CarahCast: Podcasts on Technology in the Public Sector

Implementing Zero Trust: Government Experts Explain How to Help Satisfy Federal Mandates with Juniper Networks

Episode Summary

Chuck Brooks, President of Brooks Consulting International, Aaron Bishop, CISO Air Force & Space Force, Scott Davis, CISO and Executive Director of Cybersecurity, US DHS Customs and Border Protection, Mitch Herckis, Acting Director of the Office of the Federal CIO, Executive Office of the President, and Elizabeth Schweinsberg, Digital Service Expert at US Digital Service, will discuss how organizations can implement zero trust to satisfy federal mandates.

Episode Transcription

Corey Baumgartner 

Welcome back to CarahCast, the podcast from Carahsoft, the trusted government IT solutions provider. Subscribe to get the latest technology updates in the public sector. I'm Corey Baumgartner, your host from the Carahsoft production team. On behalf of Juniper Networks, we would like to welcome you to today's podcast focused around implementing Zero Trust: government experts explain how to help satisfy federal mandates. Chuck Brooks, President of Brooks Consulting International, Aaron Bishop, CISO at Air Force and Space Force, Scott Davis, CISO and Executive Director of Cybersecurity at US DHS Customs and Border Protection, Mitch Herckis, Acting Director of the Office of the Federal CIO and the Executive Office of the President, and Elizabeth Schweinsberg, Digital Service Expert at the US Digital Service, will discuss how organizations can implement Zero Trust to satisfy federal mandates.

 

Chuck Brooks 

Hi, everybody. I'm Chuck Brooks, I'm going to be your moderator today. This is a second in a series from Juniper federal. The first one we had people from industry leaders and industry luminaries discuss the challenges and perspectives of Zero Trust, and what it means. And now we're actually going to the second, which looks at the perspective from the federal side, we have a really distinguished panel here today of some of the top CISOs and leaders in cybersecurity in the federal side. And I'm really excited to get into this. So rather than take any more time, I am going to ask each of our guests to give a little quick background about them. I'll go in alphabetical order. First, we have Aaron Bishop, who is the Chief Information Security Officer for the Air Force, and for Space Force, and he will be telling you a little bit about his background in profile.

 

Aaron Bishop 

Thanks, Chuck. As Chuck said, I'm the Department of the Air Force's Chief Information Security Officer, with purview over both US Air Force and US Space Force. Prior to that, I owned my own cybersecurity research company. And prior to that I was the CISO at SAIC. Prior to that, I was the general manager for the National Security Group at Microsoft, and then even further industry and experience prior to that, so as you can see, most of my work is in the public sector arena, and ranges from both government and industry. So thank you, Chuck. Thanks, Sara.

 

Chuck Brooks 

And next, we have Scott Davis. And Scott is both CFO and Executive Director for cybersecurity directorate, Office of Information and Technology, US Customs and Border Protection. And Scott, you want to tell us a little bit about your background.

 

Scott Davis 

Thanks, Chuck. Yeah, so since Aaron talked about being with the Air Force, Space Force, I'll start my career. When I started with the Air Force, I was fortunate enough to have a 20 plus year career in the Air Force, all of it with IT. I retired in 2008, spent a couple of years as a contracting partner for actually DHS, which I'm now working in, became a federal civilian back in 2010. And I actually worked for what's now the Cybersecurity and Infrastructure Security Agency. Back when I worked for them, they were the National Protection and Programs Directorate, good, both of which were a mouthful, all of it doing cybersecurity stuff. Then I went to the Department of Navy for about nine months and worked for the Department of Labor for a couple of years as the deputy CISO, came over to CBP a couple of years ago, and was formally announced as a CISO on September 11 of this year.

 

Chuck Brooks 

Great. Thank you. Next, we have Mitch Herckis, who's acting director of the civilian security branch within the Office of the Federal Chief Information Officer, which is really OMB, right, and he's one of the leading people involved in implementation of cybersecurity policy in the government. Can you give us a little bit of background, Mitch?

 

Mitch Herckis 

Yeah, absolutely. Thanks, Chuck. So I have been within the Office of the Federal CIO for a year now, serving currently as director for federal cybersecurity. But I came up working with state and local governments on cybersecurity, first from nonprofit organizations, but also for the private sector, as well as having worked for the city of New York within their New York City Cyber Command, which was set up by the mayor by Executive Order there, and was able to help that team build out that organization, excited to kind of have the opportunity here to discuss how we are applying some of the Zero Trust work across the federal government here.

 

Chuck Brooks 

Thank you. Thank you. And Elizabeth Schweinsberg, who's with the US Digital Service, which is an interesting agency, because one of the newer ones creating government and then Elizabeth, do you want to tell a little bit about your background?

 

Elizabeth Schweinsberg 

Yeah, the US Digital Service. We just had our eighth birthday in August, and so I work there. My official title is digital services expert. But my training and prior background is in security engineering. I started in digital forensics for the government, moved into corporate digital forensics and incident response, where I learned a lot about how enterprise networks really get put together, moved further into adding threat detection underneath X. It's all one big happy family, and started with the Digital Service about two years ago. I have been detailed to the Centers for Medicare and Medicaid Services for my entire time. And about a year ago, I started leading their Zero Trust workgroup put together in response to the Executive Order. And then we ran CMS's response to the federal Zero Trust security strategy. I also get to work with Mitch and Mitch's office in my role as a USDS member on helping shape some of these policies.

