With the Executive Order on Strengthening Cybersecurity in our rear-view mirror, Samsung Business Insights sat down with Brian Wood, one of Samsung’s Security R&D program managers, to hear his advice on the best path forward to meet cybersecurity threats and strengthen federal information security.
Q: The Office of Personnel and Management (OPM) breach really changed how we think about threats to federal information security, didn’t it?
Wood: Absolutely. Our online enemies are obviously looking for soft targets and personally identifiable information (PII) across the entire federal ecosystem. Traditional targets, such as the Intelligence Community and DoD, are still part of the picture, and hackers still want to steal credit card numbers and plant ransomware. But now any piece of private information held by a federal agency is a target.
The attacks themselves are evolving as well. We’re not just facing monetary losses or data theft from nation states — we’re now dealing with the weaponization of information to influence public opinion. We’re worried about adversaries gaining control of our critical infrastructure and voting systems. We’re talking about defending bedrock institutions of our national security and democracy.
Q: With that in mind, what has to change? How do we improve federal cybersecurity and compliance at every level?
Wood: As cybersecurity threats evolve in both breadth and sophistication, our procurement and compliance processes have to keep pace. This means being able to acquire and absorb the latest security innovation to counter these threats and stay one step ahead of our adversaries.
Q: Thinking about federal IT, we’re talking about everyone from DoD and NSA to the Parks Service and Commerce Department. How can we bridge that broad range?
Wood: The first step is getting everyone on the same page, speaking the same information security language. We need a common understanding of concepts, strategies and requirements. Then we apply that understanding to cybersecurity threats.
The federal government has already done a lot of work on this. Common guidelines such as the NIST Cybersecurity Framework and strategies such as the SP800-53 Security and Privacy Controls are a critical first step to ensuring common requirements and maximizing collaboration across stakeholders.
It’s also important to extend this arc within each agency, all the way from IT managers and strategy teams to procurement and compliance groups. Getting that common understanding, even at the level of acronyms and definitions, puts us on the road to a more comprehensive approach to federal cybersecurity.
Q: That’s so true. So many times, we’ve seen problems crop up when IT experts aren’t communicating clearly with each other. But do we need to talk about procurement now?
Wood: Absolutely we do. How do you expect to meet tomorrow’s threats with technologies from 10 years ago? Cybersecurity threats evolve fast, in breadth and in sophistication. We have to acquire and absorb the latest security innovation to counter these threats and stay ahead of our adversaries. Clearly, infosecurity teams have to keep up, but it’s just as important for procurement and compliance processes to be there too.
Q: That’s a tall order. We’re not talking about small businesses and office supplies.
Wood: Obviously, federal agencies have challenges, especially given the thorough and meticulous compliance and procurement processes they follow when evaluating new technologies. But there’s no alternative. Our adversaries are moving quickly. We all know that modern systems with significant cybersecurity components are extremely complex, which makes it difficult for the federal acquisition community to understand and recognize risk in their procurement strategies.
That’s why federal IT managers must have 360-degree agency interaction. They have to communicate the big picture. Cybersecurity requirements cannot be just an acquisition checkbox, but must be part of a carefully considered and communicated strategic vision.
Q: It sounds like the public sector is facing a large adoption curve.
Wood: No, not true. The private sector has been an enthusiastic adopter of NIST’s cybersecurity work and looks to the federal government for cybersecurity leadership. These common languages bridge across public and private sectors. In other words, these are broad best practices that we should be implementing as a nation that aren’t necessarily industry-specific.
Now the federal government is absolutely unique when it comes to the procurement of cyber solutions. We rightly have compliance processes in place to ensure we’re making the absolute best use of taxpayer dollars — but government shares more cyber risk in common with the private sector than is normally acknowledged. The major capability and functionality needs are essentially the same, with some variation at the edges.
For example, FIPS 140-2 cryptographic standards meet the requirements of both private sector and public sector systems. NIST is making updates to the cryptographic testing program to encourage testing of non-government systems to verify correct algorithm implementations.
Q: I see how NIST’s work begins to lay some common ground, and I know that they get significant private sector input, but that’s driven by the federal side. What about a more balanced collaboration? How can we get federal input into industry standards?
Wood: True collaboration between public and private sector has always been important, and we need to keep that up. Federal leaders should continue to find opportunities to participate and collaborate in industry groups and programs alongside other major private sector enterprises. A few good examples today include the FIDO Alliance, the Cloud Security Alliance and the PCI Security Standards Council. These targeted industry forums empower federal agencies to learn from commercial expertise and knowledge.
On the industry side of things, it will help us design products that are “federal-ready.” This increased collaboration and transparency will help vendors ensure that their early design specs and their products adhere to unified standards across customers and industries, including the federal government. For the majority of federal deployments, having common requirements with the private sector would mean vendors are building systems and solutions that meet federal needs up front, and not as special versions with extensive modifications, which always increases cost.
Moreover, this would meet federal technology needs earlier and more continually. The result is a win-win that saves time and cost on both sides, and transforms our nation’s cyber posture through the rapid adoption of the latest technology solutions.
Brian Wood joined the Security R&D team at Samsung to build a mobility security certification program to support government and enterprise sales. As the program manager for Common Criteria and FIPS evaluations, he has led Samsung through more than 20 successful Common Criteria evaluations and supporting FIPS certifications, integrating the program into the development cycle instead of one-off certifications. He also acts as the Samsung representative for several Common Criteria Technical Communities, both through NIAP and the broader international community.