
ICYMI: Private Sector Cyber Stakeholders Provide Feedback on CISA’s Flagship Federal Cybersecurity Programs

September 19, 2023

Call for streamlined communication, advanced technology procurement, increased collaboration between public and private partners in cyber space

WASHINGTON, D.C. — This week, the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection, led by Chairman Andrew Garbarino (R-NY), held a hearing to examine the Cybersecurity and Infrastructure Security Agency’s (CISA) Federal Civilian Executive Branch (FCEB) cybersecurity programs, specifically the National Cybersecurity Protection System (NCPS) and the Continuous Diagnostics and Mitigation Program (CDM). Brian Gumbel, President of Armis; Stephen Zakowicz, Vice President of CGI Federal; Joe Head, Chief Technology Officer at Intrusion; and Rob Sheldon, Director of Public Policy & Strategy at CrowdStrike provided witness testimony. 

Chairman Garbarino questioned Mr. Gumbel on asset management challenges for cybersecurity stakeholders like Armis:

“For a long time, agencies have been required to maintain asset inventories. The base layer of CDM was meant to help this. You can’t defend what he can’t see. But even with a requirement in FISMA and tools in CDM meant to help identify and manage assets, agencies consistently struggle to accurately and continuously maintain asset inventories. CISA even put out a binding operational directive at the beginning of this fiscal year again directing agencies to better manage their assets. What more can the CDM program do to help agencies get this right?”

Mr. Gumbel answered:

“We need to create a more transparent and collaborative technology assessment process. … [T]he procurement process within the federal government is not easy to get through, and it also excludes some of the newer technologies, the cloud-based technologies and geared towards legacy technologies. So, I think improvements there within the procurement process will absolutely help out. There’s also a lot that can be learned from the private sector. The private sector has done incredible advancements around cloud-based technologies, around end to end solutions that offer full visibility into unmanaged devices. I submitted in my written testimony a bar chart to show the explosion of unmanaged devices, those devices being the ones that you can’t see traditionally. IP cameras, HVAC systems, building management systems, and printers—those things need to be looked at when we are looking at securing the American public.”

Rep. Laurel Lee (R-FL) questioned witnesses on the advancements needed to ensure both the federal government and private stakeholders can combat the evolving cyber threats of tomorrow:

“You have given us some very useful information today about our general status at this point, that we have done a lot of work on endpoint detection, but, as the attack surface continues to grow, so do our defenses and our preparation need to evolve. I’m interested in what capabilities we need to be integrating into CADS, to improve analytics and increase visibility as you’ve been testifying about and, specifically, do we need to pay particular attention to the concept of encrypted communication? Are we capturing that now? Is there anything we need to be doing in that space?”

Mr. Gumbel answered:

“The thing that we still need to do, once you have a holistic view of an entire environment you have to look at other vectors too … Encryption is definitely of utmost importance and making sure that the encryption standards that the federal government holds across all agencies are kept up to date. We also have to make sure that you’re looking at legacy providers and technologies that have been built ten, 20 years ago, are they really up to date? Are they really current today if they’re not modern in their approach, because the adversaries going to come forth with something new, and they’re going to bypass and get past those networks that are being defended today by legacy contracts.”

Rep. Carlos Gimenez (R-FL) asked Mr. Head about the dangers of a reactive security posture amid increasing threats from cyber adversaries:

“Were you saying basically that the United States’ cybersecurity efforts are mainly and not exclusively defensive in nature?”

Mr. Head answered:

“I would say that we’re reactive defensive in that we’re not taking actions to stop it before it happens. … My comment was more on the side of: Don’t just wait until something happens, and develop a process to know about it and report it sooner—work on the technologies that will stop the attack in the first place.”