 

Chuck Brooks 

Fantastic. Thank you all for your service. And let's dive right into it. First question for all is how has the Zero Trust mandate impacted federal government agencies' security so far? And what will be the impact for future cybersecurity? I know it's a broad question. But since it's a new initiative, it allows you some time to interpret what it has done so far, and where it's going to be going. I'd love to get your insights on that. And I think I'll start out with Scott first on this.

 

Scott Davis 

Thanks for that. One thing that the memo did was formalize it. So the term Zero Trust has been around for quite a while, over a decade. But it really formalized it for the federal space and gave us goals and timelines to go for meeting it by FY 24. So it put parameters around it, guidelines, mile markers, if you will. Working with CISA, I mentioned them earlier, the Cybersecurity and Infrastructure Security Agency, they came out with their Zero Trust architecture, their framework. DoD has their own; they're very, very similar, but a little bit different. But we have the different pillars. And then through the memo, we have, like I said, those mile markers to go with. So it gave us areas of focus, for example, the identity pillar, making sure that the right people have access to the right information at the right time; the data, making sure that the data tagging in granular level of who should have access to that data, where it should be classified, create encryption, all kinds of different things as far as that goes; and then the network, like micro segmentation. So there's a lot of different, there's other pillars as well. But I know we've got a little bit of time. We've just got now roadmap going and one of the things that we've done within CBP was a gap analysis to find out where we are because we were leaning forward in a lot of different areas before it was formalized by the OMB memo. For example, the identity and the network micro segmentation, we already had efforts going towards those. Now we did a gap analysis to see what would it take us to get to check those marks along to the FY 2014 Global. So those are the activities that we've been doing at CBP.

 

Chuck Brooks 

It's really great that you did a gap analysis. I think that's really a starting point, should be not just for government, but for anyone involved in business, because there's so many threats out there, and to know what you have connected to you and what data you need to protect, this is really an important endeavor. Thank you. Aaron, your perspectives?

 

Aaron Bishop 

So I agree with Scott completely. I think it's a little different for me and my role in the DAF because of scale. I now have to deal with not only how to these organizations that we have 137 bases around the world? And how do we focus on where do we draw the lines for segmentation on the network? Where do we draw the lines for ICAM? Is it One Ring to rule them all kind of thing? Or do we need to start breaking this down a little bit more? So the analysis goes beyond just are we going to do Zero Trust? But how do we do it at this kind of scale? So that really kind of weighs in heavily on our analysis, and when we were doing our gap analysis, then we also have to look at the operational paradigms, things like do I sit at home? And you know, sort of aircraft from that perspective, or communicate with satellites from that perspective? Or do I get into a war footing where I'm doing expeditionary communication? And now I've got to figure out how do I do this on portable technology, or I gotta stand up new creation of capability in a place we weren't previously there. And all of a sudden, the complexity goes exponential for us.

 

Chuck Brooks 

That makes sense. I've dug a little bit with satellite security. And that alone, I think, is an area where Zero Trust is critically important, at least some elements of it. And I know that's been one of the areas it's somewhat neglected in the past because it's mostly industry that's been launching a lot of this but now you have responsibility for the for this and that's a we'll get to that later in the discussion. Oh, Elizabeth, do you want to weigh in too?

 

Elizabeth Schweinsberg 

Sure. I'm going to echo some of the same thing. So throughout M-22-09, the federal Zero Trust strategy memo, there's a large emphasis on identity and increasing the trustworthiness of the people logging into government systems through your structural password changes. Nobody likes changing their passwords, we should stop making us do it. Improved use of MFA, making it more phishing resistant. And generally knowing more about the people and devices that are accessing our systems to the extent that we can, that is going to go a long way to reducing the number of unwanted people on our systems, whether it's internal to a government agency, or the services we provide the US public.

 

Chuck Brooks 

Great, thank you, Mitch, I know you're in the same area. But you're I know; your role has been a lot of this been promoting throughout the agencies and also publicly the importance of the Zero Trust initiatives.

 

Mitch Herckis 

Ya know, this is great conversation and like to plan that gap analysis thread, you know, we found, every agency had to submit an implementation plan to the Office of Management and Budget, to the OCIO. And, you know, there were about 20 critical implementations that every agency would have to do over a two-year period under M-22-09, the Federal Zero Trust strategy. And the intention there is for agencies to build a baseline. What we saw off the bat is, you know, a lot of agencies, as was alluded to here, have made significant progress in a lot of different areas already. And this is really kind of able to show, you know, where have they not been able to meet those touch points, and how are they going to drive forward, and we got some really great things forward, and agencies are really driving forward. We've been in consistent contact with agencies about their effort. Elizabeth has been one of our allies, ensuring this happens. We have a subject matter expert group, we've had deep dives with every CFO Act agency, and we've been working with a lot of the non-CFO Act agencies as well on their plan. You know, we've seen serious strategic planning moves well beyond just the building additional walls, and all those sorts of things, and really serious thoughts around things like identity, things like how to limit lateral movement or isolating individual environments. So that's been brought up here. You know, there's been a lot of really good conversations, and those are ongoing, and we're launching those into the future as well. We're not just stopping with a one off. So really excited to see what agencies are doing and, you know, reflected some of this conversation here today.

