HSDF THE PODCAST

Part 3 of 3: Future Challenges of Operational Technology (OT) Security

Homeland Security & Defense Forum

Welcome to “HSDF THE PODCAST,” a collection of policy discussions on government technology and homeland security brought to you by the Homeland Security and Defense Forum. 

In this episode, our panel discusses the evolving landscape of cybersecurity threats and tackles the pressing challenges of hiring and retaining a skilled cyber workforce in the government sector.

Featuring:

  • Bob Costello, Chief Information Officer, CISA
  • Bobby Hall, Director, Compliance Division, Office of the CIO, FEMA
  • Shawn Kingsberry, Vice President, Cybersecurity, SAIC
  • David Simpson, RADM (ret.) USN, Virginia Tech, Pamplin Business College Professor in Leadership and Cybersecurity (moderator)

 This discussion took place at the HSDF’s Cybersecurity Symposium on July 10th, 2024. 

Follow HSDF THE PODCAST and never miss the latest insider talk on government technology, innovation, and security. Visit the HSDF YouTube channel to view hours of insightful policy discussion. For more information about the Homeland Security & Defense Forum (HSDF), visit hsdf.org.

David Simpson, RADM (ret.) USN, Virginia Tech, Pamplin Business College Professor in Leadership and Cybersecurity (moderator):

Thanks. There's another piece that you described that I think also connects to Bobby's piece. You need to be citizen-centered within federal agencies and think about what this means to each of the citizens, and I love that you brought your tech-savvy mom into this. If you go to an agency because you deserve a benefit, you're going to register for that benefit and you can't navigate easily to that. What's your next step? You search and that's the first conduit to fraud, right? So agencies also need to think about how they are presenting themselves to citizens at the end. And if you are administering a program and can't cleanly connect citizens to that program through a user interface that works and is compelling, then you're just setting up an opportunity for cyber criminals to inject in there. So I'd like to use this to shift to the third area of questioning, and that's this growing interdependency.

David Simpson, RADM (ret.) USN, Virginia Tech, Pamplin Business College Professor in Leadership and Cybersecurity (moderator):

Many of the things we talked about rely on a little bit of information there, which gets the process going, but you bring context from information gained over here. Often there's a location element to it, because the sensors are measuring something that then tags it with the location that is derived only from GPS. We've got timing dependencies where the clocks that we use for telecommunications to connect router to router, switch to switch, radio to radio, require a synchronization of time. We've got increased use of time. We've got increased use of cloud. But we know even very high-end companies, like, let's just take Microsoft Azure, right? We all love Microsoft, right?

David Simpson, RADM (ret.) USN, Virginia Tech, Pamplin Business College Professor in Leadership and Cybersecurity (moderator):

SolarWinds happened, boom. If you've got your entire integrated, connected identity, credentialed access management piece that is dependent on a single cloud provider or a single identity, do we now have a new Achilles heel that needs to be looked at from an element of resiliency? Resiliency used to focus on availability. Right, do I have four or five nines to get to the building that has my data so that I can justify going to that building? But now, if that five nines calculation doesn't include logic attacks that may take down every bit of software from, how do we approach the future and plan for resiliency so that we can degrade gracefully and don't have these Achilles heels built in? So, Bob, I'm going to start with you on this one. This interconnected sense, make sense, act world that we're headed towards.

Bob Costello, Chief Information Officer, CISA:

Okay, I guess I'll take it in my direction. I think some of what you're saying is about our resiliency and ability to respond, degrade gracefully. I think that you hit on a couple different subjects. So when we talk about GPS and space, I think there was just recently, within the last week or two, a really good New York Times kind of infographic that went over GPS, the attacks on GPS, jamming of GPS, where it happens the most in the world.

David Simpson, RADM (ret.) USN, Virginia Tech, Pamplin Business College Professor in Leadership and Cybersecurity (moderator):

Ukraine just had a situation where, intentionally, GPS was jammed in an area, synchronization was lost in the power grid and it self-induced several explosions across the electrical power distribution, because they're trying to defend against a GPS-based attack. Sure, yeah, and I think where I was starting to go with on this is.

