Exit Interview: Trevor Rudolph

The former Office of Management and Budget lead on CyberStat and other civilian agency cybersecurity issues sounds off on Congress, the fabled sprint and the new federal CISO role.

Trevor Rudolph
 

Trevor Rudolph, who served the Obama administration for four years as Chief of the Cyber and National Security Unit Office housed at the Office of Management and Budget, presided over some key security initiatives designed to protect federal civilian systems, including the sprint to implement two-factor authentication in the wake of the hack of the Office of Personnel Management and the CyberStat program designed to identify and remediate weaknesses on agency networks and systems.

Rudolph, a two-time Fed 100 honoree, resigned from government service in November and is now chief operating officer at WhiteHawk, a firm focused on helping small- and medium-sized business select cybersecurity products and services based on their specific needs.

He spoke with FCW's Adam Mazmanian on Dec. 20. This transcript has been edited for length and clarity.

Tell me about CyberStat. What were those meetings like? How did they evolve? How do you get buy-in from agencies?

I think what would be helpful is to give you a little bit of background on where CyberStats were before we created the Cyber National Security Team at OMB, and how they've evolved over time.

If you go back to 2014, it was basically a couple of people inside [the National Security Council], OMB, and [the Department of Homeland Security] where we performed, I think, six CyberStats in all of 2014 with very limited resources.

All we were doing was looking at the vulnerabilities and hitting agencies over the head, really in a pretty combative tone, and saying, "You should fix this. You're not doing well enough on that or you're not doing well enough on asset management."

Everyone would take their beating, and then they would go home and do absolutely nothing about it.

You're checking a box.

It was checking the box on both ends. It was checking the box on the White House end, saying, "Yeah, we beat somebody over the head," regardless of the actual outcome, and it was checking the box on the agency's side saying, "We went to OMB, we went to the White House and said we would do all these things to placate them, and then we left, went home and did nothing with zero outcome."

That's essentially the actions or the mechanics at the time. I said specifically, "This isn't a very smart process. This isn't an effective and efficient use of resources. We need to bolster our capability in this area."

What we found was, without those deep relationships within agencies, and that touchpoint in the form of a CyberStat, we were limited in terms of our intel that we had of the agencies.

Then the depth of the relationships wasn't there to actually get the information we needed to do our jobs. What we did in building this cyber team at OMB was we focused, in part, on the cyber stat process. What you saw was, in 2015, a ramp-up of 14 cyber stats from six. Then in 2016, we just wrapped up, I think, either 24 or 25.

What that means is it's not just a number that's growing. It's actually intelligence and a clear context around the state of each agency's cybersecurity posture.

We went from looking at [self-reported metrics] to looking at the whole picture, from data the DHS had on incidents, the magnitude of those incidents, to open critical vulnerabilities, to scores on the President's Management Council assessment, which of course realigns the new cybersecurity framework.

We were starting to paint a much more detailed, and frankly helpful, picture of where agencies sat. Then the sessions themselves became much more collaborative. It was [federal CIO] Tony Scott saying, "Where do you have issues? I know you have issues, because everyone has issues. How can we actually help?"

Then the discussion became more along the lines of, "Where do you need resources? Where do you need top cover?" On a more tactical level, "Could we send you a person for 30 days to help you fix a discreet problem that you may have?"

Is that something that happened frequently?

Yes, I'm talking, like, once a week. In order to do 25 sessions, that's a lot of prep work, because I mentioned all those data sources.

Those are humans compiling all that information, synthesizing it, coming up with a session deck that's going to be value added, having the session, and then there are all kinds of action items and follow‑ups that come from it as well.

To do 25 in a 12‑month period, it's pretty aggressive. It was at least once a week or every other week.

How can the incoming administration leverage this effort?

We started prepping our impact and value statements on CyberStat. How have these been helpful, quantitatively, in the past? We started developing these papers many months ago with the idea of having something buttoned up to present to these teams.

In the agency context, how do you make something like a CyberStat stick? Just to open the book a little bit, one of the things that we've done was, because we've done so many sessions, each one has had so many detailed follow‑ups and we've actually documented in formal memos what those follow‑ups are, some of these sessions have a long tail. They're going to go into the next administration.

Assuming that the next CIO, the next [deputy director of management], or both prioritize this follow‑up, because these are very important things that need to be done for the security of our country, the documentation is there, and that infrastructure has already been built.

It's going to be difficult to dismantle, if anyone were to make such a foolish decision.

