The federal government continues to face a number of complex challenges in terms of how it protects itself from cyberattacks. On this week's episode, Eric and Arika are joined by Jason Miller of Federal News Network to discuss the current state of government cybersecurity. What is the government doing well? What could it be doing better? How does the lack of skilled cybersecurity workers impact government cybersecurity?

… and don’t forget to sign up for upcoming episode alerts!

How to Listen

Episode Table of Contents

• The Three P's: Policy, Programs, and People
• The Government Is Not Getting Enough Credit
• Find A Way To Incentivize Cyber Professionals
• Where The Government Can Make Progress
• A Noble Process
• Tune in to Ask the CIO Podcast

Meet Our Guest Jason Miller

Arika: Hi, and welcome back to To The Point Cybersecurity, this is episode number 24 and I'm your host Arika Pierce joined as always by Eric Trexler. How are you doing, Eric?

Eric: Doing great, Arika. I always love when we have journalists and personnel from the media involved.

Arika: Me too. In my next life, I want to actually be a journalist. I'm fascinated by that life. So, we're excited to have Jason Miller from the Federal News Network with us this week. Hi, Jason.

Jason: Hey, thanks for inviting me.

Eric: Jason, I'm just going to say, I'm a huge fan of Ask the CIO and some of the reporting you do. So, full disclaimer to our audience upfront.

Arika: Well, I'm sure most people that are listening have probably read a lot of the things that you do. I also I'm a fan of Ask the CIO and your Reporters Notebook. So, excited to talk to you today and we have a simple topic and that is just the state of government cybersecurity. So, we're excited just to get your take on a couple of exciting things and crazy things that are happening in the area of government cybersecurity. So, let's get started. Let's get to the point.

Arika: So Eric, I'll let you kick it off. You always have lots of good questions.

Preamble: The Current State Of Government Cybersecurity

Eric: Oh, boy, where do I go? Once again, back to the journalism component. When I look at the famous journalists of our time that are really looking at this type of cybersecurity in general, I put you up there with Brian Krebs, David Sanger, who wrote The Perfect Weapon, Ted Koppel, I think you come at it from a dispassionate perspective, or a less passionate perspective.

When we talk to our government contacts, they're very passionate about what they're doing, which is awesome, but they see the world in their way.

When you come at it from a vendor perspective, exact same thing. We see the world in from our lens. I think, you probably have an amazing perspective. I know as I listen to your interviews and I read your write ups, you're somewhat removed and can take a perspective agnostic approach almost, Jason. So, with that said, How are we doing? Where are we?

Arika: Easy question to start with, huh?

Eric: Long preamble, but let's do it.

The Three P's: Policy, Programs, and People

Jason: So, one of the things that we like to talk about when we talk about what we do and the Federal News Network, and this is becoming my theory about the coverage of the federal government for the last 20 plus years is, we want to look at it from the three P's of government. Policy, programs, and people. From that perspective, that allows you to be dispassionate to a certain extent and not get involved. I mean, let's be clear. I love what I do. I mean, I'm one of those people who looks forward to Monday mornings, who looks forward to getting up and meeting the next people, doing the next story, talking about the next policy.

So, I kind of nerd out that way, but at the same time we don't get into the bits and the bites and we don't deal with the politics side. Whatever the policy is, that's the policy of that administration, of that Congress, of that lawmaker and I think that helps us kind of really focus on who our audiences, which is federal employees and contractors.

The Government's Bad Rap

WannaCry 2017

Jason: Now, that being said, where are we? What are we doing? How are we doing? I would tell you the government actually gets a pretty bad rap, they're much better, much more secure than people think. And I can point it to two reasons why or two examples. The first one is a pretty easy one, one we've talked about maybe many times over the last few years. But when the WannaCry virus really infected 300,000 computers, 600,000 computers across the entire world, and I think it was 2017, the government wasn't affected at all. And that goes back to, if you will, I did some reporting on this and then the answer that came up was, the government decision to get off, I think it was Windows XP back in 2014, 2015 time frame. And that's what WannaCry really got into.

Big Breach 2014

Jason: Now, I will fully admit. I am not a cyber expert so you'll forgive me if I'm kind of conflating two things here, but that type of example shows that the government's not this behind the scenes, old technology, still live in the client server environment. There are definitely good things that are happening specifically around cybersecurity.

The second one I'll just point to is, I know the office of personnel management gets a really bad rap for the big breach that happened in 2014, 21 million, the data of 21 million feds and retirees we're lost, stolen, potentially by the Chinese, but what people don't get now is how far OPM has come, I think it's a testament to not just those folks at OPM, but really to where the government has come as a whole when it comes to the state of cybersecurity. So, my long winded answer for your long winded question.

