In the spring of 2018, I spoke to Ryan Tappis about the NIST Cybersecurity Framework (CSF) and its adoption in the public and private sectors.
Ryan is a managing director and cybersecurity practice lead for Northramp LLC — a management consulting firm based in Reston, Va. In his 15+ year career, Ryan has provided cybersecurity advisory services to clients across the federal government and commercial sector.
He is widely recognized as a subject matter expert in all things related to (non-military) federal cybersecurity — from Federal Information Security Modernization Act (FISMA) compliance, to the DHS CDM program, to TIC and the OMB cloud first initiative. Like many top cyber pros, his resume reads like “alphabet soup,” with CISSP, CISM, PMP, CRISC, and SCCISP certifications.
Beyond his technical expertise, I often turn to Ryan for answers because he offers plain-spoken, practical advice on matters related to federal government programs and projects.
Following up on that first discussion, I recently reached out to get Ryan’s take on the current public sector cybersecurity landscape in Washington, D.C. Even if you have no public sector experience or interest, I encourage you to continue reading to learn more. What I found interesting was that the public sector challenges, pain points, and lessons learned that Ryan described are truly universal across any industry.
Before we jump in, Ryan asked that I provide these two caveats:
First, his experience is exclusively in the civilian sector of the government. He doesn’t speak on cybersecurity topics within the U.S. Department of Defense (DoD) or Intelligence Communities.
Second, the stories below are true, but the client names have been left out to protect the innocent.
Interview Between Dan Lohrmann and Ryan Tappis
Dan Lohrmann (DL) – For most people, the first challenge that comes to mind with government is red tape and bureaucracy. How does this impact cybersecurity – a field this is rapidly changing and evolving?
Ryan Tappis (RT) – Painting with a very broad stroke, in my experience, the government is a bit behind the private sector in regards to the pace of technology adoption. But I do see reason for hope as programs like 18F and the US Digital Service (USDS) are making great strides in bridging that gap. We currently support an agency that has embraced the USDS methodologies and technologies. As I’ve recruited resources from the private sector to support the project, they’ve been floored at some of the technology and processes being employed.
DL: Is your experience that the government is just too risk averse to take advantage of new technology?
RT: I’ve personally found that while the government isn’t always the first to embrace new technology, when presented with it, they’re excited about the possibilities.
Case in point: One of my first clients as a new cybersecurity engineer out of college asked us to design an air-gapped secure network. The system was intended to allow for users throughout the organization to access the agency’s most sensitive information. Because the user group was expected to constantly change, we determined that running secondary ethernet drops to cubes was too expensive – so we proposed going wireless. While I’ll probably date myself, at the time of this project, the terms ‘security’ and ‘wireless’ were considered oxymorons. It took a lot of convincing, but in the end, the government bought off on a pilot and eventually expanded the network to several floors of the building. Once they were presented with the benefits of secure wireless, they were ecstatic about the cost savings and excited to be using cutting-edge (it was at the time!) technology.
Another example is blockchain. Not exactly cutting edge, but I’m just starting to see an uptick in federal interest in blockchain-related projects.
DL: Are there any common challenges you see in both your private and public sector clients?
RT: I know it sounds cliché, but time and time again I work with clients that are searching for the silver-bullet solution to solve their cybersecurity woes. Budgets are tight, the cybersecurity talent pool is sparse, and CISOs are overwhelmed. Cybersecurity 101 tells us that cybersecurity programs should be balanced between people, process, and technology and that more often than not, breaches start via a social engineering attack. Every cybersecurity professional knows this. Yet, in both our private and public sector clients, I don’t see spending and hiring decisions that reflect this.
There’s also the idea that cybersecurity tends to be reactive versus proactive. Just as it (all too often) takes a massive breach for a private sector organization to take cybersecurity seriously, the government operates the same way.
After the OPM breach, for example, the government refocused its attention on cyber through the cybersprint initiative. Among other things, the cybersprint required agencies to remediate critical vulnerabilities within 30 days and increased the tempo for multi-factor authentication implementation – two best practices that should have been vigorously enforced prior to any large-scale breach.
DL: I’ve seen a ton of attention paid to supply chain risk management lately. Is this also hot in the government space?
RT: In the government world especially, understanding supply chain risk and third-party security posture is critical. So much of the government’s work is outsourced to private organizations; understanding where these firms are from a cyber standpoint is imperative. And yet, in my experience, third-party security doesn’t get the support and funding that it desperately needs.
One of my previous clients struggled with this exact problem. This client contracted a chunk of its crucial functions as the agency just didn’t have the expertise in-house to support the projects. Outsourcing meant that government-owned data was stored on-premise at these private entities. Despite numerous alternatives analyses and benchmark data highlighting third-party risk, my CISO could never obtain the funding necessary to stand up a third-party audit program.
A funding request for a state of the art new firewall purchase for our on-site data center? No problem! A funding request to audit the third parties storing and processing the organization’s data? No dice! Unfortunately, in my experience, this kind of thinking is prevalent.
I will say that DFARS and NIST SP 800-171 are a huge step in the right direction to solving this problem in the public sector.
DL: What are some common misconceptions you’d like to clear up about cybersecurity in the public sector?
RT: Some of the smartest people I’ve ever worked with work in the government. The idea that the government is staffed by unqualified, overpaid resources, even in the cybersecurity sector, is just not true. I’ve had numerous colleagues ‘flip’ from the private sector to work directly as a federal employee. There’s something to be said for supporting your country as a public servant.
In addition, while the government may be a bit behind technology wise, I actually think a lot of the federal guidance and frameworks that are published are fantastic. Obviously the NIST SP 800 series and the NIST CSF are well known and understood.
But ideas like re-using cloud security assessments (as described in the FedRAMP program), mandating that critical systems are identified and put through rigorous testing (as defined in the High Value Asset initiative), and ensuring enterprise-wide visibility for cyber risk (through the Continuous Diagnostics and Mitigation program) are simple, yet intelligently assembled processes that public or private organizations could really benefit from.
DL: I’d like to thank Ryan for being willing to be interviewed again on his experience with public sector cybersecurity in Washington D.C.
The YouTube video below highlights some of the main players and hot topics in the current federal government cybersecurity landscape from the Federal Executive Forum in August, 2019.
This past week has seen a major focus on the Texas local governments who were hit with ransomware. While the situation remains fluid and very active, I urge readers to follow this topic closely and take action as needed – as I have written several times in the past 18 months.
I encourage readers to read this Associated Press story on the Federal News Network, entitled “Cyberattacks on Texas cities put other governments on guard,” which highlights current activities affecting many governments globally.
The article includes several observations from Dr. Alan Shark, executive director of the Public Technology Institute, such as: “I think we’re entering an epidemic stage.”
Also, I was interviewed and quoted by Kathleen Foody. For example, I said: “Elected officials are getting the message that this is not just a technology issue or a security issue but a government competence issue.”
Look for more coverage on this local government ransomware topic in September.