Evolving from a “list of bad guys” approach to cybersecurity to one that takes into account more sophisticated threats is a best practice that Ann Lewis, director of the General Services Administration’s Technology Transformation Services, said “doesn’t get enough air time.”
Lewis, speaking on a panel at Scoop News Group’s CyberTalks event Thursday, said “the way in which agencies make risk-based decisions has a significant impact on how cybersecurity work can be done.”
Specifically, she pointed to the tendency among agencies to approach risk and security by making and updating a list of “bad guys” and thinking that as long as the list is checked when allowing access to a system, it’s safe.
“Obviously we know this is not how threat analysis works,” Lewis said. “And to be effective in an ever-evolving landscape, especially as AI-based tools help our attackers develop more sophisticated ways of breaking in, we need to think about … how to evolve from a list of bad guys to, this is an ongoing threat landscape, it’s going to be constantly changing, and we need to invest in it at all levels.”
Lewis said it could be an opportunity for decision-makers and cyber professionals at agencies to work more closely with their legal offices on adapting guidance.
The default way of making decisions in government involves looking at the rules and what agencies can and can’t do, and turning that into a risk-based decision framework, Lewis said. But that doesn’t set agencies up for success “when we think about cybersecurity preparedness overall,” she said.
Improving cybersecurity has been a priority for the Biden administration. A 2021 executive order outlined specific steps agencies were to take to improve security, and the March 2023 release of a national cybersecurity strategy built upon the order. Earlier on Thursday, the Office of Management and Budget’s Chris DeRusha teased a follow-up to that strategy’s implementation plan.
Lewis also noted that what services agencies choose to use can impact cybersecurity.
The way funding and decision-making are distributed across government unintentionally creates silos, she said, which leads to “a lot of little one-off implementations that perhaps should be using common solutions, shared services, off-the-shelf tools.”
One example of that is authentication tools, she said. “Every single agency has hundreds and hundreds of custom authentication implementations and nobody should be writing that code in this day and age.”
Lewis pointed to Login.gov, which was developed by the GSA’s 18F and U.S. Digital Service, as an available service that already has security hardening built into it.
Implementation of Login.gov and other shared services can “significantly reduce the attack surface area because you have fewer custom one-off implementations that have a tendency to proliferate organically,” she said.