Arika: So, better than we think.

Eric: We're not there yet, but we're making progress.

The Government Is Not Getting Enough Credit

Jason: Well, it's like a good GAO report, right?. Make the joke. Progress made more progress needed, but I think there are better pockets of success in the government and that they don't get enough credit for and

I know there's a lot of frustration and things are never perfect, but the state of cybersecurity in the government I would tell you is fairly strong.

Eric: Yeah, in my travels, I meet with a lot of executives on the government side, we meet with people on the hill, meet with the actual workers getting the work done, meet with contractors, and I'll tell you, one thing I notice, the passion, the focus on mission across the government is amazing. People want to do good things. Sometimes the process or system gets in the way, but they really want to do the right things and they try hard.

Why the government love covering what they do

Jason: And I think that's one of the reasons we love covering what we do is because you get to meet the people and get to understand what they're trying to do. My wife always kind of makes fun of me and says, "Well, you're an apologist." Whenever someone says, "Oh, that government." I'm always quick to be like, "Oh, do you mean the Congress or do you mean the government?" And a lot of times what you find is, "Oh, yeah, yeah those people on capital or the Congress. So, I think you're right, Eric, that the folks in the agencies, and the folks that are working these problems, they care a lot and they want to do the right thing.

Many times they are doing the right thing and we just don't get a chance to know about it enough.

Eric: I agree. I mean, nobody comes to work saying, "I want to do a really crappy job today."

Arika: Well, we hope not.

Eric: Okay, maybe a few people. But across the board, the system can slow them down, it can get in the way, it can inhibit their ability to get the job done, but they really do care about the mission of serving the people.

The lack of sense of urgency

Arika: So, I'll ask you both this, I actually, I read an article this week that was talking about government cybersecurity and really focused on the fact that one of the challenges has been the lack of a sense of urgency in terms of moving some of the initiatives forward. Do you guys see or think that tide is changing where the need in terms of we've got to keep up with what's happening on the other side and invoking more and utilizing more cutting edge technologies, things like that. Do you think that government is starting to accelerate in that area as well?

Jason: I would tell you that there is a sense of urgency and there has been a sense of urgency since, I'll go back to 2006 when the VA lost the date of 26 million veterans. That's when you really saw the huge ramp up. Now, are there ebbs and flows? Absolutely. Are there pockets that, I can't believe we're still doing this. Yes, of course. And are there policies and laws that stand in the way? Sure. But I think you can point to that effort, that incident and then the OPM hack is too kind of big incidence that have pushed the sense of urgency and you continue to see with this administration, they released the high value asset update policy, agencies are really being pushed toward protect what's the most critical assets, stop trying to protect everything. And I think that message is starting to come across.

The cloud is now part of our everyday life

Jason: And you're also seeing it with updates to, for instance, the trust internet connection, the tech policy, they're recognizing that the cloud, we always talk about the cloud, the cloud is now part of everyday life for agencies. So, how do we ensure that the data, the system is protected, but not have this arduous policy and requirements that are pushed on agencies that provide latency and problems and challenges that maybe aren't needed or are providing the value that they thought they once were? So, I would argue that whoever wrote that article maybe doesn't understand the topic.

Eric: No, I'm definitely seeing more of a focus on risk and understanding risk. I was moderating a panel at RSA last week, it was cyber risk framework and aligning it to agency mission. A lot of the discussion was around, how do we prioritize, right? You can't do everything at once. But we're seeing that. You've got to remember the government is like a very large supertanker. It doesn't turn overnight. It takes time to make that turn, but when it does it moves very quickly. Jason, your example of Windows, getting off of windows 7 and Windows XP, moving to Windows 10 and the DOD, I mean, that was a massive effort that they're still working on, but they've made so much progress but that took several years. You got to remember, this is the largest enterprise in the world.

Arika: Right.

Do not put everybody in the same bag

Jason: One of the things I'll just also highlight is, remember, when we talk about the government, I think it's kind of unfair just to kind of put everybody in the same bag. There are so many pockets. I mean, if you think about, let me offer you an example. The State Department was doing continuous monitoring or continuous diagnostics and mitigation, whatever we're calling it now, back in 2006, 2007 time frame. They were giving scoreboards, they were offering this. You have great pockets and other agencies that have set up security operations centers that are giving the 24 by seven. So, this idea that they're not doing certain things or there's not this sense of urgency, I think is a little bit of a misnomer.

Jason: Now, are their pockets? Sure. Are there problems at agencies that are head scratchers? Yeah. But I think generally speaking, the government has come around to definitely take this idea of cybersecurity, data, PII much more seriously, and then they're doing a pretty good job. Not perfect, but pretty good job.