Let's say you'd done a 2016-style CyberStat on OPM and the Interior business systems that were the target of the hack of the OPM data. What would those have looked like to you? Would you have seen some red flags there?

We certainly would have seen some red flags. With the benefit of hindsight, we now have a better idea of how things happen and what some of the weaknesses were. I don't think that you could have done a CyberStat of OPM and in isolation identified all the issues and then actually remediated all those issues in, let's say, a six‑month time frame.

It's important to point out that what happened at OPM was a systemic failure across the board. Everyone shares blame in what happened at OPM. It was in part Congress's fault for not properly resourcing the agency. It was in part OMB's fault for not prioritizing funding for the agency for many years. It was OPM's fault for not effectively prioritizing IT and cybersecurity upgrades.

Everyone shared in the responsibility, including Congress, including OMB, including OPM. To say one session would have identified all the red flags and then we would have been on a path to fixing them is overly simplistic, given the magnitude of what was brewing there. It wasn't just one person that was responsible for OPM.

Given that, did you find any similar risk profiles in the course of your work? Did you find federal systems that were in the same place as OPM?

Sure. Part of the value of having these sessions is developing a better picture, a more comprehensive picture, of not just the strengths, but the weaknesses and challenges at every agency.

We would find these things all the time. There would oftentimes be legitimate reasons. Let's say, on a tactical level, this patch is going to break a system. We've taken some sort of other compensating control. Let's talk about that. What does that look like?

At a more strategic level, you could have a conversation like, "OK, yes, we need to move from this operating system to the next operating system, but we don't have the funds to do it. Something's going to take a hit if we do in fact fund this." That was a bigger, more strategic conversation.

To answer your question directly, there are strengths and weaknesses across the board.

Was the idea for the IT Modernization Fund legislation a direct outgrowth of what you found in this work?

To back up on ITMF, I think it's important to start with a little bit of background and context to say that ITMF is a part of the President's Cybersecurity National Action Plan.

We, more or less, as a government, and especially in the White House, had a come‑to‑Jesus moment where we said, "We really need to think hard about the root cause to all of the problems that we find ourselves dealing with on a daily basis."

That's when we came up with this model, frankly through Tony's leadership, of we know we've got a legacy IT problem that's fundamental. We know we have a workforce problem that is fundamental. Of course, the way we do IT, how fragmented it is by agency and by bureau just doesn't make sense. It's not an enterprise‑wide view of how we should be doing things.

That's how ITMF was born. Identify root cause and then come up with a concrete, implementable proposal to solve that particular problem. That's where ITMF came from.

I guess in that vein, what was your take on the $9 billion CBO score that took IT reform off the table for this session of Congress?

I've got a pretty strong opinion here. Folks listening to this interview may respond to it by saying it's an overly simplistic view. On this front, it's pretty black and white to me.

First point is, I was pleased at the broad bipartisan agreement on the fact that we should have the authorization to do something like the ITMF. There wasn't any real disagreement that we should authorize the capability. Of course, the disagreement came around the funding mechanism and the funding amount, and then, of course, the CBO score was an input or a factor there.

The second big point is, regardless of how this is scored ‑‑ frankly, I don't care how it's scored ‑‑ this needs to be seen as an investment for our future.

If folks in Congress, if the American people want to really get ahead of the cybersecurity challenges that we're going to face today, tomorrow, and 10 years from now, this is one of the key ways we can actually make a down payment on our future.

In terms of the exposure of dot-gov to cybersecurity risk, are things better now since the cyber sprint?

In my oh‑so‑humble opinion, there's not a doubt in my mind that we are better. If you just look at the data post‑sprint, not just on the increase in [personal identity verification card] usage, but in the fact that we actually, for the first time ever, as an enterprise, looked at our privileged user community and had a discussion inside every agency.

Who are these people? What privileges do they have? Should they have them moving forward? That is our primary risk surface that we were able to gain better insight into as a result of the sprint.

Other basic things, like agencies regularly scanning for indicators of compromise on their network, were not a routine activity at every agency. I do believe that it is now a routine activity at every agency.

Is it a routine human activity or a routine automated activity?

I think it probably depends. There needs to be a combination of the use of tools and then the actual use of humans to analyze the information coming from those tools.

Then the other point I'd make as far as data, that shows we've improved, is there was a 99 percent reduction in open, unpatched or unmitigated critical vulnerabilities post‑sprint. You can't look at those numbers and say, "We're not better off now."