Bob Costello, Chief Information Officer, CISA:

It actually, though, explained how many of us. I actually worked on the GPS system when I was in uniform out in Colorado, so it was really cool. The officers were up there flying the satellites. The enlisted were making sure they didn't screw it up. We were happy to help. What the New York Times really went into: we've maybe lost our technological edge in the US on global positioning, so the European Union's Galileo that does authenticated requests. China has deployed more satellites than us.

Bob Costello, Chief Information Officer, CISA:

BeiDou involves two-way communication. Yes, so I think where I'm more concerned is in the federal government. We often build very complex systems, systems that maybe are very expensive and the rest of the world doesn't even know about in the country. Our emergency communications division is a great example of that. We're building things we hope we never need. They are used all the time, though. They are used by first responders. During 9/11, both, you know, GETS and WPS, less WPS. At the time we had less wireless users.

David Simpson, RADM (ret.) USN, Virginia Tech, Pamplin Business College Professor in Leadership and Cybersecurity (moderator):

Which are the prioritization programs?

Bob Costello, Chief Information Officer, CISA:

The prioritization programs, wireless and wireline communications, where we have phenomenal partnerships with the telecoms. There is a classified element of that too, so we can make sure that we can get calls through from different parts of the government as needed. These are absolutely critical programs that need to operate at five nines. We really can't tolerate a lot of downtime on them. I think one of the things that I encourage, because we go through different stages in our career, everyone wants to build this very complex system that's very expensive for any solution. Not every system needs to be like that. We need to really identify what are our critical elements, how they're designed. There's other systems that, honestly, can sustain substantial downtime and that's okay. It doesn't mean that the people running those or using that data are any less important. It just means it's not one of the agency's mission essential functions.

David Simpson, RADM (ret.) USN, Virginia Tech, Pamplin Business College Professor in Leadership and Cybersecurity (moderator):

A classic risk focus right. It's not just the probability that something would happen, it's the impact of that.

Bob Costello, Chief Information Officer, CISA:

It's the impact of what happened. So I think that CISA is doing a lot of great work in this area. The National Risk Management Center is really kind of our focus area that works within CISA, as we are the sector risk management agency for eight of the critical infrastructure areas of the United States; there's 16. So they work very closely with the others to do analysis and consequence analysis. That's ongoing this week with Beryl. CISA is able to model telecom impacts, flooding, power impacts and elsewhere using a lot of our systems. So I think that that stuff, you know, just really speaks to, you know, a whole of government response, because, you know, FEMA obviously has the boots on the ground in a very large role back here, you know, to get their programs up and running. But we all kind of support each other across DHS and with the other departments and agencies to kind of share information and make sure that, to your point, we provide good citizen services.

David Simpson, RADM (ret.) USN, Virginia Tech, Pamplin Business College Professor in Leadership and Cybersecurity (moderator):

Networks of networks, degrade gracefully, and teams of teams, right. Looking at the contributions of all, let's shift to our last question and feel free to include in that any interdependency parts you would like to talk about. But, Bobby, I'll start with you. Let's talk about workforce. You know, in the cybersecurity arena we've had for over a decade now the National Initiative for Cybersecurity Education, 54 well-defined work roles. We love it as academics because we know, oh, we need to produce people with degrees and curriculum that supports one of each of those 54, or all 54 of the work roles.

David Simpson, RADM (ret.) USN, Virginia Tech, Pamplin Business College Professor in Leadership and Cybersecurity (moderator):

HR people can take the NICE and turn that into a position description and go hire somebody, but I contend that there's some missing elements of NICE. It's probably time for us to refresh our approach to HR. Can you talk a little bit about that? Where are we getting workforce right? What are the things that we should be looking at going forward to ensure that not only you have the right skill sets and experience in your organization, but those that support you, right, the contractors in this room, have the right skill sets? What would you like to see in the workforce? Me, Bobby? Oh, there you go, we'll go with Bobby, right. There you go, you'll be cleanup on this one.

Bobby Hall, Director, Compliance Division, Office of the CIO, FEMA:

I just called you both Bob.

Bobby Hall, Director, Compliance Division, Office of the CIO, FEMA:

Yeah, great question. I think for me it depends on the position being advertised. I know in my division I hire senior information system security managers, and so I expect them to have at least five to 10 years of experience, to include certifications. Education can be here and there, but I'm looking for what certs do you have. Well, for my division I would say CISSP would be a requirement, well, preferred, have CEH.

