[1:13] A Deep Dive into the National Cybersecurity Strategy Implementation Plan

Rachael: I'm excited for today's guest. It’s so awesome to have Kenneth Bible. He's the Chief Information Security Officer for the US Department of Homeland Security. He's also served in leadership roles with the US Marine Corps, including assistant director for the information command control communications and computers division IC-4, as well as Deputy CIO and CISO. Welcome Ken.

Ken: Hi. Thank you. So nice to be here.

Audra: Excellent. So Ken, can we jump straight into the key topic of the hour? The National Cybersecurity Strategy Implementation Plan was released in mid-July. We'd love to hear your thoughts on the plan.

Ken: Yes, so certainly this is a pretty striking thing to go from the release of the strategy to the release of an actual implementation plan in like five months. So just amazing how much work went into across the 18 agencies that are leading initiatives. And what I look at as a whole of government plan. What we've seen from this presidential administration is this deep commitment to defensible cyberspace. Also, the National Cyber Director standing up now under its standing up to lead this implementation plan. It's pretty striking and the pillars are pretty broad. 

So everything from defending critical infrastructure, which includes coordinating down to the private sector and the state, and local tribal. Territorial partners working through CISA as a cybersecurity infrastructure security agency under DHS. So it's a call across the whole of government. And even the whole of American society to get after this challenge of cybersecurity. Pillar two is more focused in terms of what CISA and the FBI do in terms of dismantling, and disrupting threat actors.

Evaluating the Comprehensive National Cybersecurity Strategy

Ken: And then pillar three, which we've had some play in directly with the department in terms of how do we shape the market forces. Drive security and resilience in the products that we use across the government. And then hopefully being able to inform that for the rest of the nation and then investing in a resilient future. So you're probably tracking some separate work that's been going on around quantum computing. And getting the appropriate algorithms that will be post-quantum computing capable. Or resistant to quantum cryptography algorithms to break that traditional cryptographic algorithm in our applications and systems. 

And then the last pillar is to forge international relationships to pursue shared goals. And this is important because cyber doesn't respect international vendors. It really doesn't care where the border from one country is to the next. It's a very fluid environment and in fact. Some implications of something that occurs in one country may and inadvertently have impacts on the United States or on other countries. So what do we think about that? So it's pretty ambitious. I'm pretty excited about being part of that from the Department of Homeland Security. Certainly, more agencies are involved as 18 in total that have actions in the plan. But it's bigger than that really. It's really taking a national view, a whole low government view of how we become more secure.

Audra: I know you've talked through the pillars. But are there any categories that you think were not put into the plan that should have been? Are there areas that you think need more focus?

Navigating the Dynamics of the National Cybersecurity Strategy

Ken: I don't think that there are necessarily pillars missing. I think that certainly details underneath it, there's going to be new initiatives that come about. One of the areas that's specifically called out is around software bills of material. And how we hold the industry that's most closely aligned to securing the products accountable for the products that they produce. Certainly, software bills and materials are ongoing work in terms of how to collect those. There are a couple of three standards for how to generate one. But how to manage the influx of those products and how detailed are they? 

Do they happen with each minor release that a vendor makes on a software product? Are they only major releases then? How much use are they if it's only at major release time and we're looking for something as nuanced as a particular library for a piece of software that was used during the coding process? And I use that specifically around things like log4j, which we're still finding within the environment.

Audra: Absolutely. So what are the plans around how to measure the implementation?

Ken: Well, I think each of the departments, and agencies that are involved in the plan has specific goals that they're working on. Some of this was ongoing work that they were doing. I wouldn't want to try to speak for every agency. But certainly in one area say in terms of what CISA is doing, they've created the joint cyber review board to look at major incidents and to actually produce recommendations and reports and they're on their third report. So they're actually off and running and producing materials that are really looking at it from a public-private partnership perspective. 

Accountability in Action

Ken: What went well, what didn't go well, and what are some recommendations for the future? So I think we measure it by outcomes if we're actually generating the products that lead to insights that generate change. But I wouldn't want to speak to individual departments. I mean, there are quite a few individual goals that each have their own timelines and the way in which they want to measure.

Audra: So with everyone who's involved, how will they be kept accountable?