I will argue that it's remarkable the federal government is doing as well as it is in the cybersecurity and IT space, given that, in my opinion, the system is broken. If you look down the line in terms of the discipline's work force, you can't hire people as quickly as you need to do.

Acquisition, it's so difficult to actually bring in the tools in a reasonable period of time that you need to actually execute, all the way down to budget and legal challenges. How can you actually get ahead of this challenge with one‑year funds that are so hard to get in the first place?

Then if you look at things like the fragmentation within agencies, even post‑FITARA, a lot of these CIOs and CISOs don't own the money that they need to actually fight our adversaries. They have to beg, borrow and steal from the program offices that are actually getting the appropriated dollars.

The cyber commission report just came out. What did you see there that you liked?

I thought the most important recommendation was the one that said we need to have a central agency, a new agency, responsible for IT and cybersecurity in the federal government. What that would allow the government to do, is start to get around some of those systemic issues.

I'll use [Continuous Diagnostics and Mitigation] as an example. If you were to deploy CDM at a brand new agency with centralized authorities, you wouldn't have to deal with the same problem that GSA and DHS deal with today, where they want to go an agency and give them "free" tools, and I'm using free in quotation marks.

They have to basically beg an agency to take free tools. The agency can say, "You're not the boss of me. I don't have to do this."

Of course, I think in the centralized model, you can start to get around some of those systemic issues to build an environment that is closer to security by design from day one. We can talk in a little bit more detail as to how practical that is, but I've got some ideas there on how it could be implementable.

The single dot-gov network and the dedicated IT agency look like pieces of the same puzzle. How would they work together and what is the timeline for making a move like that?

First, a couple of bullet points on context. This idea that came from the commission report is not new. To my knowledge, this idea dates back to early Obama administration, probably even before that.

The hang up was always, of course, how do you fund something like this? There were literally $500 million ideas in the earlier parts of this administration that just fell flat because of the scope, and the scale, and then the size of the ask.

In my opinion, the best way to actually execute this idea, which I think is the best idea from the report on the dot-gov side, is to start with something small. That's actually what we've started to do at the tail end of my tenure at OMB, was we developed a set of options for how to prove out this concept. To start with, "The whole dot-gov's going to go to one network overnight," is probably not feasible.

If you start with, let's say, a network or a consolidated environment, where you share networking capabilities, collaboration tools, email, you name it. Between, let's say, an environment that's good for 500 people.

Two or three or four small agencies, and you prove out that concept, and you prove you can actually get better performance, you can get better costs, and you can build out better security all‑in‑one environment, then you can make the argument to Congress and to other agencies, "You need to come this environment and you need to give up a little bit of your autonomy for the greater good of the federal environment."

The federal CISO position also came out of CNAP. Was that a good idea? What's the best way to leverage that authority?

The CISO position is a tough one to unpack. On the one hand -- a great idea. It should have been done. But on the other hand, though, the position itself, and I'm not talking about the person who's in the role. I've got a great deal of respect and admiration for Gen. Touhill. The position itself was rushed. There was not broad federal-wide agreement on the authorities of the position.

You see that reflected now in this ambiguous nature of what is the CISO? What can they do? What can they not do? Do they have budget authority over agencies cyber budgets? Do they have the ability to unplug a system when users are not following proper policies?"

Is it an offense position? Purely defensive position? How do they play with national security systems? How do they not play with national security systems? What's the relationship to DOD? None of those questions were answered in the lead up to the roll out of that particular position.

In my opinion, having a detailed and robust discussion about authorities is helpful, but largely will result in a waste of time. Thinking through the proper placement in the White House for this position, or even the cyber coordinator position, is largely a waste of time.

In my opinion, the way to fix some of these complex policy legal or authorities issues is actually to spend the time on that single agency network concept. As you bring more and more agencies into that shared environment, you turn the CISO of that environment into the federal CISO. It becomes an operational position where you can test out things like new policies, new technology. When folks aren't abiding by the rules that you've established, you can unplug a box and say, "Thou shall not do this again."

My opinion, the federal CISO should be an operational position in charge of the federal-wide environment.

Now, of course, I'm talking 10 years down the road. This is the nirvana state. We're going to have to solve a lot of these authorities issues in the short term. I think that's the appropriate way to spend our time over the next couple years.

Now, one of the things we learned about the DNC hack and the FBI making a phone call, and all that...

Yeah, that was a good article. [laughs]

That the sort of lanes for our government to respond are not really mature, let's say. What was your work on that at OMB and at the White House, and what would ‑‑ kind of fully flushed out, if you implemented PPD‑41 ‑‑ mean for an event like that?