David Simpson, RADM (ret.) USN, Virginia Tech, Pamplin Business College Professor in Leadership and Cybersecurity (moderator):

Think like an attacker.

Bobby Hall, Director, Compliance Division, Office of the CIO, FEMA:

Well, it depends on, again, the position being advertised, right. So what I don't want to happen is I'm advertising for a position and I'm requiring 15 certifications, right. That doesn't map with the job requirements itself, and I think we see that a lot in terms of job advertisements on Indeed and other places. But I would say, to answer your direct question, we can get better in terms of, you know, hiring individuals, you know, or graduates coming from college, maybe taking on a more skills-based approach where, you know, we have those individuals kind of, you know, demonstrate practical application of a certain knowledge area per se. A Python coding test, yeah, so there will be one for someone, you know, that's in development. Again, you know, it goes back to the requirement of the vacancy announcement, and I get it.

Bobby Hall, Director, Compliance Division, Office of the CIO, FEMA:

Some people may think that the government way of hiring is pretty antiquated, and it could be to a certain degree, and so that's why, you know, a cross-sector partnership between the government, academia, you know, could go a long way, and I will say there are some programs right now that are currently in place to kind of bridge that gap. One would be the Pathways Recent Graduates Program, where the federal government is bringing on, you know, individuals in uniform, or they're bringing on college graduates and they're taking them through this training pipeline to get them up to a certain level where they can help the agency or government execute their cyber mission. That's one. Number two would be Scholarship for Service, right? So where you have a four-year graduate and they want to pursue, let's say, higher education, and the government is saying, hey, listen, I will pay for your graduate degree, but you owe me two years of service, and so within that timeframe you're also eligible for promotion. And so those are some of the hiring vehicles that we can, I guess, leverage from a government perspective to bring on the bright and talented. But again, I mean there has to be a sense of wanting to serve, you know, the federal government, because again, the pay may not be as commensurate between the government and private industry.

Bobby Hall, Director, Compliance Division, Office of the CIO, FEMA:

But again, back to your question in terms of skills-based, I would definitely agree 100% that we have to move past, I would say, just basic interview questions, and we should really have that individual demonstrate that they have a certain level of knowledge about a topic area.

Bobby Hall, Director, Compliance Division, Office of the CIO, FEMA:

Case in point: when I hire individuals for my division as an information system security manager, my interview questions are scenario-based, right. So I want to make sure that if I put them on the spot, you know, that they can answer those questions, but then, most importantly, that they can execute if, let's say, I'm out of the office per se, and so it's not just, you know, tell me about risk management. Or tell me, you know, what is, you know, CIA. You know, it's questions like, you know, if you are the ISSM for this cloud solution, what is your strategy to get the system authorized within a short time frame? And so now they have to think about project management, they have to think about stakeholder engagement, and so those are some of the things that I kind of embed within my interview questions to make sure that we hire the most qualified applicants.

David Simpson, RADM (ret.) USN, Virginia Tech, Pamplin Business College Professor in Leadership and Cybersecurity (moderator):

Do you have internship opportunities at FEMA?

Shawn Kingsberry, Vice President, Cybersecurity, SAIC:

We have interns right now. Yes, we do, sir, and hire them through.

David Simpson, RADM (ret.) USN, Virginia Tech, Pamplin Business College Professor in Leadership and Cybersecurity (moderator):

USAJobs. Correct, outstanding. SAIC, you're paying all these big bucks and making it hard for these guys to get the right talent, right?

Shawn Kingsberry, Vice President, Cybersecurity, SAIC:

No, Shawn, no, actually, no. What are the workforce challenges for you?

Shawn Kingsberry, Vice President, Cybersecurity, SAIC:

So, well, two things. I know time is running out. I want to hit the cloud issue with SolarWinds right quick. So first off, I come back to the zero trust conversation. Right, because first, everybody's in hyper cloud. Even when you're in Azure, you're in multiple clouds. When you're in M365 and you're in Azure, it's all multiple clouds, right. So when you start to get into identity, segmentation of identity, application, data and the likes, and the throughputs, rolling that into your cyber framework and actually embedding AI into that to actually drive operations. Now you can deal with strange things happening that you didn't expect to happen, and that's actually being delivered today. That's one thing.

