The Federal government has come a long way in improving civilian agency and critical infrastructure cybersecurity over the past ten years.
Central to that improvement effort is the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), which has the weighty mission of managing and reducing risk to U.S. cyber and physical infrastructure.
And at the nexus of CISA’s ever-expanding lineup of major security programs is Sean Connelly. He carries the apt title of Senior Cybersecurity Architect, along with serving as program manager of CISA’s Trusted Internet Connections (TIC) initiative. TIC began life in 2007 with a mission of consolidating Federal network connections and has since grown into its third generation of guiding security across a wide range of network architectures.
Connelly arrived at the agency in 2013 – five years before DHS’s National Protection and Programs Directorate morphed into the present-day CISA – and through the TIC program has played a guiding role in many of CISA’s major cybersecurity programs that are household words in government network security today – including EINSTEIN, the Continuous Diagnostics and Mitigation (CDM) program, and the government’s full-bore push toward zero trust security architectures since 2021.
A familiar presence on the Federal tech conference circuit – and patient explainer of security concepts to inquiring journalists (thanks Sean!) – Connelly gave us a half hour of his time to track progress on CISA’s lineup of major security efforts, talk about why security architectures need to keep changing for the better, and counsel some of the most important things that Federal agencies can do to make those changes happen quickly.
MeriTalk: Sean, you’ve been at the policy and practice center of a lot of the Federal government’s biggest cybersecurity pushes for the past ten years – we’re talking Trusted Internet Connections, EINSTEIN, CDM, and zero trust – the real heart of the lineup. Can you take a step back and give us some thoughts about the differences between then and now, and how those efforts are making a difference?
Connelly: What you’ve been seeing over the last decade or so is the evolution of risk management and how security architectures have progressed to support our changing mission and business needs, coupled with technological advances and expansion of diversity of risks.
Ten to 15 years ago, the Federal government’s cybersecurity posture was largely reactive. We’ve gone from blindly trusting networks that have hardened outer defenses – and that may be connected to other similarly architected networks and environments – to a much more fluid, borderless way of interconnecting our enterprise information technology.
Compared with where we were 10 years ago, networks today are much more distributed, much more complex, diverse, dynamic, and automated. All of this means we need a proactive approach, which includes adopting zero trust principles so that no user device can be trusted by default.
Looking at the broader group of programs including CDM and EINSTEIN, these programs continue to evolve. I think a lot of times the focus of the programs has been on the tools. But really, the tools are just the means to an end. We’re seeing now the CDM program is rapidly advancing its dashboard capabilities for both the agencies and CISA to have a much richer understanding of agency environments. With EINSTEIN, just last June we released a new RFI as we look to evolve our sensor capabilities.
All of these efforts are making a difference. We are better able to detect and respond to threats, and we know we’re more resilient in the face of attacks. However, there’s still much work to be done. The threat landscape is constantly evolving, and we need to continue to invest in cybersecurity to protect critical systems and data.
With TIC, where I’ve been involved for the last 10 years, there’s a lot of overlap with zero trust.
The one thing we didn’t thread the needle on correctly – we launched TIC 3.0 back in 2019, and there’s a misconception that TIC 3.0 only means legacy firewall stacks. That’s the furthest idea from the truth. Ideally in both zero trust efforts, and with TIC 3.0, it’s moving security – including visibility – closer to what needs to be protected. We believe TIC 3.0 helps agencies to understand how to protect both legacy systems and code, and also modern tech stacks.
We are seeing this evolution of protections across the greater IT community. We are evolving from a “Data Center model” to a “Data Centric model.” With the Data Center model, everything we built was around the data being concentrated in physical data centers that we controlled. I’m not only talking about the technology that we controlled, but our processes, teams and thinking was built around data being in this one finite place. Now we are moving to a Data Centric model, where everything still revolves around the data, but with everything being much more diverse and distributed, we require architectural solutions that are just as flexible – and this includes security architecture. That’s where I think you’re seeing the value of both the zero trust and TIC 3.0 efforts, supporting the community as we evolve.
The end objective remains consistent throughout: keeping malicious actors from doing harm to the Federal government and our critical infrastructure.
MeriTalk: As we know, there is no end-state to security, but it sounds like the government has been making some solid progress. Can you describe that degree of progress?
Connelly: We’ve definitely made progress, and what’s interesting is the rate of improvement is accelerating. Sometimes it may seem like we take one step forward and two steps back, but having been in the trenches on a daily basis for a while now, sometimes you need to take the macro view.
As I look back over the last 10-15 years, there are some important markers that demonstrate acceleration in the improvement curve. First, we’re seeing how cybersecurity is becoming a real standalone program of record in agencies and departments, and real and continued investments are happening. Congress understands the need that agencies are budgeting for and is making real investments to improve their cybersecurity posture.
Second, those programs we just spoke about – TIC, CDM, NCPS (National Cybersecurity Protection System) – along with other CISA programs, the agency’s threat hunting teams, vulnerability management offices, the Joint Cyber Defense Collaborative, along with our regional offices, and outreach from CISA itself – we are continuing to evolve our services initiatives.
