastructures. In particular, departments will be held accountable for programs and applications that are no longer supported by vendors but have not been phased out -- posing a potential threat to the whole federal network.
"Not only do the IT decisions in any one department and agency matter to that department and agency, but they take and add risk across the whole of government," said Joyce, a National Security Agency veteran.
He pointed to the recent breach in the FAFSA, the free application for federal student aid, as an example of how a system is only as strong as its weakest link. In an effort to streamline the application process, FAFSA linked to the IRS network to automatically bring in necessary financial data, so the applicant wouldn't have to type it in.
"Unfortunately when [FAFSA] did that, there wasn't strong validation and verification," Joyce said. "People found out that they could go to the FAFSA application and, with a minimal amount of PII [personally identifiable information], pull down financial information from the IRS."
The breach was caught early, affecting an estimated 100,000 taxpayers, according to news reports, and it provided more incentive for the current administration to build a kind of bird's-eye view of the federal technology infrastructure.
"We have to have methods to detect those breaches early, defend against them and then compartmentalize them so that they don't cascade into massive data losses," he said. "You can't defend the network if you don't understand what it comprises."
But mapping out the data and technology landscape is only a part of the solution. Every federal department and agency also needs IT expertise. That's no easy task for a government that supports a diverse range of agencies -- from the Department of Defense to the Marine Mammal Commission, Joyce said. As part of the effort to close the holes in IT security and prowess across federal departments, the executive order also calls for the introduction of a shared services model for future IT procurement.
"If there is a service provider that is providing those capabilities with the expertise -- the top-end talent -- for those smaller, less technical agencies and departments, the rising tide raises all boats," he said.
Joyce added that managed services will equate to a faster "refresh rate" of technology and introduce service-based architectures that will keep infrastructure updated and enable departments to shed older technologies quickly and seamlessly.
"The federal government can't afford to refresh all our IT in one fell swoop," he said. "But we can take those risk evaluation areas ... and use those as the low-hanging fruit to feed into the things we're going to modernize and improve."