LAS VEGAS — The top White House official overseeing the digital security of the federal enterprise sent a clear message to the cybersecurity community on Wednesday: When you find solutions to cyber problems, tell the rest of the ecosystem about them so they can be quickly scaled.

“I’ll bring all the federal CISOs to the CISO Council and say, ‘We need to have a conversation about what’s working and what’s not,’” acting Federal Chief Information Security Officer Mike Duffy told a large audience of security practitioners at the Black Hat conference in Las Vegas, Nevada.

“And everyone wants to wait for someone else to tell them about the great solution that they solve so that we can learn from that person. But I’m here to tell you that all of us have a little piece of that puzzle,” he said.

Duffy spoke alongside Robert Costello, the chief information officer at the Cybersecurity and Infrastructure Security Agency, as well as Rob Knake, the former acting principal deputy national cyber director. 

“It’s that communication, that dialog, that we have that’s so important for the policy process and in the policy implementation,” Duffy said.

The panelists also discussed the importance of zero trust, a cybersecurity management method in which users on a network are never trusted and are always verified as they navigate through systems.

The U.S. needs to pivot away from checklist-style zero trust benchmarks, Duffy said. “Now is a moment where I’m very focused on the operational aspects of what that means. It isn’t enough to make a zero trust checklist, or say, where are you in maturity?” 

Instead, organizations have to show something for it, he added.

The Trump administration has worked to downsize the scope and scale of CISA’s mission and reduce what it views as an excessive burden of cybersecurity regulations. But the panel aimed to stress that policymaking still has a role to play in optimizing the cybersecurity landscape.

There is “still a core of 30 career civil servants” within the Office of the National Cyber Director, said Knake, referring to staffing reductions in the federal government and departures of political appointees. “What we’re going to see on cybersecurity is still an open question,” he added.

ONCD has been working through sweeping regulatory harmonization efforts to help streamline reporting rules for organizations when they’re hit by a cyberattack. The office is also trying to transition federal cyber jobs toward a skills-based hiring structure. Sean Cairncross was just confirmed to head the office.