Find A Way To Incentivize Cyber Professionals

Eric: Now, we still have things like workforce challenges, Arika.

Arika: I was getting ready to say that. Yeah.

Eric: That's a problem, right? I mean, when we hire somebody from government, especially out of the military, you're paying them two, three times what they were making in the public sector. Especially the military if you're hiring. That's a real problem. We've got to find a way to incentivize these cyber professionals to come into the government, whether it's through the military, civilian agencies, or however it may be, and want to serve. There just aren't enough people as we've talked about at length week after week.

The initiative to increase cyber workforce applicants

Arika: Yeah, and Jason, I know this has been an issue that you've covered. So, what are your thoughts there? I mean, what can really be done to make sure that this cyber workforce within government is strengthened? I mean, there's been some recent initiatives that we've seen with the cyber workforce sort of Academy that they were rolling out, OMB was rolling out. It looks like they had good results. I was actually shocked that they only had 1,500 applicants. Does that seem like a low or high number to you guys?

Jason: For me I thought it was a pretty decent number. Especially with an administration that the federal employees are a little hesitant to trust, and I think that when they roll out a re-skilling Academy, what's that really mean, I think it's a brand new initiative. So, 1,500, I don't know. To me I thought that was a pretty decent number. I wasn't shocked but I wasn't like underwhelmed either.

Arika: Okay.

Jason: That's a good start.

Arika: Yeah, and it's a great initiative. I mean, I think it's an outside the box thinking which is what we need so.

Jason: And I'm an optimist about things. So, who knows.

Where The Government Can Make Progress

Eric: You know, one of the areas I think they can make some progress, the government is massive. They have clusters where you look at like Huntsville and some of the work in Kansas City, there are regional centers where the government is very strong and you have a lot of career movement when you join the government. These jobs can be done from many locations.

So, as far as retraining, re-skilling the workforce, training new people in areas where, let's say I live in Kansas, and I don't want to move to DC, or I don't want to move somewhere else, there are government jobs that can be performed there in cybersecurity where the entire country can come together and actually benefit everybody. Benefit, but government jobs. So, there are things we can do and I'm hoping that we make a lot more progress over the next couple of years.

Jason: I think the two other things that I would also highlight is the incentive for getting people into cybersecurity is tough. I mean, I have two teenage kids and my daughter is one of those people who knows math, knows science, she's the perfect stem candidate. And I've said to her, "You should look at computers." "No, I'm not interested." And I'm sure the government needs to do something about that, but I think that there are people who have that, that you have to,

The government has a challenge and always has a challenge of promoting themselves, of getting out and saying, here's all the cool things we do and really be more aggressive. I think you see some of that from the National Security Agency because they kind of have to-

Eric: They're excellent at it.

Getting the word out

Jason: ... but the Commerce Department, or the Interior Department, or pick your agency, justice, they do some cool things too, but they don't talk about it. And when you go back to the beginning of our conversation, one of our roles as journalists and one of the things we do as a business to business news organization is try to get that word out, try to educate the agencies, but also the contractors and then you hope that kind of trickles down out into the general public. But if they talked about the good news and all the work that they did, I think that would help recruit people.

The government can't compete

Jason: The other thing is money. I mean, if somebody can spend more money, double your salary or triple your salary, maybe the government's got a step back and say, for certain professions, we'll see what the market is and spend the money at that market levels, and there's been some push to do that. [inaudible 00:15:01] authority, DHS has offered some incentives like a signing bonus or retention bonus. But listen, I mean, if you can go to a big company and get paid $200,000, $300,000, $400,000 a year because you have certain set of cyber skills, the government just can't compete and I think that's a mistake that they think they can't compete. That Congress has to give them the tools to compete because mission, and the feeling of doing good will only get you so far.

Eric: And at some point they're, as a consumer of these capabilities, these products, these services, they're covering the salaries anyway. The salaries are being paid, they're being paid by companies that are in many cases making money, they're profitable, So they have to pay their employees. So, the money is being spent, it's just being outsourced in some cases.

Pay what the market is asking for

Jason: Right. But that's easier because I can tell you, well, I'm paying that contractor money and how they spend their money is their problem, but if it's "taxpayer money" that's being spent, then that's the harder sell, but I think the opposite is, well, listen, if you don't want OPM hacks to happen again, if you don't want VA to lose data again, if you don't want all these consistent problems that pop up, we need to pay what the market is basically asking for. So, listen, I'm not all ... I'm a journalist for goodness sake. I'm not all about the money. But you always, let's call it like it is. There's a market, the government's got to meet what the market is. They can't come under all the time.