Third, our adversaries are evolving their approach and forcing the government to improve our defensive posture to combat those threats. It’s a common adage you hear that hackers are not only breaking into systems anymore, but they’re logging in as well. This requires new cybersecurity principles.
Fourth, I’m a big advocate of the Technology Modernization Fund. I’ve been an alternate board member on TMF for the last few years and over that time I think we’ve awarded somewhere between $700-$800 million to 20-plus agencies across 40 different projects as they are looking to accelerate modernization of their systems.
MeriTalk: You’ve said many times that putting zero trust security in place is much more than buying a suite of tools, and that it’s also about changing people’s minds, and changing the security culture. On those last two, how do you see them taking effect in government?
Connelly: The momentum over just these last few years has been amazing. Having led a lot of these security architecture discussions over many years, the ability to reposition ourselves quickly has been incredible. The concept of least privilege and not trusting any specific person or interaction in a digital environment is easily intuitive to grasp, and to understand and accept.
But for others that may have been steeped in legacy architecture and bureaucracies, it’s been a challenge. We’ve had many conversations at different levels of agencies, management, and technological teams discussing this evolution and how to improve agency cybersecurity posture.
Just to give an example, I’ve been promoting TIC 3.0 for a few years now in zero trust. But only just a few months ago, I was talking to a Chief Information Officer (CIO) – one I talk to every few months and one that everyone would recognize – and the CIO’s team didn’t realize until that conversation this summer that the agency could move off their legacy TIC firewall stack, and could migrate to a modern, Secure Access Service Edge (SASE) solution.
The big caveat is that these new architectures have to send the right telemetry to us. So even after building these new architectures for two years now, we know we still have work to do to ensure these new possibilities are understood.
As another example, one of the biggest challenges facing Federal agencies is simultaneously living in two worlds. As agencies migrate to zero trust architecture, they must also protect their legacy environments. Until that transition is complete much of their data and critical services will live in these legacy environments. So, agencies have to protect now, while striving for a future state.
For an extreme example to help illustrate the challenge, NASA’s Voyager satellites were launched in the 1970s and are still sending us universally unique data almost 50 years later, from over 10 billion miles away. We are never placing modern software and modern tech stacks on those satellites. We’re not putting on something like an endpoint security agent, but we can still protect the data that comes off of those satellites in new ways. So, you can protect the data’s integrity by allowing for greater data access possibilities.
It’s been part of the challenge working with agencies developing their requirements, building their budgets, finding the funding, ensuring investments meet these requirements. And we’re making progress through agency capital funds, with TMF, and other means.
MeriTalk: The Biden administration’s 2021 Cybersecurity Executive Order (EO), as we read it, put real power and authority behind the move to zero trust security. Can you give us an idea of that in a practical way as CISA and Office of Management and Budget (OMB) have been creating guidance and putting the order into effect at agencies?
Connelly: The EO set the stage for what we’ve been doing for the last few years. The EO really got the whole of government thinking about cybersecurity in new ways. It was not only about protecting our Federal networks, but also how the U.S. government could amplify the greater efforts going on across the entire IT community.
The EO was a response to the SolarWinds attack, and a lot of what you saw come out of it was we need to think about cybersecurity, and we need to think about modernization of systems in new ways. A lot of that was evident by what was in the EO itself.
To be honest, at a more operational level for Federal agencies, I think the most impactful document has been the OMB Zero Trust Strategy – OMB Memo 22-09. For agencies, the OMB memo and follow-on guidance that we’ve co-authored like the Zero Trust Maturity Model, the Cloud Security Technical Reference Architecture, and the catalog of TIC 3.0 use cases and capabilities, have really given agencies a roadmap of how to make these changes.
Outside the Federal government, we can also see how the cyber EO is resonating with our international colleagues. We’ve had a number of discussions with foreign governments as they want to shift their environments and understand the opportunities and changes of moving to a zero trust mindset. That’s something we haven’t had before – it’s this common language towards cybersecurity and it’s one thing the cyber EO really magnified.
MeriTalk: We know you’ve had some authorship of both of CISA’s Zero Trust Maturity Model editions, and they really get down to brass tacks about what agencies need to do. How are those detailed instructions both from CISA and OMB helping agencies to undertake the very large task of shifting their security mindsets?
Connelly: With the maturity model itself we intentionally took an abstract view – it’s very high level, it’s meant to help agencies, but it’s not meant to be the only way. At the very beginning, a couple of different times in the model, we say there are many paths to get to zero trust, and we will help to illustrate a few of those ways.
There’s that saying – all models are wrong, just some models are more useful. We hope ours is useful, that’s what we want. We want a model to help agencies understand where they may fit on the spectrum of cybersecurity efforts.
The whole idea for the maturity model was a way to shape agencies’ plans and discussions so we have a common language to talk about zero trust. This makes it easier for agencies to share their plans with OMB, CISA, Congress, and others and to help collaborate with other agencies and organizations. The maturity model helps agencies to assess their progress when they’re on a journey to zero trust. Information can be used to develop realistic plans, prioritize resources, as well as next steps to improve your zero trust posture.
