Fresh off his induction into the 2024 class of Cyber Defenders, we were thrilled to grab a half hour with Paul Blahusch – who is director of cybersecurity and chief information security officer at the Department of Labor – for a wide-ranging talk about the security opportunities and challenges surrounding artificial intelligence, zero trust security, the coming quantum computing wave, and the importance of collaboration among Federal security leaders.
MeriTalk: Paul, congrats on the Cyber Defender award! Can you tell us a little bit about the security work that you are spearheading at the Labor Department?
Blahusch: I’ve been doing IT work for over 30 years – yes there are computers that are older than that! I’ve been doing cybersecurity work for probably 25 years and have been the CISO at the Labor Department since 2018.
How I look at the CISO’s job – and maybe why I am deserving of the Cyber Defender award – is because I really have a focus on one mission. I don’t have as much focus on what the new, bright, shiny security thing is – I have people who work for me who focus on that. But I’m focused on how do we make sure that what we’re doing in cyber supports the mission, how are we making sure that the systems and services that the Labor Department staff and the public use are going to be available when needed, will produce accurate results, and have integrity? And then how do we keep this data safe, this confidential data that we’re providing whether it’s from other stakeholders or from citizens that are providing us with data to do this work?
It’s really about how do we enable mission, whether that involves workers or job seekers or retirees. The Department of Labor has a big mission space – we keep workers safe, we protect 401Ks, we help service members transition to civilian life, we provide economic data products that help policymakers, businesses and individuals make informed decisions – and all of those require security.
To be successful as a CISO today is not only to understand cyber but understand what mission your organization is trying to accomplish so that you can be a partner in that. There’s that old stereotype of a security person who just says “no, you can’t do that.” If I’m saying no all the time, then I am a really bad CISO. Instead, if you’re coming to me with something I’m going to assume that you have a need for that, and you need me to make sure it’s safe. It would be easy if my job was to just say no.
MeriTalk: In the bigger picture on security, what are some recent policy and tech trends you are seeing that are helping to improve security and that we should be doing more of?
Blahusch: I will point back to President Biden’s 2021 Cybersecurity Executive Order and say it has been impactful. Some of these things involved with zero trust security we were doing already – like identity and access management and encryption – but the order allowed us to take a fresh look at it. It also raised the profile of zero trust so that all of a sudden there might be agency secretaries asking me about these things, how are we doing with it, and whether we need any help. It also turned us more toward not just talking about this idea of zero trust security, but then starting to implement it.
We are hip-deep in implementing a secure access service and were fortunate enough to get a Technology Modernization Fund (TMF) award that helped us kickstart that process. As your readers know, TMF funding is not a gift, there is some sort of payback for that, but it helped to start moving us to that zero trust environment and architecture.
But the order covers much more than that. I think one of the hidden nuggets in the executive order that doesn’t get as much focus as zero trust is supply chain. Think back to the CrowdStrike disruption in July – if that falls in anywhere it’s pretty close to supply chain, because we are all interconnected. I think supply chain is going to be very, very important and more so as we move along. No one is building everything themselves and we need to be having trusted partners.
Along with that are the requirements from the Office of Management and Budget that we have to know what’s in your software products – sort of like a nutrition label on packaged foods. Where did that stuff come from, is there some open source in there that I need to know about – and that ties into issues like log4j. We need to know that upfront.
I’d also be remiss if I didn’t talk about artificial intelligence and how much machine learning, AI, robotic process automation – however you want to draw a circle around that – is going to help us. It’s also going to be a challenge for us, and our adversaries will be using those things too. At a practical level, we get so much data and we need help from AI to sift through that because we are never going to be able to hire enough people to do that.
Another thing that’s encouraging to me – and I think this has been since the start of the coronavirus pandemic – is the degree to which the Federal CISO community and others have come together. The pandemic kept us physically apart but since then we’ve had a shared experience and we’ve been collaborating in a richer way.
MeriTalk: Has that come mostly through the Federal CISO Council?
Blahusch: The Federal CISO Council is one of them, but there are so many focus groups and working groups and communities of practice that have spun off. It’s not just the CISOs and my peers, but it’s people in the security operations centers, it’s our people doing supply chain across the government, they are getting together to collaborate. I see so much more of that happening. We also used to say we need to do it more because the bad guys are busy collaborating on the dark web, and I think there is a lot more collaboration among the good guys now.
MeriTalk: Also in the bigger picture, what looms large for challenges in improving security?
Blahusch: In addition to the implications of AI, the other big one we are preparing for is quantum computing, which will make current encryption of data obsolete. So if a hard drive gets lost today, you might say the whole thing is encrypted and I’m not going to worry about it, but if a bad actor with enough quantum computing power gets ahold of it, they will be able to crack that encryption in the future. We have to start identifying where our tranches of data are that would still be valuable in 5-10 years. We need to start identifying those, and those need to be the first ones that need to be secured when post-quantum encryption algorithms become available.
The other thing that is challenging is resources, particularly in the Federal space. We are challenged with budget realities. So we need to make sure that we’re finding new ways to be more efficient and stay secure, and maybe that points back to using AI to accelerate some things and create some efficiencies from that because I don’t foresee us getting a huge increase in budget.
The final thing is workforce, and that’s going to be extremely challenging. One thing we do in the Department of Labor is workforce training and that’s something that the Federal government as a whole is interested in because it’s a nationwide initiative to get more people into the cybersecurity workforce, to get more high school and college students into the field and produce a tide that raises all boats. On the government side, we certainly have things to offer – mission and stability and things like that – but sometimes it’s hard for us to be competitive with the private sector on salary and other things, so we do have concerns about workforce.
MeriTalk: How did you find your way to the tech security field, was it something that always seemed like a natural path or was the path more complicated?
Blahusch: Cybersecurity was not actually a career path when I was growing up. But I did always have an interest in solving problems, solving puzzles, or putting things together and figuring out how they work, which I think are very important interests to have if you want to be in cybersecurity. I graduated from Penn State in 1985, and this was before the Morris Worm virus was discovered in 1988. I think maybe the only other touchpoint for cybersecurity was the 1983 movie WarGames.
I graduated with an engineering degree but my first real job out of college was inspecting cement and concrete laboratories, and that was affiliated with what was then the National Bureau of Standards but is now the National Institute of Standards and Technology. My boss at the time asked if I knew anything about computers and how to set them up and write some macros, and I realized I liked that better so that’s what I got into. I moved through system administration, email administration, network administration, dabbled in some programming, moved into system analysis and design, and then in 1999 the agency I was contracting with started up a cybersecurity group and I was fortunate to get in there.
MeriTalk: Last one, what do you enjoy doing in “real life” that doesn’t have anything to do with technology and security?
Blahusch: I’m not sure it’s what I enjoy doing, but it’s what my wife enjoys, and I enjoy being with her. She loves lighthouses so we go visit lighthouses up and down the Mid-Atlantic and even further away. I think her dream someday is to actually live in a lighthouse – we’ll see.