FEDTECH: What impact has the wave of IT-related executive orders, combined with the increase in cyber threats, had on your IT planning?
Jones: One of the great challenges at the State Department is that we are constantly under attack from adversaries. So we try to stay one step ahead of them. We are looking at multi-factor authentication and making sure we have encryption with data in transit and at rest. He enters this state of zero trust in the entire department.
Ensuring that our priorities are aligned to support these initiatives is critically important. As I told our leaders, there are things we need to take corrective action on. We cannot do it overnight. This is something we continue to develop and ensure that if and when we identify any gaps, we mitigate those risks in close coordination with all of our partners, including the Cybersecurity and Infrastructure Security Agency.
Hyssen: That’s a lot to follow. That said, the cyber EO is incredibly ambitious. This could have an incredible impact on strengthening federal cybersecurity. The industry has experienced three major flaws over the past year: SolarWinds, Microsoft Exchange, and Log4j.
What’s important is that we see each as an opportunity to learn critical lessons and improve our defenses. SolarWinds taught us the need for a true zero-trust architecture and increased visibility into our cloud environments – and we’re implementing it. Log4j highlighted the need to have a better understanding of the content of our software. It made us realize why we need to better understand where the software we put on our networks comes from in a much more actionable way.
It moved our conversations forward in space. While difficult, I am encouraged by how we view each incident as an opportunity to respond professionally across government and continue to evolve our defenses.
Dunkins: EOs are a double-edged sword. They are almost always full of good things we should be doing. In some cases, we already do them. The challenge is that EOs don’t come with money. Money may follow, but they are almost never accompanied by a pot of money.
The price of the cyber EO is considerably higher than the funding we received. Also, I can’t hire enough people to do the job. We’re going to do what we can with the money and the people we have and tackle our biggest risks first. Every year we will do better and do more.
FEDTECH: What project from another agency impresses or inspires you, and why?
Dunkins: What inspires me are all the projects that we never hear about, because what we hear about are projects worth 100, 500 or 7 billion dollars that are in difficulty. You don’t hear about the little things people do every day to make government better, and that’s what inspires me.
I recently went online to renew my trusted traveler status. CBP has a brand new website. It integrates with my government ID, and because I did, the system basically said, “We know who she is. We know she has security clearance,” and I was cleared overnight.
This sort of thing happens all over government. People make government friendlier and more efficient. But what you hear about are the big ugly things that fail. For me, inspiration comes from all the things we don’t know or have just browsed, like the CBP website.
Hyssen: I’ll give credit to Keith at the State Department. During Afghan resettlement and evacuation efforts, the State Department put in place a number of systems incredibly quickly, first to identify and contact Americans who were living in Afghanistan to help them get out, and then to monitor the progress of resettlement. They built this incredibly quickly, using out-of-the-box platforms and really responding to the needs of the state as well as other agencies to coordinate the effort.
Jones: I’ve been so focused on the department here that I really haven’t seen a lot of outside projects. From an acquisition perspective, looking at DHS best practices as well as the work of the U.S. Digital Service is always impressive. We may consider building our own digital services team in the future.