In mid-November 2016, the Federal CISO (Chief Information Security Officer), Gen. Gregory Touhill, highlighted in a blog post five key areas of primary interest to him. They are: harden the workforce; treat information as an asset; do the right things the right way; continuously innovate and invest; and make informed cyber risk decisions at the right level.
Harden cybersecurity professionals as a target
The very first item on his list addressed the need to make the cybersecurity professional within the US federal sector a hardened target. Both cyber criminals and nation states probe, evaluate and assess a given target to determine how hard it is compared to an equally attractive alternative target.
Once a determination is made as to whether the target is soft or hard, an engagement plan is put in place, and the soft target oftentimes finds itself being engaged with the aim of acquiring information or assets that lead to access to sensitive information.
It is the goal of every counterintelligence professional to have those under his/her purview be sufficiently educated and resourced to be considered a hard target by a potential adversary.
Training is key
In his missive, Touhill specifically called out the Federal National Strategy on Cybersecurity, which highlights four areas of interest:
- Expand the Cybersecurity Workforce through Education and Training
- Recruit the Nation’s Best Cyber Talent for Federal Service
- Retain and Develop Highly Skilled Talent
- Identify Cybersecurity Workforce Needs
He notes the intent of his office to conduct an overhaul by “leveraging targeted education, training and exercises; improved recruiting and hiring practices; retention and development of highly skilled talent; and innovative best practices to heighten cyber risk awareness, that will help our workforce become “hard targets” that understand their roles and responsibilities and techniques that properly employ best practices to better protect the People’s information.”
A bit of a mouthful, but as the federal CISO, Touhill is correct in driving the investment in education and tactical cybersecurity exercises. While the former may serve to open the eyes of the cybersecurity professional to the very real threats they are facing and defending against, Touhill brings the concept of tactical exercises, used over the years with excellent effect by the military in their wargame exercises, to the remainder of the government. As the breach at the Office of Personnel Management has shown, sometimes the most valuable information resides outside of the defense or intelligence footprint.
Tightening up the nation
Indeed, as the federal CISO, Touhill goes one step further, and reaches beyond the federal infrastructure, to the common man. Touhill continues, “we will look for opportunities to help educate every American to be “cyber risk aware” and “hardened” against cyber threats.”
Words are important, and Touhill’s words should leave no doubt that he sees the need to extend the level of counterintelligence awareness to the citizens of the United States. As the incoming tide raises all boats, so too shall his efforts raise cybersecurity readiness on a national level.