Agencies need to trust the tech they buy from private industry is free of bugs and malware, but today’s approach to securing the federal IT supply chain is too narrow for any such guarantees, according to the country’s top cybersecurity official.
Over the last year, federal leaders have barred multiple companies from doing business with the government citing possible security risks. The Homeland Security Department and Congress both banned agencies from buying products from Kaspersky Lab, a Russian anti-virus company with potentially problematic ties to the Kremlin, and the 2018 National Defense Authorization Act placed similar prohibitions on the Chinese tech firms ZTE and Huawei.
But while those individual bans certainly made the federal supply chain safer, the government needs a much more scalable approach to stay ahead of the latest threats, said federal Chief Information Security Officer Grant Schneider.
“Those [were] good approaches to get at one-off solutions,” Schneider said Thursday at the McAfee Security Through Innovation Summit. “However, in my mind, they’re really whack-a-mole solutions to a challenge that we need a far more systemic approach to.”
Late last year, Congress passed legislation to create a federal council that would monitor threats to the government supply chain, which Schneider said could help the government respond to threats more proactively. The council, chaired by Schneider himself, will have access to classified information that would make it easier to flag compromised suppliers before their tech enters the federal IT ecosystem.
The Kaspersky ban was based entirely on publicly available information, he said, and had classified data been more readily available, “we might have done it several years ago as opposed to one year ago.”
Still, securing the supply chain remains one of the most persistent challenges facing the government as it works to defend against digital threats, and the White House is looking to industry for fresh ideas on incentivizing cybersecurity in the marketplace, he said. Bans on products from specific companies or countries have their place, he said, but incentivizing security by design is a far more sustainable approach.
Part of the challenge will be pushing consumers—agencies, corporations and individuals alike—away from buying the cheapest products and services, which are often the least secure, and toward paying up for more robust alternatives.
“Buying the cheapest [product] in cybersecurity is never going to garner the results we want,” he said. “We need to bake that in on every purchase that we’re making. How are we evaluating and actually using cybersecurity as a discriminator that may cost more. We need to all be willing to make those decisions.”
source: NextGov