David Simpson, RADM (ret.) USN, Virginia Tech, Pamplin Business College Professor in Leadership and Cybersecurity (moderator):

So now workforce and being ready to be agile in that, right, because you're never going to figure it all out ahead of time. So have you built in the agility in your response?

Shawn Kingsberry, Vice President, Cybersecurity, SAIC:

Well, that's what I'm saying. You can't get around the operational side of now. What do people actually do? Right, and that's part of your controls, right? So, but now, coming back to the people side, I got to tell you today, and I've been in several conversations across government about how do you actually deal with, like today, the federal government, 50% is eligible to retire. State government, 42 to 43% is eligible to retire. And when you look at what that means, and now you start to say, hey, the challenge of actually hiring folks, and now you have kids that are like, I'd much rather drive an Uber, right? I'm just saying, I'm just keeping it real, right, so now you start to look at what that actually means.

Shawn Kingsberry, Vice President, Cybersecurity, SAIC:

So the challenge of getting talent isn't just government, that's across the board, and you almost have to bundle cloud, cyber, all together, right, into the same types of problem space of challenges of getting roles. Now, from a government perspective, right, I got to tell you, when you start to look at reorganizing resources and starting to look at what's inherently governmental versus where I'm actually going to have a service provider support and work as a partner to actually deliver the mission, now you have an opportunity to hire different types of people on the government side and partner them up, and interns, because now they're going to partner up and work with other integrators that are actually supporting the mission as a partner, right. When you start to look at it through that lens, you're going to get repeatability. You're going to get the ability to bring in, because now you're holding this contract accountable for resources, because it's outcome-based, right. I got to have this mission delivered this way, and I'm looking at audiences, some of the people I actually work with are in the audience, and they know that this is actually happening.

Shawn Kingsberry, Vice President, Cybersecurity, SAIC:

But when you change the staffing approach from a government perspective of how you say, how do I now organize based on the state of play today? Because the state of play today, the way I would staff a government organization today, is very different than when I was a CIO 10 years ago, right. So I would look at that differently, and then you can address that, right. And there are challenges because now, because you're buying outcomes, you aren't necessarily buying the hourly rate, and now you actually can end up getting more out of an actual Uber contract than you get out of you hiring this person and putting all of the energy into this person. But now you can hire people, train them up and do interns, and yes, we do have intern programs. Come on over.

Shawn Kingsberry, Vice President, Cybersecurity, SAIC:

But I'm just saying, to me, I think you have to think differently. And this kind of came out with FITARA, right? It's just like when FITARA came out, the resume for the CIO had to change, right? And it's the same way when you look at, if I'm in any government agency, how I look at staffing has to change, and the impacts of the decisions that are made are so big.

David Simpson, RADM (ret.) USN, Virginia Tech, Pamplin Business College Professor in Leadership and Cybersecurity (moderator):

I was a part of an intern program that SAIC did, where you used your summer interns in a very novel way and put them into competing teams around Shark Tank at the time, and it was just a fantastic use. We had a business guy with a technician guy, a student, and really great work there. CISA, what do you see as the cyber workforce challenges going forward?

Bob Costello, Chief Information Officer, CISA:

Yeah, there's definitely a couple things. So we're definitely not having a problem recruiting. We get many, many applicants. I think that has to do with our approach.

David Simpson, RADM (ret.) USN, Virginia Tech, Pamplin Business College Professor in Leadership and Cybersecurity (moderator):

You know, the leadership of Director Easterly, making it a... Everyone wants to be cool in cyber now.

Bob Costello, Chief Information Officer, CISA:

Well, I think that we've shown a different approach to federal recruiting. I think the other thing, too, is I don't expect people to be feds for their whole career. Come in, do a couple years, leave. Maybe you come back, maybe you don't. Maybe you learn something different. I think that we haven't touched on, we have a huge diversity problem in IT and cyber. We have an absolutely huge... Yet, you know, someone who didn't walk to get their degree until they were 40. Oh jeez, Boston accent came out there.

