DHS CISO Talks About Authentication, Supply Chain and Internet Regulation

By Lloyd McCoy, Market Intelligence Manager

At a recent immixGroup vendor demo day, Paul Beckman, CISO at the Department of Homeland Security, touched on several technological challenges and frustrations that concern him – topics ranging from patching to supply chain risk to the inevitability of security regulations surrounding the internet.

“I want to get out of the patching business,” Beckman noted, asking, “why can’t I go to automatic updates?” “I don’t understand why we’re still relying on the selected pushing of patches,” he continued. A decade ago a service patch might have created the “blue screen of death” on machines, Beckman said, so that even today, “the ops side of the house is telling me, ‘what are we going to do if we get a bad patch?’”

“My response to them is that restore capability has matured greatly in the last decade. Something goes bad in the machine, push a button, you’re back to where you were at midnight last night.” Beckman added that technology has advanced to the point where the bad patch argument can be discounted and end points can go to automatic patching.

Beckman noted that he wouldn’t call for automatic patching on mission-essential systems, high-value assets or servers because of compatibility and other issues, “but on my end points, by all means, hook them up.”

Authentication will be another growing aspect of security, Beckman said. The advent of artificial intelligence and machine learning will cause authentication to go “through the roof,” he predicted.

“There’s going to be so many things that artificial intelligence and machine learning are going to be able to glean from us than our traditional standard behavior,” Beckman said. “We’re going to get authenticated a whole lot more ways than just two,” he added, suggesting “we will eventually get to a point where it’s going to be 15 or 20-factor authentication.” For that reason, authentication will become one of the government’s increasingly important tools in its cybersecurity arsenal.

One challenge that Beckman conceded he was unclear on is how to solve is supply chain risk management. He broke down three primary areas of supply chain risk: manufacturing, code development and distribution points (both physical and virtual).

“There is no way we’re going to be able to bring all the manufacturing back to United States. Good luck telling Apple that,” Beckman said. The same concern exists in code development. “For us to tell Microsoft, they’ve got to bring all their code developers to be in CONUS and (be) United States citizens. Microsoft Windows was built with over a hundred countries of developers. Bringing all that back (to the U.S.) – it’s not going to happen.”

Distribution, both physical and virtual, is an even more difficult challenge to manage, according to Beckman. “How do I secure the product and make sure it’s not tampered with in any way, shape or form from Point A to Point Z?” Certifying distribution is an “extreme challenge,” Beckman said. “I don’t have an answer other than just to try to throw a lot of money at it.”

Because of these and other concerns, Beckman noted,” I think we’re getting to a point where security is going to need to be regulated” on the internet. While he acknowledged that the government has largely intentionally stayed out of imposing regulations on the internet, eventually, Beckman said, “I think they are going to have to.” Pointing to the capability of using the internet of things to “manipulate cars, planes and medical devices embedded within our bodies,” Beckman said, “we’re starting to talk about the potential for loss of life and limb.”

That’s when the government will always get involved and start regulating, he said.

“My only ask is that we don’t wait for a catastrophe to happen before we actually get into using regulations,” Beckman said. “Whenever the federal government does regulation post catastrophe, we do it generally in a rushed fashion,” and this rushing leads to “not the best policies.”

“I think we need to sit down and very methodically go through what this regulation should look like, because it is coming,” he said. “I’m just hoping that we get to it before the catastrophe and not after.”

Want to keep on top of government IT trends in security? Subscribe to immixGroup’s Government Sales Insider blog.

Expand your reach and uncover new opportunities in government. Find out how immixGroup’s Market Intelligence team can help drive your business.