2020 Performance Review
Name: US Government Cybersecurity Community
Period of Performance: 1/1/20 – 12/31/20
Overall Rating: Did Not Meet Goals
During the period of performance, the US Government Cybersecurity Community failed to protect critical and national infrastructure from a serious nation-state cyber campaign accomplished through third-party software. In the wake of the most consequential cyber attack of all time, the US Government will be placed on a Performance Improvement Plan (PIP).
Election Security – The 2020 National Election was held successfully without evidence of nation-state or hacker influence. Such security protection held up through multiple court challenges and great political pressure. This success is to be commended.
Vaccine Research – Attempts by malicious cyber actors to compromise private intellectual property related to vaccine research and manufacturing were thwarted through preventive and detection-based means. This is also to be commended.
Encryption – NSA led several strong initiatives to identify and begin planning for improvement of existing weak encryption that will be vulnerable to quantum attacks. This is good advance planning for the US.
2020 Areas of Weakness
Nation-State Attack – A nation-state actor was successful in infiltrating a massive list of critical and national systems (including nuclear agencies) and appears to have created an unprecedented cyber mess that will require years to address – if this is even possible. This was a Code Red event and must be viewed as a total failure in cyber protection. No list of accomplishments can balance this complete breakdown – and this is the basis for the Performance Improvement Plan (PIP). If sufficient improvements are not put in place, then management action for the employee must be taken.
Unstable Leadership – In the days leading up to public disclosure of one of the most consequential cyber attacks of all time targeting its infrastructure, the US Government initiated a public firing of its most senior cyber security leader at CISA. This unusual management decision left the US Government without a senior leader during a time when coordinated incident response was most crucial.
Goals for 2021
Security Architectural Objectives – The US Government must advance a program of simplification, virtualization, and distribution of its critical infrastructure. Lateral traversal paths must be replaced with zero trust security, perimeter-based enterprise must be replaced with segmented micro-services, and complicated legacy software must be replaced with simpler, lighter workloads hosted securely in protected cloud systems.
Compliance and Response Objectives – Security compliance programs for the US Government must be simplified to a single framework – preferably NIST CSF (800-53 rev 5). Furthermore, federal initiatives to punish, fine, and even convict CISOs on the frontlines of cyber security should be replaced with focused initiatives designed to assist, guide, and support these private professionals in their difficult task.
People and Recruitment Objectives – The US Government must massively expand a new Cyber Corps program to encourage more college students to study computer science and related topic areas, and to agree to serve in critical infrastructure IT and cyber security roles in exchange for full tuition remission.
Dr. Edward Amoroso, TAG Cyber