David Simpson, RADM (ret.) USN, Virginia Tech, Pamplin Business College Professor in Leadership and Cybersecurity (moderator):

It came out there really hard.

Bob Costello, Chief Information Officer, CISA:

Really hard, and doesn't have a degree in IT or mathematics or stuff like that. You need to be looking at the whole scope of people. I think in my organization, CIO's office is not successful without strong contracts teams, finance teams. I have two leads there, Taria Breckenridge and Raina Friday, that run that outstanding, and that kind of, you need all these things in an office to run effectively. So I think on my front we do have the Cyber Talent Management System that we are utilizing quite heavily. It allows us to bring in people that maybe just have an interest in cyber or IT, you know, without any training, without any background, which I think are very important.

Bob Costello, Chief Information Officer, CISA:

Of course, as a veteran, very interested in recruiting veterans and giving people opportunity. You know, I was definitely one of the people, having been supporting law enforcement for a long period of time, we were always in person. We were in person for large parts of COVID as well, because you can't clear passengers from your home, you can't inspect cargo, although we do have some remote capabilities now. Yeah, I was a little bit against all this remote and telework, but you kind of have to adjust and make it work. So, you know, my team is spread. You know, we have actually people in Hawaii. You know, leadership team like Paige Collier, who runs my iCamp team, she's out in Arizona, so you have to be open to those ideas, and I think I agree, like we have a challenge in federal government on recruiting.

Bob Costello, Chief Information Officer, CISA:

It should be speedier. It shouldn't take 12 months to onboard. You should be able to start without your clearance if you want to, and sometimes that's hard, depending if you're Title V, Title VI, all these other things that we deal with. I think, in our partner community on the contractor side, one thing I'd ask: please stop being so whiny. If I don't want to meet, maybe it's just I had a bad week. I think we expect different things. I really like when they self-govern. It shouldn't be me telling you you're not performing, you don't have the technical skills on the team that you have.

David Simpson, RADM (ret.) USN, Virginia Tech, Pamplin Business College Professor in Leadership and Cybersecurity (moderator):

You want them to be able to self-assess?

Bob Costello, Chief Information Officer, CISA:

Well, self-assess and self-govern, remove people before we have to. Work with us in a partnership. There's nothing worse than getting that meeting and then saying, tell me your deepest thoughts, Bob, and your priorities. I can't help you. I'm like all of you, I'm back to back throughout the day. Help us help you, because we need you.

Bob Costello, Chief Information Officer, CISA:

We look for different things in our partner community than in our feds. Feds, and I do try really hard, there's probably many people that have worked with me for many years, it's bilateral. I actually want pushback: Bob.

Bob Costello, Chief Information Officer, CISA:

We failed because your team didn't do X. OK, how do we correct that? I needed to know that. So I think the other thing I'll just close with is, if you have any interest in being a CIO or a senior fed, you have to learn contracting. You have to learn how to do it effectively. My role would be a complete failure if I didn't have almost a morning and night sync with our chief of the contracting operation, Juan Arashia. We talk all the time because we're not successful without each other, but, to be perfectly honest, I need him far more than he needs me, and so you have to spend time building those relationships to do. I think someone else mentioned, like, we have to write better contracts. I see a lot of contracts that go out. It's like, oh wow, no one's going to be successful at this because we're not telling anyone what we want, but they know we have a lot of money, or things like that.

David Simpson, RADM (ret.) USN, Virginia Tech, Pamplin Business College Professor in Leadership and Cybersecurity (moderator):

So I think, effective contract management. Well, you helped us finish here, because it's so important. I guarantee you he does need you.

Bob Costello, Chief Information Officer, CISA:

But it's a relationship, yeah, absolutely. And I think effective contract management is vitally important.

David Simpson, RADM (ret.) USN, Virginia Tech, Pamplin Business College Professor in Leadership and Cybersecurity (moderator):

And, finishing with your previous point to that, the importance of diversity within a cyber organization: it's not just the diversity of where we came from, but it's having experiential diversity, it's having a diversity of academic experience and training experience, and you're not spotting the next new threat if you don't have a part of your team that is uniquely contributing from a diverse experience. So that's so good. Well, this has been just wonderful for me to learn from you all.