 

Chuck Brooks 

That's really encouraging to hear what you just said, because it appears that there is a lot of activity and involvement upfront from these agencies. And they're taking this very seriously. And as most of us know, government doesn't necessarily move slow. And it's not always the most agile thing. But it appears to be with this initiative. In Zero Trust, there is a lot of activity being taken place and sort of inward looking at each agency by CISOs. Aaron, you were you were starting to talk about some of the challenges. What are you know, what are the most common strategic and technical challenges that you're facing with your agencies? I guess you could separate Space Force from Air Force, what are you seeing? And what do you think needs to be happened to overcome some of these challenges, technical, maybe roadblocks?

 

Aaron Bishop 

All strategically first, I think there's a couple of different layers that we're struggling with. And by struggling, I don't mean like there's a showstopper, but, you know, challenges that are unique to our size, scale and mission. We have to plug in with DoD, we have to be able to support a COCOM, and it's not Air Force centric, it's not Space Force centric, it's not DAF centric, it's, you know, we're part of a greater fight. And so being able to have that interoperability between Army, Navy, the fourth estate, etc., is a key aspect of this. So as we build out our stack and our Zero Trust models, we have to make sure we're in alignment with them, as well as interoperability. So strategically, that's huge. Strategically, there's also an issue about, we don't have one network, we have a lot of networks that we have to manage and be able to move data freely between them for mission purposes in aggregating different datasets in order to get a full picture of what we are tasked to do. And that causes a whole new level of complication. You know, when we talked about data tagging, we're talking about SD-WANs that are separated, you know, so it makes it very complex. On the tactical, on the technical side, ICAM is a beast, from a DoD perspective, when you have millions and millions and millions of identity objects just for people. I'm not even talking about endpoints, not even talking about, you know, all the other things that are on the network. We're only talking about millions of people. It is a hard thing to do, you know, for again, that One Ring to rule them all kind of mentality. So that interoperability with DISA, DoD, other services is a key piece, but keep in mind we have mobility.
So I may have the Lieutenant Colonel who's now assigned to a joint billet and I need to get him out of my world and into the joint world or over to Navy's world or to a COCOM and still be able to reach back and have access to the things he's responsible for, but still be able to see what is in front of him and his, you know, joint duty assignment. So as you can see, from a strategic to a technical on both ends, there are lots of challenges to get this right.

 

Chuck Brooks 

It makes sense, given the size and complexity of DoD and all these integrated activities with other services really makes it a challenge. Thank you, Scott, what are your thoughts on this from a DHS perspective?

 

Scott Davis 

So, for good or bad, so CBP is within DHS, so we are following DHS's lead. So we're one of the components within it. So there are some challenges with that, because we can't really go our own way. There are some things that we can do on our own. But we are beholden to DHS headquarters and their guidance and their policy as well. Not that that's a technical challenge. But the two that I would add on to that is, one is the operational technology. So we think about, you know, the computers, the laptops, the mobile phones, and things like that. But there's a whole other world of operational technology that we have to consider. That's one of the things that, and we haven't bitten into that apple yet. I think we've gotten some touch points into it. But within CBP, you've got a bunch of folks that are walking around, they've got walkie talkies, they've got other handheld devices, there's sensors, there's all kinds of cameras, all that operational technology, because five years ago may not have been on a network. Now we've got to make sure that we've got visibility into it, for asset management, for vulnerability management, all these different pieces. So that's one of the technical challenges to truly get to Zero Trust that we'll be facing. And I'm sure there's others that will be as well. And then the other one that's going to be very challenging, not technical, but it's the cultural aspect, culture within the IT community. And then in the user community, we have to teach our own IT people, here's the new paradigm. Lots of folks don't even know what the buzzword of Zero Trust means. So it's explaining that to our own IT people and then making sure that, because we're going to break a few eggs, it's not going to be the proverbial easy button of what most people think, especially at home, when they can do things really, really easy. It's harder to do it at work.
We have to make sure that there's an education piece and walking them through what Zero Trust means in their day-to-day work lives. That's going to be another challenge.

 

Chuck Brooks 

Yeah, I like the point you brought up, OT versus IT. I think CISOs now recognize that yesterday there are actually different processes and in capabilities required for both dealing with just another challenge for everything. But thank you for that perspective from DHS and CBP, it's really interesting. It's what I'm fighting to is for this is a question for all of you later on, is it out of the budgets enough to do all this, it sounds like it's quite a challenge. Just to begin with, with all these different directives you have to follow. I'll start with Elizabeth and go to Mitch on this too. Since I know OMB is coordinating a lot of this.

 

Elizabeth Schweinsberg 

Is any security budget ever really enough? Like there's always more that we can be doing. It's a little bit awkward here because the timing of the memo was a little out of sync with the budget cycle. So we are having to spend a little bit more time trying to come up with low effort, high return activities that can increase our Zero Trust maturity, ideally, with the tools that we already have. Because there's a lot of tools and agencies that just, you know, you need to configure a little differently to really look into it. And then also, we need to be showing that our changes are worth it. So going from a visible two factor authentication, your SMS email, authenticator, app-based ones to a phishing resistant MFA requires architectural changes, and probably an actual token, you have to give out to everybody. So are we collecting the right information upfront that we can show the metrics that show how we are actually reducing phishing, not just from a like, yes, this reduces phishing, and will save us to like, no, look at these phishing attempts that were thwarted because maybe they gave away their password, but they couldn't give away the second factor, and thus, no compromise actually happened. So. Mitch?

