Ex-cybersecurity chief calls on feds to step up efforts

While progress is being made in the nation's efforts to ensure the security of its cyber assets, a revolution is needed in the federal government's thinking in order to win the "cat and mouse game" with cyber attackers, a former senior cybersecurity official said Wednesday.

"The government doesn't know what its IT assets are," said Amit Yoran, who resigned as director of the Homeland Security Department's cybersecurity division last month. He added that the government is much like large multinational organizations, where cybersecurity awareness does not cut across all divisions.

A recognized private-sector expert, Yoran said he tried to address the problem during his one-year stint at Homeland Security. By the time he left, he said the department had made progress in mapping which of the 127 federal entities are responsible for what parts of the government's cyber assets. His office found that there are 5,700 different "network blocks" across government.

The division also began asking about agencies' Internet exposure in order to understand the risks. But scanning the 5,700 networks for that exposure is "a Herculean effort" and is ongoing, he said. Yoran spoke at a conference sponsored by the Computer Security Institute.

Generally, Yoran said the government's risk assessments appear to be largely based on consultants' reports rather than on an actual examination of the systems. His vision for the government is to use the government-wide knowledge of risks to take more coordinated, effective security steps.

There are "pockets" of top-flight cybersecurity skill within the government, Yoran said, and they need to be pulled together. Doing so will be fundamental to getting buy-in from the private sector, which owns about 80 percent of the nation's critical infrastructure, he added.

Yoran said the future is bright for cybersecurity, especially for making more secure software. "We are still at the very early stages of cybersecurity," he said. A new way of thinking is ushering in the next generation of technologies, and the government needs to be out front in encouraging that transformation, he said.

"We really need to revolutionize how we think about cybersecurity," Yoran said. "In three years time, there will be no definable perimeters on our systems." The typical systems, such as firewalls and intrusion-detection systems, will not be efficient any longer, he predicted.

"You won't be able to protect or own all of the information you are providing to your customers," Yoran said. "In many cases, you won't even be able to identify where the data resides."

Yoran's departure from the division caused concern among industry and in parts of the government that cyber security is not sufficiently high-profile in the government. He declined to comment on how the position should be structured, except to say that there should be sufficient access to senior-level decision-makers and that the person should have solid political skills.

Yoran also said that while there is great experience at Homeland Security in physical security, "the same is not true for cybersecurity."

Stay up-to-date with federal news alerts and analysis — Sign up for GovExec's email newsletters.
Close [ x ] More from GovExec

Thank you for subscribing to newsletters from GovExec.com.
We think these reports might interest you:

  • Sponsored by G Suite

    Cross-Agency Teamwork, Anytime and Anywhere

    Dan McCrae, director of IT service delivery division, National Oceanic and Atmospheric Administration (NOAA)

  • Data-Centric Security vs. Database-Level Security

    Database-level encryption had its origins in the 1990s and early 2000s in response to very basic risks which largely revolved around the theft of servers, backup tapes and other physical-layer assets. As noted in Verizon’s 2014, Data Breach Investigations Report (DBIR)1, threats today are far more advanced and dangerous.

  • Sponsored by One Identity

    One Nation Under Guard: Securing User Identities Across State and Local Government

    In 2016, the government can expect even more sophisticated threats on the horizon, making it all the more imperative that agencies enforce proper identity and access management (IAM) practices. In order to better measure the current state of IAM at the state and local level, Government Business Council (GBC) conducted an in-depth research study of state and local employees.

  • Sponsored by Aquilent

    The Next Federal Evolution of Cloud

    This GBC report explains the evolution of cloud computing in federal government, and provides an outlook for the future of the cloud in government IT.

  • Sponsored by LTC Partners, administrators of the Federal Long Term Care Insurance Program

    Approaching the Brink of Federal Retirement

    Approximately 10,000 baby boomers are reaching retirement age per day, and a growing number of federal employees are preparing themselves for the next chapter of their lives. Learn how to tackle the challenges that today's workforce faces in laying the groundwork for a smooth and secure retirement.

  • Sponsored by Hewlett Packard Enterprise

    Cyber Defense 101: Arming the Next Generation of Government Employees

    Read this issue brief to learn about the sector's most potent challenges in the new cyber landscape and how government organizations are building a robust, threat-aware infrastructure

  • Sponsored by Aquilent

    GBC Issue Brief: Cultivating Digital Services in the Federal Landscape

    Read this GBC issue brief to learn more about the current state of digital services in the government, and how key players are pushing enhancements towards a user-centric approach.


When you download a report, your information may be shared with the underwriters of that document.