Ken: Yes, I think that goes back to what I said before. The office of the national cyber director and the national cyber director is kind of the orchestra master on this. He's managing or managing the different parts of the process of making sure that agencies are actually moving forward on what they've reported in the implementation plan as the actions they plan to take.

Audra: So how is the DHS actually working to implement these initiatives?

Ken: So a couple of different ways. We leveraged what we were doing in the last couple of years and we've kind of expanded upon a couple of different initiatives. One was our bug bounty program. So we initiated a program called Hack DHS that was actually leveraging some of the cybersecurity infrastructure security agencies, and vulnerability disclosure platform capabilities. But we now have another vehicle within the department proper to be able to use with the components of DHS as part of hacking DHS. That's pretty profound. We started off with very few systems. We looked at it through some key systems. Now we've done a total of 20 systems with two department wides for specific vulnerabilities. 

[8:51] Unveiling the Impact of the National Cybersecurity Strategy

Ken: We've had eight researchers who have signed up at various points in time to look at it. And this is really critical, I think, to expand our view of how we leverage the private researcher community.
This is one of the things I think that is punctuated is the idea that we don't always see ourselves completely. So it's good to be able to get somebody from outside to take a look and find things that we may have missed. And that's truly what has occurred. It's probably the most effective insurance policy on our own systems that we've found by letting these independent researchers come in and look at our systems. 

And when I say it's pretty cheap insurance, I mean we probably paid out about $125,000 in bies in the first phase. We're up to about half a million paid out inwards as of January 31st of 23. And so we're looking at how we can expand it. But when you think about the cost of a breach or the actual cost that we pay for building and managing the systems, that's pretty cheap. That's a great insurance policy. Finding things that may have been missed during the development process.

Audra: I think it's a great, great way of doing that.

Ken: Yes. Another initiative that we've taken on board. Kind of came out of a secretary's priority in terms of his infrastructure transformation initiatives from a couple of years ago. Around how we use DHS contracting to improve the cybersecurity posture of the industry. We've kind of translated that into some really close partnerships with our procurement offices and across the department. Building out a methodology for not only looking at the current inventory of contractors and figuring out how cyber secure. 

The Collaborative Threads of the National Cybersecurity Strategy

Ken: What's their maturity in terms of their cybersecurity programs? But also now introducing a brand new evaluation factor for use in our contracts to make it a condition before award. So we not only have the ability to look at ourselves once somebody has a contract and help them get better. But also now the ability to see that in advance and hey, does this vendor really have the cybersecurity discipline?

Audra: Excellent. So you said it was 18 agencies that came together over five months. 

Ken: Probably more than 18 agencies, but it was in terms of those who have assignments in the implementation plan.

Audra: So let's say more than 18 agencies came together over five months. How did they all come together so quickly to get this plan together? Because actually a short time for that many groups to be involved?

Ken: I think that's where it comes back to the focus that the administration is at. Using the leadership of the national cyber director and of the National Security Council and being able to bring those parties together to look at what they would be able to do. And what would sit within the framework that the administration laid out for the strategy?

Audra: So in terms of the different pillars that you talked through. Can we focus on pillar five because it's dedicated to the whole four G of international partnerships to pursue shared goals? Can you talk more about that particular pillar and how that's going to come together?

Global Unity in Cyber Defense

Ken: I think it would be one that I would probably have a more limited view on. But I'll say that the different agencies, even talking about it within DHS. We have a great policy organization that's engaged in international forums to be able to discuss those goals. We have the work that's happening with CISA in order to build that capacity and build those partners. I'd underscore the department's involvement in the expanding cooperation amongst the Abraham Accords partners. And the fact that the Abraham Accords is an enduring coalition of partners to strengthen regional cybersecurity. I think that's a really powerful work. 

The department is also working closely in other parts of the EU on a broad variety of common cyber issues. And emphasizing how we harmonize our approaches in cybersecurity to help the critical infrastructure owners in particular and operators across this kind of increasingly connected world. So whether it's aviation or surface or other critical infrastructure sectors. How can we help them come to some consensus on what the right standards should be for their cybersecurity?