Eric: Well, in fairness, a lot of people in cybersecurity are really focused on solving the problem. They really care about the problem. When I meet with government customers across the board, I mean, they care about mission, they care about what the business of that agency that they represent or service branch or whatever is. They're there in almost all cases because there's something higher than money.

Jason: Well, I absolutely agree with you. And I think that is the overarching thing, and that's where it gets back to my initial point of getting agencies to talk about the cool work they do.

Showcasing the work happening behind the scenes

Arika: Well, and that's how I was going to say. I think that's such a great point, Jason, is that, as part, I've never really thought about that as being part of the work as a journalist. That you're actually elevating and kind of showcasing the work that's happening behind the scenes that they're just for whatever reason, aren't able to talk about and that could have the may be unintended consequence of attracting more folks into the government is to do that type of cool work.

Eric: They do [crosstalk 00:17:29]. Go ahead, Jason.

Jason: No, what I was saying is, to get them to talk about is so difficult. It's not like we're under covering doing investigations. Like, I wrote a story the other day, I'll give you a perfect example. An agency was doing a cyber escaper.

Eric: I read that.

A Noble Process

Jason: I thought that was fascinating idea to train employees about how to deal with cybersecurity. And you couldn't quite tell which employees, but even if it's all employees, I gave them, hey, this is a noble process. This is something different. They're trying something new. They called me up and they said, "Well, you got these things wrong." I was like, "Well, this is a good news story."

Arika: Right. Yeah. That's a really cool thing that's happening. Yeah.

Jason: [crosstalk 00:18:10] Like, they were so defensive. And I said to the person on the phone, I was like, "I'm sorry, I made the mistakes, I'll fix them. But you sound really defensive." He was like, "Well, I just want to ... we had some things." I'm like, "I get it, I get it, I get it." It kind of flows downhill to me. So.

Eric: The government doesn't really have marketing departments, right? So, you're looking at, this is an amazing story we're getting out to people.

Arika: Yeah.

Jason: And I guess that other agencies could read that story and go, "Oh, I could do a cybersecurity [crosstalk 00:18:38].

Arika: We could do something else, yeah.

There's no new ideas out there

Jason: I could beg, borrow, steal that idea. Because, I don't know. I'd argue, there's no new ideas out there. We just recycle them. I mean, you see that in the movies all the time. I mean, a star is born. How many times has that been remade? [inaudible 00:18:50], and we're down the other path.

Arika: Well, Jason, this has been fascinating. So, we don't usually do this, but I do have a total off the record question for you because I let our viewers know-

Jason: [inaudible 00:19:03] off the record or on the podcast.

Eric: Especially when we're recording it.

I Can't Help But Fall in Love With You

Arika: Well, just a behind-the-scenes I should to say insight, not off the record. So, I'll let our listeners know, we actually record by Skype so the three of us can see each other when we record. So, I'm curious Jason, the record that you have framed behind you, what's the backstory there? Are you a sort of platinum record for a band that you have that we don't know about?

Jason: Even better. So, my wife and I was our 20th anniversary this year and the present that she gave me for the house, I should say, is she got a record that was framed and it was a, on one, I have to even look at it now, but it's the song too far first dance which is Elvis, I Can't Help But Fall in Love With You.

And it's also a couple other songs that kind of are meaningful in our time together, like we'd met at the Pink Floyd show back in '92, but we had met before but it's a long story. We walked down the aisle to the U2 song One. What was the other one? I think she had a couple others like, I was part of our family, We Are Family from the Pointer Sisters. And, what's the last one? Just The Way You Are Billy Joel because you know kind of ... Well, as you know you're always silly with your partner, so.

Eric: That is amazing.

Arika: That is-

Jason: I wrote that.

Arika: ... a very impressive gift. Wow. Okay. I just had to ask, I was looking at it while we're talking and I'm like, you don't usually see an actual frame record anymore in someone's place.

Tune in to Ask the CIO Podcast

Jason: Right. And I'll [inaudible 00:20:42]. She's working from home today so I'll let her know that you guys saw that and were impressed.

Arika: Yes.

Eric: Jason, that was a great story and the stories you tell, reading the podcast, just keep doing it.

Jason: Well, thank you.

Eric: You do a great work. Love listening to it on my drive in or home at night. Love reading your articles. So, just keep telling stories boss.

Arika: Yeah, keep doing the good work.

Arika: It's not easy. We know.

Jason: You know, if the government would just want to tell those good news stories, we'd love to be able to listen and retail them. So, I'll leave it there. But thank you very much. This has been a lot of fun.

Arika: Thanks, Jason. Thanks, Eric. And thanks to all the listeners. Please continue to tune in each week and we will always keep it to the point.