 

Mitch Herckis 

Yeah, no, I and I would appreciate Elizabeth, kind of mentioning the budget item as upfront there. You know, we are in budget season here at the Office of Management and Budget. So I'll probably refrain a little bit from talking about that in detail. But, you know, I will say, you know, we are trying to build the mechanisms because we understand, you know, going back to that kind of technical challenges point, this is underlying issue of legacy systems that have kind of held back, you know, not just cybersecurity but, you know, productivity generally, for far too long. It's just been ignored at some agencies and or just hasn't had the budget to fix those things in the past. And that's why we set up the Technology Modernization Fund to kind of provide that vital tool to kind of identify those systemic issues that might be holding back an agency. And that's, you know, not just an issue when it comes to operations, it's an issue when it comes to cybersecurity. You can only bolt on so much, right? You have to kind of occasionally build that underlying foundation that allows you to do the right thing, to modernize, to build a modern approach to cybersecurity. We're talking about a fundamental shift in how agencies approach strategically security and, you know, that's an extraordinary challenge from the get-go. But if you don't have the flexibility and systems or the modern implementations in place, it becomes that much harder. So, so it's something we're very aware of at the Office of Management and Budget level, and the Federal CIO level and the Executive Office of the President level. And we're thinking of how do we ensure that agencies are getting the right things to, to move off of those systems and move off of those technical challenges wherever possible?

 

Chuck Brooks 

Yeah, that's not an easy task. It's a lot to do. That's great. Thanks for that overview. I want to move to the next question. Which is really an interesting question. Because you've seen a lot of investment, I think, a huge amount of investment and government go to, to actually moving from on prem to cloud to hybrid cloud. And this brings a whole new set of challenges. And so the question is, how do you take a Zero Trust approach to secure a cloud or hybrid cloud environment when you may not have control of all the data? Or you may be sharing some of that with other clouds? And it may be a little bit different in government? But I'd love to get your perspectives on that. And I think we'll start again with Aaron on this.

 

Aaron Bishop 

Wow, that's a fascinating topic. That's probably as deep as it is wide. My opinion, Zero Trust is, you know, going to the culture point that was made earlier is, you know, what is it that we're talking about? Right? So, you know, like in the DoD, DoD architecture has seven pillars, you know, and we focus on the user and ICAM, we focus on endpoint, we focus on network segmentation, and SD-WAN. And, you know, there's these different pillars, the key ones in there, of course, are the application, how does it manage those attributes and be able to provide the level of security we want and the access we want, but the data tagging, more importantly, what type of data, who has access and rights to that data, etc. So there's a lot of work has to be done in that space. But what I would argue is Zero Trust is not a thing, Zero Trust isn't a label or certification for a product. Zero Trust is a mentality, it's an approach on how you do security baked in from end to end, it just happens to collect it all under seven pillars, or seven buckets, you know, from that perspective. And if you think of it that way, and you look at cloud from a, what is the thing I'm providing from a cloud perspective, then you can start to see which filters apply and how we want to account for that in the cloud architecture, whether it's, you know, a separate instance, in gov cloud, or a hybrid model, you know, on partially on prem or, you know, any of those combinations. And I think the biggest challenge that we have is working with the existing cloud deployments, to see how they back port to this Zero Trust modality rather than new who can follow this prescription and be much more aligned to our Zero Trust objectives. So I think that's the real issue. Are those services that have already deployed? Do they meet these mandates?
Do they meet the objectives and under these pillars, and I would argue that those that don't are going to have the hardest time trying to convert in manipulate to alignment with Zero Trust? I think that's our biggest challenge.

 

Chuck Brooks 

Right? Go back to Mitch on this too, because this is something that you've probably have to deal with. Since it's one of the bigger trends in government, what are your perspectives? And with it with each of these agencies have different challenges? 

 

Mitch Herckis 

Yeah, and, you know, the Zero Trust strategy was set up in a way that's supposed to be compatible, whether it's on prem, hybrid cloud, whatever the case may be. You know, it was set up to build these baselines across, whatever, whatever, right? As everybody here knows, like, ensuring policies are consistently implemented gets harder than increasing complexity that you have in place. So when you move to something like hybrid, you're going to need different skill sets for cloud, on prem, bring those together, ensuring you have all the right people who have all the right skill sets and also like just making sure you're that much better, right? As complexity gets harder. So I would say, you know, if you kind of to move towards, like, how do you take an approach, there's a lot of different ways to go. What we tried to do is kind of build in some elements that worked with everything. But there's a reason we spent the lion's share of our time on identity for a reason. It's kind of first among equals, right? And it's really that way, because it's extraordinarily hard to do. And it becomes, exceedingly, you know, extremely hard to do unless you are really building a modern, robust, centralized identity solution. And that has to be the first step, whether it's any of those, but particularly when you're building a hybrid cloud solution. That would be kind of my answer to that, I guess. It's a complex question. But.

 

Chuck Brooks 

Yeah, not say it's a good answer to it's good. Scott, do you have anything to add to that?