Audra: So what do you think will be the biggest challenge to actually bring this plan together? Because all 65 initiatives, bring that to fruition, where do the biggest challenges lie?

Ken: I think this would be more of a personal opinion. But I think the challenge is just having this understanding that having a national strategy is great. Having a national implementation plan is great. But at the end of the day, it's just like the strategy says we've got to go rely on those that are closest to the ability to secure the products, to secure them. I can't rewrite the code. 

Industry Mindset and the National Cybersecurity Strategy

Ken: I'm usually the person who finds the problem when I run into some sort of vulnerability. And that's the mindset shift. I think that the strategy and the implementation both are trying to get at how we have industries start to take more of a look at themselves. Prioritizing how do I deliver security by design rather than eventually getting to security? This is the whole point around the push around SBOs, the OMB memorandum M 2218, and then M 2316 followed this year.

It talked about attestations by industry. The software they delivered to the federal government was built using this secure software development framework. It's about how does industry takes that on board and actually prioritizes that. And that becomes the business value is that they deliver secure software. Not that they deliver 50 more features next year. And that's boardroom discussion. 

And that's the real challenge in cybersecurity right now it's not a function of the government doing that much. I mean, there's a lot in the plan that the government is going to do. But it's only effective if the industry takes it on board and says, yes, that's a priority for me too, which it should. Because again, cybersecurity is now becoming a business imperative. If you don't do it eventually you're going to find yourself not able to buy cyber insurance. Or you're going to find the reputational risk of having been breached too great for you to continue in business. 

So I think that's maybe the biggest challenge is that mindset shift that our industry bases. Whether you're in DD or DHS or any place else have to undergo, is that kind of realization that you can't do it yourself. We have to rely on industry to some extent.

[16:34] Strategies Beyond Insurance in the National Cybersecurity Strategy

Audra: And how is the industry being encouraged to actually care beyond the insurance side of things and things like that? But how are they going to be encouraged to care to ensure that?

Ken: Certainly that was my point in trying to go and when we were trying to drive the cyber hygiene is to say. Look, if you want to be competitive, we've added this competitive factor that says that your cyber hygiene and your cybersecurity posture is a hey factor. And whether or not you're going to get awarded a contract, I'm making that a business decision. Is that where do you want to prioritize? DOD has taken a little different approach with its CMMC program, and its cybersecurity maturity model certification. Where they actually are requiring a third-party assessor to come in and give you a checklist. 

A certificate that you meet these requirements and we're both going after the same thing. The requirement has remained the same. It's just their approach probably makes more sense for larger vendors who can afford to invest that kind of money. Whereas with DHS, our industry base was a significant amount of small businesses. And we didn't want to lose that competition in terms of the small, so we had to look at the approach a little differently.

I'd also say that what we've found is what we're doing with our cyber hygiene approach. And the evaluation factor and the awards process actually will keep us from having to revisit every time. Revisit rulemaking every time something changes with Nist. So I'm hoping that we have built something not only to understand what the cyber hygiene posture is before they get an award. But because we're taking looks at them throughout this course of the contract. 

Elevating Cybersecurity Globally

Ken: We're helping them to understand where they're weak and how we start to go give them the resources to strengthen. So again, going back to the secretary's original goal how do we use our contracting to elevate the cybersecurity posture industry?

Audra: That's great. Excellent. And could I ask, out of the 65 different initiatives, which initiative do you actually believe will be the most impactful? Personal opinions are okay.

Ken: Yes. There's a host of them that probably could have a great deal of impact. I would want to pick because I dunno that all of them will work within DHS. I certainly think that the international partnerships piece is pretty powerful in this space. Particularly given the nature of some of these products. And we talk about secure software and secure by design. That's something that the products that we buy are not all made in the us and there's software that comes from other countries that's assembled together to make up a product. So I would almost hazard a guess that increasing the understanding across the international community. 

And having similar kinds of strategies and implementation planning in those governments could be a driver. Because it's increasing the awareness across the board. At the end of the day, I think the fact that so many of our business processes are driven by software-driven. Getting that right building secure by design is probably the most important thing that we can get out of this. Because otherwise, we're chasing a problem rather than proactively saying we get in front of it. 

