Critical infrastructure group launches effort to aid federal agencies’ cyber defenses


The federal government’s cybersecurity posture has been spotlighted several times since last decade’s OPM breach.

A leading critical infrastructure cybersecurity institute is honing its focus on defending federal civilian agencies, following several headline-making cyber incidents that have targeted and compromised agency workers’ data and systems.

The multiyear initiative, dubbed the Center for Federal Civilian Executive Branch Resilience and launched Thursday by the Institute for Critical Infrastructure Technology, aims to overhaul standards and procedures used to shore up the cyberdefenses of government agencies that are frequently a hot commodity for cybercriminals and nation-state hackers.

Federal workers are “fair game” to foreign adversaries, even if those workers had previously left the government for private sector jobs, said Paula Ann Doyle, a former counterintelligence official in the Office of the Director of National Intelligence, who spoke at the institute’s launch event for the initiative. “You are the intellectual property of interest.”

Numerous cyberattacks have proven her point, notably the 2020 SolarWinds incident that compromised numerous federal agencies. And just this past year, Russian, Chinese, North Korean and Iranian cyberattacks targeting sensitive government assets have underscored a governmentwide need to augment its own digital posture.

One of those attacks carried out via a Chinese intrusion last summer compromised the email inboxes of major U.S. officials, including Commerce Secretary Gina Raimondo, and led to a scathing DHS report released in April.

“I would characterize today as a really good time to step back and just examine the current landscape of threat trends and technology,” Chris DeRusha, the former federal CISO, told Nextgov/FCW on the sidelines of the event.

“What’s the current posture of civilian enterprise today and how do we help it move up together?” said DeRusha, who now heads Google Cloud’s public sector compliance work.

Government services and facilities are a designated critical infrastructure sector under U.S. law on grounds that they help enable nationwide business transactions and process “highly sensitive information, materials, processes, and equipment,” according to the Cybersecurity and Infrastructure Security Agency.

The new ICIT center, in turn, would aim to strengthen the digital shielding of federal agencies by educating leaders about technology solutions and developing policy recommendations for lawmakers, said Cory Simpson, the group’s CEO.

The federal civilian agency landscape faces a September 30 deadline to adopt zero trust architecture, a security management methodology where users in a network are never trusted and should be regularly verified as they move across applications. Agency workers and contractors often transfer data between devices or take their work home with them, creating potential security risks if their networks are unsecured and compromised.

A first priority for the group will be identifying the most pressing cyber issues facing feds, said Mitch Herckis, a former branch director for federal cybersecurity in the White House’s Office of the Federal CIO.

“I wish there was a magic switch we could pull, but this is always going to be a process,” he said, referring to past cyber incidents that helped galvanize focus on defending the federal sector.

The hope is to build on efforts the U.S. has already made to shield its government assets from hacking intrusions since the spotlighted OPM hack, disclosed in 2015, that compromised millions of federal workers, said Herckis, who now leads global government affairs at cloud security firm Wiz.

“I think that we’re on a really good roadmap in all the hundred-plus agencies, but they all have slightly different needs, and there’s a lot more work to be done,” DeRusha said.