 

Scott Davis 

Sure. So I think, like Mitch was saying, you know, that, that whether it's on prem, hybrid or in cloud, we have to secure it all. So it doesn't really matter. It's part of our jobs as CISOs or security professionals to make sure that it's secure either way. Obviously, there's, there's a whole separate, separate but distinct cloud set of controls. But within CBP, we work with different cloud service providers. We also have cloud service providers for, for example, identity solutions, and other solutions that are leveraged via cloud. Part of that is the FedRAMP program, making sure, so they've got their own program that they're working through. And of course, you have to get a certification. And then there's an ongoing assessment with third party assessment organizations and making sure that within the team that I work with that we're going through and making sure whether it's physical and in our on prem, we have to do the same thing, we have to make sure that things are configured correctly, that people are doing the right things. Zero Trust means Zero Trust, doesn't matter if it's on prem or if it's in the cloud, whether it's an employee of CBP, or an employee of one of the cloud service providers. It's all of those continual checks. And that's one of the things with identity that we'll be moving forward is not just MFA, multi-factor authentication, but it's continual. So I'm not just plugging in my PIV card or my CAC, once logging in, and I'm done, it's continual throughout the day. And that goes whether you're a standard user or privileged user, there's differences in those as well. And we're putting things in place to make sure that at all levels, we're checking and checking continually.

 

Chuck Brooks 

Right, very comprehensive, which is very good to see. It seems like all the elements have been worked out. Great, Elizabeth, anything to add on this too.

 

Elizabeth Schweinsberg 

I concur with my learned colleagues; it all starts with identity and works its way down. But it does give us agencies the chance to, as we are upgrading, say, going from an on prem Active Directory to Azure AD, or a similar process with a different identity provider, to evaluate tools and find ones that really support the components of Zero Trust, like the ability to grant least privileged access, to start making other components of Zero Trust for implementation easier. And we're talking a lot about on prem, traditional, well, server technology to the cloud, which is a pretty small job. But I also have another, working at Centers for Medicare, technical challenge around mainframes, like what does Zero Trust even mean for mainframes? There's like at least half a dozen agencies that had the same problem, let alone, you know, banking, insurance, airlines. Only the vendors are talking about Zero Trust for mainframes and we really need more agnostic sources for this information. That is an area that I look forward to digging into more over time.

 

Chuck Brooks 

That's a good transition to our next question. Obviously, there's an issue with legacy systems, which are challenging themselves. What about the new technologies coming along, too? You have adversaries out there that have access to machine learning, artificial intelligence, 5G capabilities, and eventually quantum. And so, you know, what do we do in terms of looking at a Zero Trust paradigm? You know, what do we need to do to fill those gaps to protect against these sorts of technological breakthroughs that could certainly imbalance our security capabilities? If they're, you know, the thing about technology is a double-edged sword, it can be used for good or for bad, but obviously, some of these, these gangs are very sophisticated, including using deep fakes and artificial intelligence already for phishing attacks. So I'll go to Aaron on this again. What are your thoughts on these emerging technologies and their impact? And do we need to fill gaps on the next iteration of Zero Trust to deal with those threats?

 

Aaron Bishop 

So passionate area of mine, so as you will know, and so, one of the challenges that I'm seeing is, as we tried to see the value of ML/AI, remote process automations through the network, etc. I have a famous quote that I like to say is, just like the original Jurassic Park movie, the Jeff Goldblum character said, you're so busy trying to see if you could do it, you never asked the question, should you do it? Right? So I asked the question, like, to my teams who are putting RPAs on the network, hey, we're automating these things, and we're letting it loose, and it's doing great, you know, scaling functions. Awesome. I said, so did you coordinate that with our SOC to make sure that they understand that unauthenticated process is not a bot that's running around on the network? And then they sat there and went, hmm, I didn't think about that. I'm like, that's our challenge with new emerging technologies. They're too busy trying to get it onto the network or getting it into production so that we can see the value of it, no one's bothered to understand what the impact is. Zero Trust will help us from a perspective of I can do SD-WAN, I can do micro segmentation, I can put it in a protected environment. And then we can start to understand that better, while they're busy seeing the value come to realization, rather than put it out on my big network, and, you know, take me down because they didn't realize what they were doing. So I see value in those technologies, both from an offensive and defensive perspective. But we have to also think in terms of how do we protect ourselves from ourselves. And in doing so we protect ourselves from our enemies who try to leverage it as well. Over.

 

Chuck Brooks 

Excellent, excellent. Scott, I mean, same question. Also, I think the Internet of Things is another thing that you have to consider, with all the devices that a lot of particular agents and individuals may have in your agency. You know, what are your thoughts on what needs to be augmented with Zero Trust in dealing with those emerging technologies?

 

Scott Davis 

Yeah, there's so much brought up. The Technology Modernization Fund: CBP has been fortunate enough to receive some of that TMF funding. It has been huge for us to get legacy advanced to the point where we can do some things with Zero Trust. We will, I'm sure, be continuing to submit 14 funding because there's a lot of legacy that we have to modernize, whether it's an application, or, I mentioned, operational technology, things that have to be modernized before we can actually work Zero Trust for them. And then Elizabeth mentioned mainframes. You know, I think there's probably going to be caffeine as a service. Now there's mainframe as a service. And so those are some of the things that we're working within CBP. But everything is going as a service. And those are some of the things that within CBP, and I'm sure lots of federal agencies are leveraging, is those new technologies to be able to get out of the legacy portions. I also wanted to mention, with what Aaron was talking about, the different things that are AI/ML, artificial intelligence, machine learning. So I thought that we are fortunate enough within the cyber team that I've been able to build out a cyber threat intelligence and a cyber threat hunt team. And so those are things that we can use to be proactive. So to synthesize what we're seeing from the advanced persistent threat, the bad actors that are out there using things, I'll use another acronym, KEV, known exploited vulnerabilities. So our team is able to see those things and integrate with blocks and indicators of compromise to scan our network to make sure that we're protected. And then we've got that cyber threat hunt team that's more proactive to deep dive across our IT enterprise to find the things that are a little more deeply rooted and a little more technically able to be exploited, but not easily found.
And so those are some of the things that we're doing that and of course, going on in the dark web and looking for things that are being spoken about keyword searches and things like that, all of that is going to feed into that overall Zero Trust enterprise. It's not necessarily in a pillar, but those are capabilities that we're leveraging now that we want to continue to expand on to make sure that once we have the architecture in place, we've got something behind it, that we can actually leverage it.