The Evolving Landscape of the National Cybersecurity Strategy

Ken: And then again, that work around the SBOM allows us to be able to quickly identify whether the products we're using are actually effective. And to be able to act on that hopefully in an automated fashion brand.

Rachael: So I do want to make a side comment too. What I really appreciated about the release of this plan is it was acting National Cyber Director Walden said it's going to serve as a living document. So many things are kind of one-and-done. We said it, but as we know, cybersecurity is a very dynamic world and it changes seemingly by the day. So it's wonderful to know that that's happening. And it's kind of awesome to think that there's going to be a version 2.0 in the spring that seems so fast. That's awesome.

Ken: Well, I think that's it, right? And I like that approach, keeping it as something that's a living document as we learn more. I mean, certainly, as we talked about before, there are things that are ongoing, right? Part of this implementation plan, and the reason I think that it moves so fast is that we're able to leverage a lot of work that was already ongoing. But that also means that as we're learning more and adding new things, why not add those into the implementation as well? 

So I think that's really been a unique strategy to have an implementation plan, but it has the benefit of remaining fresh. It's not something that you're staring at three years later saying, what did we get done? Now we move on to the next technology or the next buzzword of the day, which is a risk we have in this industry in the hype cycle.

From Submarine Engineering to Cybersecurity Leadership

Rachael: Absolutely. So Audra, do you want to ask your favorite question?

Audra: I do. If that's okay. So when I see some of the amazing guests that we have who come on the podcast with us. And I see their career and the flow and just how the different elements of their career are, it's never a straight path. So I absolutely love to hear. I would love to hear your origin story and just how you got to where you are today. Because I'm sure it wasn't a direct path and nobody has some very good stories around it.

Ken: Yes, I sometimes joke that it was neither straight nor narrow, right? So actually at some point or time had been a chief technology officer, ACIO, and mentioned that through my executive career at DOD and now at DHS. But at my heart, I'm an engineer, I was an engineer as an undergraduate and a graduate. I started out my career at a naval shipyard here in Charleston working on nuclear submarines. I built, designed, and built support systems to allow the reactor plant to be taken offline at some point to actually work on the reactor plant itself. 

So I spent the first almost 10 years of my career, literally on a drawing board and doing design work and down on submarines. And it really was a formative experience though. The US Navy Nuclear Propulsion Program is this wonderful discipline around the engineering that takes place. And it forces you to really document what you're doing to critically think and to be able to defend the decisions that you're making.

[23:57] A Cybersecurity Journey

Ken: And so when that shipyard that I was working in was closed after the fall of the Berlin Wall, we didn't need as many submarines. So we didn't need as many shipyards. I actually pivoted to start using a little-known technology called geographic information systems at the time. Basically, digital mapping to lay out the hazardous and radioactive waste sites on the shipyards. And that got picked up by one of the Navy organizations that was moving into where I was living to fill the economic void. 

One of the department heads said, Hey, I see you something about this technology, would you come to work for me? And I kind of joked that now some of my career took a 90-degree turn away from more traditional engineering into information technology. But that led me to have to learn new things. So being a curious mindset and wanting to learn new things. It wasn't hard for me to learn something about software development, to learn something about networks, to learn something about radio communications. 

To be able to work in these different areas and facets of this new field that I was moving into led to me being selected to go up to my first job in DC to be the chief engineer for the major acquisition organization. Buying the enterprise information systems for the Navy, the ERP system, the training systems, and even some of the systems for the Marine Corps.

From there, I was selected for my first executive service job as the chief technology officer for the Marine Corps, which was a lot of fun. Because we were right at that phase of coming out of the wars. 

Odyssey from Wars to Waves in the National Cybersecurity Strategy

Ken: The land wars in Iraq and Afghanistan, thinking about what would the new national Fed strategy require. And a very different approach from being in a land war to being back to our naval expeditionary roots out someplace in the ocean on a rocky island someplace having to go maintain some sort of threat to an adversary. And being able to communicate and use the technology that we gained over the previous two decades in this new way. In this new, more diverse distributed way. So it was a lot of fun in that job. And then based on some retirements, I ended up leading up to be the deputy CIO.

