This post is a summary from a session at Adapt 2024: Reimagining Our Federal Cyber Future — our second annual one-day conference dedicated to unpacking the complex challenges facing Federal IT, cybersecurity, and operations teams.
Federal cyber pros must understand their assets more deeply than ever before to diffuse supply chain issues, AI-enabled challenges and workforce shortages.
Wouldn't it be nice if cybercriminals and nation-states took an extended vacation or a summer off? Teams defending agency networks could take a moment to catch their collective breath, implement more of their zero-trust plans, and generally batten down the hatches for what comes next.
Unfortunately, breaks don’t happen. Instead, defenders spend time fortifying insecure systems while adversaries experiment with cutting-edge technologies to develop novel methods of attack. It can be hard to prioritize current threats like remediating critical infrastructure and supply chain vulnerabilities with future disruptions from artificial intelligence and quantum computing.
At the 2024 Adapt conference in Washington, D.C., cyber experts from across industry and government discussed the emerging threats they're tracking and strategies for defending against them.
Taming the Chaos of Data in Cybersecurity
One of the most pressing problems agencies face is a deluge of system data from different sources with little context about their operations. Most security stacks feature dozens of tools and sensors that offer an incomplete picture of the network's users and assets.
"Today, we don't have a problem of a lack of data. We actually have a problem of an abundance of it—a chaos of it," Dean Sysman, Axonius co-founder and CEO, told the audience. "How do we take all of that data, all of those tools, all of those sensors and controls, and then actually understand how those different pieces of the puzzle work together."
Cyber professionals can benefit from a single view of their operating environment that gives them the right data to make effective decisions.
Where Cyber Meets Physical
Protecting critical infrastructure systems like power grids, water filtration systems and communications from malicious actors is crucial for maintaining national security. These systems are a favorite target of nation-states looking to disrupt essential services at some politically advantageous time.
The Navy faces similar challenges, albeit floating. The service maintains "ships that are self-contained cities with all of the internal, critical infrastructure that goes with that," Josh Reiter, deputy principal cyber advisor to the U.S. Navy, said. Tech teams are evaluating operational technology and industrial control systems that are crucial for operations but could open unexpected entries for attackers.
What Lurks in the Supply Chain
In addition to knowing network assets, cyber defenders need insights into their components. According to Michèle Flournoy, former Under Secretary of Defense for Policy and co-founder of WestExec Advisors, supply chain security in software and hardware must be addressed. Government officials need more transparency from their vendors so they can determine the origins of chips in the F-35 fighter jet, for example.
Agency officials should opt for components made in the U.S. or by a trusted ally to avoid Trojan horses or other compromises. One option is to write origin requirements into contracts, but the government will need assurance solutions and to foster domestic manufacturing capabilities.
Artificial Intelligence: Friend or Foe?
AI has been the most disruptive tech of the last year, sparking society's speculation about its potential benefits and drawbacks.
"We're spending a lot of time internally figuring out from the assessment standpoint how we can leverage this technology today, but then from the defender standpoint, how can we protect against this technology?" Davon Tyler,Department of Education chief information security officer, said.
Multiple cyber experts agree that AI-enabled cyber attacks will be an increasing challenge. Adversaries could leverage AI to automate the detection of vulnerabilities, move at machine speeds and potentially poison large language models to mislead AI-based decision-making systems. AI could also inject doubt into locations by manipulating precision timing and navigation systems.
To counter these threats, organizations should explore strategies that combine human intelligence with AI.
"I think what you're going to have is a greater human-machine pairing. And I don't mean that in a cyborg neural link kind of sci-fi way," Reiter said.
When Quantum Gets Real
The advent of functional quantum computers at scale could pose a significant threat to current encryption methods. Algorithms that currently seem impossible to break could be cracked in short order. Flournoy said agencies should explore quantum-resistant encryption options before quantum computers become a reality, which could be as soon as the end of the decade.
Rethinking the Cyber Workforce
Facing future threats requires a robust, skilled cyber workforce despite a shortage of qualified workers.
Considering candidates of many backgrounds can help expand the recruiting pool. Tyler took a traditional IT path, including stints at a help desk and as an engineer. "But I will tell you that one of my best people on my team—he's a police officer," he said.
The experts said investing in human capital, incentivizing desired behaviors, and developing clear career paths are essential for building an effective cyber workforce. So is creating an environment of continuous growth. Giving people a mission—whether it's to advance their careers or secure the nation—often trumps the salaries the private sector can offer.
"There's a fixation on money in terms of, you know, DOD can't keep people because the private sector can pay them more. You know what? We do cooler stuff. You can do stuff working for the DOD that would literally be illegal anywhere else," Reiter said. "Put a price on that."