 

Chuck Brooks 

That's good. It's a great forward-looking perspective, and doing it in the right order. It's encouraging to hear. Mitch, your thoughts on this?

 

Mitch Herckis 

Yeah, it's, you know, constant change is just part of the cybersecurity fun that we all manage day in, day out. You know, threat landscape changes, emerging technologies occur, you know, and we have to stay on top of that, whether at all levels, right? Quantum computing is already kind of infusing what we are thinking on security. NSM-10 came out on May 4, and that's talking about managing the transition to quantum-resistant cryptography. That won't be anything like a small task; it's going to be a huge thing that will not happen overnight. But we have to start thinking about that now. You know, the threats kind of outlined that we've talked about here, whether it be AI, you know, artificial intelligence, you know, quantum, this kind of has to deal with connectivity and computing power and things like that. And there's gonna be other things too that don't relate to those kinds of innovations. You know, security is just part of a tapestry of this larger kind of human-machine interaction that we all have day to day now in our lives. And, you know, one of my old bosses used to talk about security like chess, right? The technology is the chess board and the pieces on the chess board. But there's humans behind all of this. And as culture changes, as how people use technology changes, the threat landscape is going to change, and how people try and manipulate people into their preferences and practices being manipulated into making mistakes is going to change. And people are going to find new and creative ways to rethink and try and access what they want and variously, and we're just going to have to keep adapting to that. So yes, there is the technology, and we kind of keep looking at those policies. But we also have to be thinking about how the threat landscape and our whole community is changing. That's why culture change is so important along with it.

 

Chuck Brooks 

Yeah, that identifies the fact that Zero Trust is not a static process, that it's constantly evolving. And the challenges that we're seeing now may be even more in the future with some of these technologies. I'd be remiss if I didn't ask Aaron his thoughts on quantum technologies. I mean, there's a debate of how close they are. But as Mitch just said, you know, the quantum algorithms required to be quantum proof, or quantum resistant, are already in process. Is this something that could use serve the whole security balance, if we don't focus on being a step ahead in integrating our quantum technologies early on, rather than wait till it's too late?

 

Aaron Bishop 

From a quantum discussion perspective, we're too myopically focused on breaking algorithms. So quantum horsepower, if you will, is the threat that we all know, and we're trying to pace ourselves to be ready for it. But I argue that quantum is a bigger threat than just the breaking of encryption and cryptography. You know, for instance, let me give you an example. If today, the kill chain for a cyber-attack is someone's messing with our system to find the vulnerability and be able to use that vulnerability to gain unauthorized access. And we depend on the fact that we can watch for that activity and stop that activity before they get to the crown jewels, that kind of model. But what if the poking around and assessing vulnerabilities of a system, which normally takes time, could be done in an instant, you know, with quantum computing? Now we have no ability to stop the kill chain, and an adversary would go blip. And now they know everything about our network, and then come back a couple days later and be able to exploit it without us recognizing that that activity has happened. That's the power of what quantum could do for us. It's that kind of threat, if we think about the realities of quantum, that really scares me a little bit. And then if you kind of look at what is happening in the world, in quantum sensing and quantum networks, and start, you know, just expanding beyond just computational horsepower, I think the threat landscape is a whole lot bigger than we realize. But that's not to take the eye off the ball of our cryptography upgrades. No, no argument. But I also think, you know, cryptography is not going to be one of these, oh, it's AES-256 for the next 30 years. I think cryptography is going to become a much more fluid, almost a patching methodology to upgrade cryptography as new threats emerge in breaking these types of encryption. So I think the future is going to change quite a bit because of quantum.
So I'm curious to watch and see how it plays out.

 

Chuck Brooks 

Yeah, that's good. I think all of you in your roles really have to be forward thinking, just because the technology is coming on so fast. And it's very dangerous to underestimate our adversaries, as we did with hyperkinetic involvement with some of their capabilities. So I think in terms of cybersecurity and quantum and everything we're looking at, you know, I think one of the values of the Zero Trust initiative is, as each of you said, it causes us to look within and look without too, with what we don't have, what we need. And just from that question alone, and I skipped it earlier, but is there anything that you think, personally, that should be added or augmented to the Zero Trust mandate now, that should be looked at by agencies? And I'll start, you know, I think Mitch probably could, you know, since you're probably looking at different levels of involvement, what goes next, could probably talk about this.

 

Mitch Herckis 

I'm happy to be put on the spot here a little. You know, I think when it comes to, you know, obviously, OMB makes no mistakes. And we're done with our, oh, no. The reality is that, you know, change, this is really set up to kind of think about Zero Trust over a two-year timeframe, right. It intentionally focuses on 20 steps, and M-22-09 focuses on, you know, maybe two dozen, 20, whatever it may be, number of steps that agencies should be taking between FY 22 and FY 24. And the plan is to learn from that implementation, have opportunities to issue new policy for a new phase sometime in the future when we learn from those lessons that we've seen over the two-year process. You know, the federal Zero Trust strategy is not supposed to be a check-the-box exercise; it's supposed to be getting agencies to this baseline. And you know, of course, there's going to be gaps, and there's going to be more things to kind of address as we move forward in the future. That journey is going to continue, you know, and we're going to kind of think through the other pieces. Like, for instance, in March, we ordered agencies to implement the Secure Software Development Framework, and we released, you know, not too long ago, September, M-22-18, which is secure software development for the supply chain, and how they'll be leveraging software producers, ensuring that the software producers that they work with are utilizing sound DevSecOps. So, you know, that's at very least complementary and fundamental to Zero Trust. There's always going to be elements like that, that we're going to need to continue forward on.