And so that was a change in the process of thinking about how to make this technology actually work for a business user. Really getting focused on the stakeholder, the user stakeholder, and what technologies work best for them. That role of Deputy CIO transitioned into the title that I left the Marine Corps with assistant deputy command up for information. That was really a realization that the deputy, you have both sides of the equation, both the business side of the equation as well as the warfighting side of the equation. So not only the IT but the C4 in the equation, and certainly enjoyed that time in the Pentagon. I say with my tongue firmly planted in my cheek, but eight years in the Pentagon. 

Journey in the Ever-Evolving Landscape

Ken: And then the opportunity to come over and take on the department-level role, DHS, which has been a tremendous amount of fun. And really landed right as the SolarWinds incident was taking full effect. Which actually empowered me in some ways to use all of those skills I had from the past to apply to the problem. And I found the problems weren't really all that different. It's just the environment was different, which you had to solve. So that's the short story of how I went from being a nuclear engineer on the drafting board and designing to being the CISO for the federal department. You figure out that trail.

Audra: I like it. Anyone who has a direct path just hasn't had as much fun. Exactly.

Ken: I think you're right. And frankly, going back to the first principles. I think that my engineering background and the experience of having to break down very complex problems into something a little more bite-size. And the discipline behind that process has carried through the entirety of my career. I try to talk about that with young people that I speak to about coming into a cybersecurity career how do you learn that critical thinking? Have you learned that process? 

The other thing I always try to remind, and talk to young people about is that the job that you'll end up in probably hasn't been invented yet, uninvented yet. And I say that from personal experience because when I started my career, there was no such thing as a CISO. So don't be constrained by what the job titles are today. It'll probably be different tomorrow.

Charting the Future

Rachael: Most definitely. Particularly when we start thinking about AI and all the things that come.

Audra: What's next?

Ken: Goodness. AI probably is one of the more disruptive things that we'll experience. Although, it certainly eclipsed Quantum in terms of the focus that I've had to make in even the last six months. That's not necessarily a bad thing, but it just goes to being comfortable with that uncertainty.

Rachael: Yes. Well, that's going to be an exciting, I think, conversation in a year's time. Without a doubt. It's when you come back as CISO of AI for dh.

Ken: I think my boss might have a lead on that. He was, Eric is the CI, and he's also been by the secretary as the chief AI officer. So that is indeed a role that I'm trying to go support and make sure that we're doing it in a secure way.

Rachael: Absolutely. Well, Ken, thank you so much for joining us today. This has been so wonderful. One of the things that we really love about the guests that we have is being able to double-click into themes and regulations. Everything that's impacting business government way of life today. 
And the opportunity to really talk through more of the national cybersecurity strategy implementation plan is really critical because these are significant movements forward. A true pivot as cybersecurity becomes the leading conversation. And how we eventually at some point get ahead of it versus chasing it. These kinds of plans and strategies are critical to moving forward. So thank you.

About Our Guest

Kenneth W. Bible serves as the Chief Information Security Officer (CISO) for the DHS Office of the Chief Information Officer (OCIO). In this role, he is responsible for all matters relating to information and securing and strengthening the Department’s information security program and information technology (IT) posture. Prior to his current role, Mr. Bible served under the Headquarters Marine Corps Deputy Commandant for Information (DCI) as the Assistant Director for the Information Command, Control, Communications, and Computers Division (IC4).

In this capacity, he also served as the Marine Corps Deputy Chief Information Officer and CISO, formulating and providing broad policy guidance for IT, cybersecurity, and communications infrastructure and applications. Among his many accomplishments, he delivered ADVANA, the U.S. Department of Defense’s single authoritative source for audit and business data analytics, and led Risk Management Framework reform across the Marine Corps by guiding the production of the first fully accredited secure software development (DevSecOps) pipelines.

Previously, Mr. Bible served with the Space and Naval Warfare Systems Command (SPAWAR) for almost two decades. Starting as a lead engineer integrating commercial Geospatial Information Systems technology. Then heading the Networks Engineering Division of the SPAWAR Systems Center Atlantic. He later became the Assistant Program Executive Officer (Engineering) for PEO Enterprise Information Systems. Serving as the PEO’s chief engineer as assigned by SPAWAR headquarters.