At the macro level, our maturity model, along with a wealth of guidance put out by the Department of Defense (DoD) zero trust office, General Services Administration’s (GSA) zero trust buyers guide, National Institute of Standards and Technology (NIST) and others – all of these are helping agencies, as well as organizations, move forward with adopting a zero trust mindset one step at a time.
MeriTalk: Without naming any names of course, can you tell us what are some of the typical characteristics of an agency that seems to be making pretty good progress on zero trust, what kind of things would typify an agency like that?
Connelly: To give an example, when OMB’s zero trust strategy was released, each agency was responsible for releasing to OMB – and we helped review – their zero trust architectural plans. Along with OMB and other stakeholders, we’ve talked to almost all the Chief Financial Officers Act (CFO Act) agencies, and many of the small and micro agencies. The TMF Board is another way to talk to agencies, as is implementing TIC 3.0, so there are a number of ways up and down the chain that we talk to agencies, and there are some clear themes.
First, the agency has to have a clear understanding of its mission and risk profile. The agency should have a strong understanding of its mission, the data, and assessments that are essential to fulfilling that mission, and the threats those data systems face. This understanding can be used to inform the agency’s zero trust strategy and prioritization.
Second is a commitment to continuous improvement. Zero trust is not a destination. This means regularly monitoring progress, identifying areas for improvement, and making those necessary changes.
Third is a culture of collaboration and innovation. Zero trust requires collaboration – collaboration across the entire agency, as well as other agencies and organizations. Agencies that are making good progress on zero trust have a culture that fosters both collaboration and innovation.
But I think the core characteristic that was most impactful initially was having leadership buy-in. This goes back to the cybersecurity executive order, and at the agency level it means the Chief Information Security Officer (CISO), but also all the way up to the heads of agencies. Where this is a line at the top, agencies can make great strides.
MeriTalk: In the case of agencies that are challenged in their zero trust progress, is the opposite the case?
Connelly: There are some obstacles, almost the opposite of what we just talked about. But let’s start at the top – leadership buy-in is essential for success. If the agency’s leadership is not committed to zero trust, it’s much more challenging for an agency to make significant progress.
Lack of funding and resources is another factor. We know we are in a resource-constrained environment. Agencies that do not have adequate funding and resources may find it difficult to implement and maintain those zero trust architectures.
Lack of expertise also can come into play. Agencies need to have expertise to implement and maintain zero trust architectures, and cybersecurity skills gaps are well documented.
We’ve talked a little bit about the legacy system applications. Many of the agencies have legacy systems that are not natively designed for zero trust. We need to look at each of these systems carefully, and potentially maybe rearchitect, replatform, redesign, replace, or even retire them.
And then there’s that resistance to culture change. Zero trust requires changes in the way agencies operate, and resistance from staff that are comfortable with the status quo doesn’t help.
MeriTalk: You’re a familiar face in government security advancements and especially zero trust, but we know it’s a team sport. Are there any shout-outs you’d like to give on the government side of things to people or agencies that are really getting it done well?
Connelly: This is a very large group effort. But for shout-outs, both CISA and OMB leadership for sure, and our peers and colleagues at GSA, National Institute of Standards and Technology, and DoD.
There are many people driving the effort, but the real people that we need to shout out are the folks that are doing the daily implementation. We have the zero trust implementation leaders at agencies – those enterprise architects, the CIOs, CISOs, the networking security teams. And then a lot of them are augmented by the contracting community and the vendors they support, so we’re all doing important work to make zero trust a reality.
I’ve worked closely with a lot of these people, some going on 20 years, and we’re all kind of shocked at the momentum around zero trust in just the last few years.
And finally, a big shout-out to my colleague John Simms, who is a Senior Technical Advisor at CISA. John’s been here on everything we’ve been doing with TIC 3.0 and zero trust, and he used to be the CDM program manager, so he’s steeped in everything we are doing. He’s been on every call with me for the last five or six years.
MeriTalk: How about a little bit about your path – has technology always been a natural fit for you, or was that something you picked up along the way?
Connelly: I’ve been around technology for a long time. I grew up in Binghamton, N.Y., which was the home of IBM Corp. In the early 1980s, my parents bought a Radio Shack TRS-3 computer. I used to code on that computer. The movie War Games came out right about that same time and that had a big influence on me.
In the fifth grade, I created a science project on my computer that made it all the way to the county science fair. This is where I had my first experience of what we now call user experience. One of my judges in that county fair was Sister Geraldine, she was over 80 years old, born in the 1800s, and there she was trying to run my computer program at the county science fair. I didn’t win but it was an early lesson in how to make sure that technology is accessible to everyone.
MeriTalk: Final question – what do you like to do in your life that has absolutely nothing to do with technology?
Connelly: In addition to being a husband and father, I’m a history buff. Living in the greater D.C. area, it’s easy to be enveloped by history, so visiting museums, going to Mount Vernon, biking on the trails. I’m also a gym rat and have made a lot of great contacts there. I like my community outside of the office.