 

Chuck Brooks 

That makes sense. I mean, one thing you just brought up, which I neglected to talk about earlier, is really the supply chain. And a lot of this activity we're facing right now came through, basically, you know, breaches in the supply chain, you know, including SolarWinds or Colonial Pipeline. All those have implications with vendors, particularly looking at working with the federal government or with critical infrastructure. So your thoughts, and this is not scripted or anything, but how important is securing the supply chain? And is there anything else that needs to be done outside the Zero Trust mandate for doing that? Obviously, knowing where your device is connected and people connected are important, but other elements too. And I'll go back to Scott on that.

 

Scott Davis 

If we didn't learn anything from the last couple of Decembers, whether it's with SolarWinds or Log4j. So supply chain is very, very critical. So making sure that we have an understanding of that is going to be very, very necessary. Within DHS, there's an effort to do some certifications or some understanding of our supply chain. Of course, the further back you peel the onion, the more information you get. But it is also a challenge to do that. One thing that I do want to add on what Mitch was saying, first off, my cup runneth over with the Zero Trust. Getting to FY 24, it's going to be a challenge. One of the things that I've been talking to the team about is, we will make sure that we check the box as far as the goals to get to Zero Trust; it's whether or not we're checking it with a pencil or with a Sharpie. We're already leaning forward in a lot of those different areas. But it's not going to be FY 24, cool, we're done. This is going to go well beyond FY 24. It's going to evolve. As the group has said, technology is going to evolve, the threat's going to evolve, including supply chain. We'll have to be continually and ever more vigilant. And the discussion of funding, and do we have enough budget. Like Elizabeth said, you can never have enough budget, but we also don't want to gold plate cybersecurity, where it just becomes back the dump truck full of cash up, it's all going into cyber. We need to be able to demonstrate that we're actually buying down risk, and proving that what we're doing is effective. And so those things, it shouldn't just be a blank check, as much as I'd love one for cyber. It should be put in the right areas and focused and prioritized, and supply chain is definitely one of those areas that we need to be focusing on. I'll go back to operational technology.
That's probably one of our areas that we need additional assistance, guidance, things of that nature, so that we can consider and then start defending against attacks on the operational technology side as well.

 

Chuck Brooks 

Yeah, great points. Great points. Did you want to say anything, Aaron, on this?

 

Aaron Bishop 

It's a difficult problem. When the DoD has over 300,000 vendors and suppliers that we have to kind of figure out what we want to do as far as supply chain risk management goes. What I'll say is, obviously, bill of materials is a key aspect, not only the software side, but the hardware side as well. From there, we'll leave it to our partners in the SCRM world to look at the other aspects like, you know, foreign influence and other types of issues. But just having the inventory is key, because now we can react better when there's an incident response, we have a better understanding of the vulnerabilities we've inherited. We have put better management plans in place. I mean, look at it from a technical debt perspective, I don't think there's a federal agency that can raise their hand and say they're 100% modern, right. So there's technical debt that needs to be managed. So that kind of gets to our point today about Zero Trust: we need to ID the need in this new paradigm of Zero Trust. But we've got to align it with the programs that own these capabilities. Are they planning their upgrades? Where are they in that process? Because I don't need to duplicate money there. Let them continue their effort in understanding where that is, and then find those gaps that no one's planning for that will be our Achilles heel that we need to go and figure out. Now we have the list of gaps. Which one's the highest priority, either through mission needs, technical risk, supply chain risk, whatever that might be, in order to start buying down. And just like Scott said, you can't do it all, you can't fund it all. But you certainly can start to understand it better so that you can make better decisions.

 

Chuck Brooks 

That makes a lot of great sense. So actually, this was another question that came to mind. I mean, the ones you're talking about, both of you, Scott and Aaron, when you talked about your specific agencies, the lessons learned, what you're doing, what's working, what's not, what your challenges are. You know, one of the things that government has always been lacking is a coordination and interagency talking about, you know, this kind of thing, usually in the intelligence world, particularly. But now with this new mandate, it seems to me, and this is probably a question for both Mitch and Elizabeth, because it's really a communications question: how is OMB, you know, taking all these lessons learned and, you know, monitoring these agencies, bringing it together, looking where there can be improvements, or where there are gaps? And that's a huge endeavor, obviously, but is it something that you're looking at right now, both Mitch and Elizabeth?