That's a good question, but of course one that's difficult to answer, because we're still in our infancy in terms of seeing how PPD‑41 will be implemented over the long run.

My role, specifically on PPD‑41, was focusing heavily on the OMB sections, and ensuring that when there was a major or a significant incident on the dot-gov side, that we had mechanisms in place to, not just assess the national security implications of an incident, but to assess the resourcing implications to assess how you're going to reconstitute a system, especially if that system has broad federal‑wide use.

I will say more broadly that we still haven't figured out authorities in the dot-gov or the broader U.S. government space. There was a lot of squabbling, and there's still squabbling between certain agencies in terms of roles and responsibilities.

I would encourage the next administration to identify where that tension exists and just cut it out, immediately, because there's a lot of tax dollars being wasted on squabbling between agencies that share mission space here. Frankly, not every agency who is in this space today should be in this space tomorrow.

I won't give you specifics, because that'd be perhaps a little bit too provocative, but let's just say some agencies are really good at certain things, and just found themselves in the cyber space and probably shouldn't be there.

Let me come at that question from another side. There's the push by Jeh Johnson and others at DHS to reform to change and structure NPPD to be a more action‑oriented agency, and give them more of a profile -- of "this is your 911 phone call" -- in the event of a cyber‑emergency. Is that a good idea? Is that the right place for it?

The devil's in the details there. I don't think that's a bad idea. I think DHS still needs to spend a lot of time thinking through how they can execute their existing authorities, and add real value in the federal space, before we start thinking of any brand new ideas. That said, I think there's some merit to it.

I think DHS is capable of executing there, but we're still in the infancy of IT modernization. There are still programs that haven't been implemented fully, like the CDM program, which I'm a big fan of.

My position on that is focus on what you have today, prove that you can do that, and then let's talk big picture government.

You want to prove out what you can do in the dot-gov space, and maybe at the critical infrastructure, stuff that where the law is already and the authority is already there?

Right. If I were the next secretary of DHS, that's where I would focus.

Is the FBI an organization that's in the right place to do some of this?

I think so. If the FBI stays in the law enforcement lane, the deterrence lane, they can have a very productive and effective role in our ecosystem. That's the role they've played to date.

They have some of the most skilled technical people in our government. The NSA gets a lot of credit for that, but there's a lot of talent at both FBI and DHS.

The FBI also has an advantage of having, I don't recall the exact number, but they have over 50 field offices in the United States. They have offices across the world. Their reach is far and wide, and that gives them the ability to deploy in‑person when needed to provide assistance to victims. That's a capability we need as a country.

Bigger picture, how should the U.S. government treat cyber in the realm of international relations? Is it a matter of bringing cyber into the realm of everything you talk about in a foreign relationship?

Cyber is often siloed as this amorphous, nerd, computer science, technical thing, but to your point, it transcends all disciplines. You'll see that evolution, where it's brought into a broader discussion. Because if you're going to fix this issue from a national security perspective ‑‑ and this has been part of the Obama administration strategy ‑‑ you need to tackle it from not just a defensive perspective, ensuring that we have our own systems in alert, but a deterrence perspective, a law enforcement perspective, a diplomacy perspective.

The sanctions, of course, are a piece of deterrence in diplomacy. I've been a big proponent of the administration's multipronged approach in this area. We need to go a little bit further.

You can argue on the margins that maybe we didn't respond quick enough, or publicly enough, or in the right offensive manner to certain things over the last couple years, but as a whole the strategy was an appropriate one and one where we were starting to see some results. A lot of folks want faster results than were possible. The China relationship alone is showing that our effort's bearing some fruit, but there are other relationships where we've, perhaps, regressed.

Director of National Intelligence James Clapper and others have referred to some of the cyber espionage – whether it's the rosters of cleared personnel from OMB or stealing emails from a political organization -- as something that is in the game and legit from a spy-vs.-spy perspective. But does the information warfare we're seeing with the election raise the stakes?

I'm not sure that's answerable. What I will say is that the norms in this community, especially in terms of what constitutes information warfare, and what is out‑of‑bounds, and what's in‑bounds, are still up in the air.

The view that espionage is fair game and manipulating an election is nor fair game -- who's to say it is or it isn't? The norms are still being established. If we take a step back from the day‑to‑day and the specifics, it's an exciting space to be in because we're at the beginning of history in a lot of ways. We're getting to craft history as we speak, from a norms standpoint.