 

Mitch Herckis 

I can kick this one off. So yes, short answer. Yes, certainly, we are kind of doing this a bunch of different ways. As I mentioned, we didn't just do one deep dive with agencies, we continued the conversation within our office. Every single agency has a desk officer who's continuing to work with them. We've also done our continued work; we receive quarterly metrics from every single agency. And we utilize those to see how things are going around Zero Trust strategy as a starting point for the conversation. So we can ask questions and come from a common standpoint of where things are on specific efforts across the federal government. In addition to that, you know, we want to ensure that when agencies are driving forward and having successes, we're able to facilitate that and power that forward and share that, frankly. So we've set up some communities of practice. We started with one around multi-factor authentication, phishing-resistant multi-factor authentication, specifically, around FIDO2 and some of the other means, WebAuthn, and so on, to really provide token-based or other, you know, biometric-based, whatever it may be, for a, you know, multi-factor approach that goes beyond just using kids and PKI. And really driving new successes and innovations at multiple different agencies. Those agencies are initiating pilots, we brought in lots of experts to support those pilots, and for them to share ideas and challenges and successes. And it's going really well. We intend to kind of utilize that model multiple times over. It's exciting. It's great to see those successes, and we hope other agencies are going to be able to learn from them as well. Right?

 

Elizabeth Schweinsberg 

Yeah, being part of the community of practice for FIDO, as an organization that wants to expand our FIDO, is really useful to help learn from some of the things that our partners have done, and then expanding on that. So Oregon Centers for Medicare, we are an operational division within HHS. HHS provides some of our IT services, as they do for our peers, like Centers for Disease Control, National Institutes of Health. So there's a new working group for HHS folks, also, to make sure that we can share what we've learned about our different Zero Trust journeys.

 

Chuck Brooks 

Very informative. Actually, we're getting near the end, but I wanted to, you know, what I'm hearing a lot, particularly from government, is, you know, because of Zero Trust, because of all these recent incursions and attacks, and because of threat levels going on, and also with, you're looking at the Russia-Ukraine conflict and lessons learned there too, it seems that the CISO role has been elevated in government. I don't know if it's just my perspective of being biased. But you know, it had always been, you know, the CIO running IT and looking at all the issues. But it seems that the CISO role now is getting recognition. And particularly I think Zero Trust is enabling this. Is that your perspective too, or am I off base on this? I'll start with Scott nodding. So Scott will be first.

 

Scott Davis 

I've been very fortunate. So I've been with CBP for just over two years now and was first the deputy and now the CISO, and the entire time, security, cybersecurity, has been in the forefront, not just of the CIO, but leadership from the commissioner on down. Every time I've been briefing, I'm getting support, agreement, concurrence, requests for more information. It's been very encouraging that across the organization, not just from the very senior leadership, but my boss, the CIO, his peers. People see, and I think some of it is because of the prevalence from the private sector. People in their private lives are seeing there's risk to their personal information. And they're bringing that into their work saying, hey, you know what, if I'm at risk here, I'm maybe at risk at work. And if you think about it, even five years ago, not everybody had a smartphone. Now most people have, potentially, two: one personal and one work. And so they're seeing the mirror of it. And that's helping us with the education piece, the awareness piece, which is going to be critical, like I said earlier about Zero Trust. So I think that the CISO role has definitely been elevated in prominence, importance, key leadership and contribution to decisions, budgeting and programmatic. It's been very, very encouraging.

 

Chuck Brooks 

That is really great to hear, because I think it really, you know, talking about filling gaps and voids in government, and I think that was one of the biggest ones, because it was usually just done with request for budget and running the IT backbone, but not so much on the threats. And I think the CISOs call attention to that. Aaron, your thoughts on that too, being a CISO of two agencies.

 

Aaron Bishop 

So what I'll say is, you know, obviously, from Clinger-Cohen and FISMA, the construct has been built that the CISOs function under the CIO. But I think, you know, as Scott eloquently put, all the leadership is focused on what does this really mean for me from, you know, an information security perspective, a threat perspective. Can I do my mission, which is highly connected today, if I get attacked or in a contested environment? Or, you know, from that perspective, in the DoD, it's even more critical because we're being attacked, and we are in conflict online. And, you know, they're like, can we continue doing our mission, if called upon? So I get called into the secretary's office, and our secretary happens to be quite focused on cyber, which is a great thing for me, which is unique in the sense that my CEO works with me and supports me, my secretary, you know, supports me. So I would argue that it's interesting to see, will Congress and the White House and the administration look at elevating the CISO to a more equivalent role at the senior leader perspective, like you see the trend in industry of CISOs reporting to CEOs and boards? Or is it going to remain in the construct? I don't know the answer to that. But what I am seeing is, barring that change, statutorily, CISOs are getting much more prominence in discussions about, you know, what is their impact and influence across the government domain.

 

Chuck Brooks 

Good. And that's a good trend. We're nearing the end of the hour. And we've been fortunate to have a really, really great panel. This has really been informative for me, but I'm sure for the audience, and in big ways, too. So I just wanted to personally thank all of you for being here, the panelists. Again, it has just been great. If there's any final thoughts you want to say, feel free to jump in, it's an open thing, and we'll be signing off just in a few minutes. Any final thoughts from anybody?

 

Scott Davis 

We'll just take the opportunity to say thanks to Chuck and thanks to the panel as well, because I always learn from the people that I'm on the panels with, the points that they have in a different perspective. So I appreciate the time.

 

Chuck Brooks 

Okay, well thank you, everybody, for being with us. It was a great panel.

 

Corey Baumgartner 

Thanks for listening and thank you to our guests Chuck Brooks, Aaron Bishop, Scott Davis, Mitch Herckis, and Elizabeth Schweinsberg. Don't forget to like, comment, and subscribe to CarahCast, and be sure to listen to our other discussions. If you'd like more information on how Juniper Networks can assist your organization, please visit www.carahsoft.com or email us at JuniperMarketing@carahsoft.com. Thanks again for listening and have a great day.