As director of emerging cybersecurity solutions for Carahsoft, Steve Jacyna keeps his finger on the pulse of the biggest cyber threats to government organizations, as well as the latest cyber innovations that protect against them. His dual goals are to help cyber vendors understand agencies’ unique needs and to assist agencies in identifying the technologies that will safeguard their sensitive data.
Jacyna joined in a Q&A discussion with GovCon Wire that covered today’s most compelling cyber concerns, including artificial intelligence, critical infrastructure, the technology supply chain, quantum computing and more.
What are the most pressing cybersecurity issues and trends organizations should be aware of right now?
Zero trust continues to be an important focus for federal agencies, and we increasingly see zero trust principles being applied at the state and local level, as well. But undoubtedly what’s on everyone’s mind is AI.
There are good reasons for that. Malicious actors are exploiting AI capabilities to steal credentials and hack into agency networks. The good news is that AI gives agencies new functionality to respond to cyber threats more quickly and protect against cyberattacks more proactively.
There are additional developing issues that should be top of mind for government. One is more frequent attacks on critical infrastructure and Internet of Things networks. Another is the security of the technology supply chain, and efforts like the Department of Defense’s Cybersecurity Maturity Model Certification to strengthen security across the vendor ecosystem. And then looking a little farther out, agencies should be thinking about quantum computing and how they’ll protect against future quantum-based attacks.
What AI-driven threats are you seeing today? And what are some of the AI-powered solutions that better safeguard agency systems and data?
Bad actors are exploiting AI to enhance social engineering attacks such as phishing. Attackers are becoming sophisticated at using AI to mimic human behavior. For instance, they can write emails in the style of agency leaders and reference topics that would be valid to the sender and the recipient. As a result, they’re getting better at tricking agency employees into clicking on malicious links, downloading malicious files, sharing access credentials or revealing sensitive data.
But AI also provides stronger cyber protections. More vendors are offering cyber solutions that leverage AI to improve threat detection, protection and response. These tools can identify anomalous activity, assess its significance, and then launch a protective response. They can simultaneously protect the rest of the network in a proactive way. Agencies benefit from faster response times to attacks and the ability to anticipate attacks and take action in advance.
Plus, many AI-powered cyber protections can function autonomously. That has tremendous value at a time when agencies face a cybersecurity skills gap.
You mentioned increasing attacks against critical infrastructure. What should organizations be aware of in this area?
There has been an overall increase in attacks on operational technology and the IoT networks that support critical infrastructure such as energy, water, transportation and healthcare systems. We work closely with our public sector customers to help them understand the threats and the measures they should take to protect against them.
One way we’ve done that is by creating verticals within Carahsoft for specific cybersecurity areas such as zero trust, quantum computing, operational technology and so on. We staff each vertical with experts who build out a portfolio of cyber solutions to address relevant issues. We help the vendors in our ecosystem to understand agency needs and we help agencies to identify the vendors that can offer them the best solutions.
For operational technology, or OT, there isn’t a one-size-fits-all solution. Each organization must build out the security infrastructure that will meet its unique requirements. We help organizations understand how to integrate a set of complementary solutions to give them end-to-end protection.
What about securing the technology supply chain? Where does the Cybersecurity Maturity Model Certification, or CMMC, fit into that picture?
CMMC is a cybersecurity model for the DOD’s partners in the defense industrial base, or DIB. The goal is to increase assurance that DOD contractors and subcontractors meet cyber requirements to protect unclassified but sensitive information.
CMMC 2.0 is the latest iteration of the program. It streamlines the requirements and aligns them with widely accepted standards created by NIST, the National Institute of Standards and Technology. Most DIB vendors need to be compliant with CMMC 2.0.
CMMC is a big focus for us at Carahsoft, and we’ve invested resources in developing programs that help vendors achieve compliance. We’ve created a CMMC Sales Desk to help vendors, resellers and managed services providers navigate the CMMC process.
Quantum computing promises to perform computations at a massive scale. Why does emerging quantum technology introduce new cyber threats?
Quantum computing has the potential to break today’s strongest encryption codes, placing sensitive data at risk. While that threat is still in the future, malicious actors can steal encrypted data now and simply hold onto it with the hope of using quantum technology to decrypt at a later time. That has many agencies very nervous.
A growing number of established technology vendors and cyber startups are working to address this once-in-a-generation emerging threat. My team is actively evaluating the technologies developing in this space. Many of these are focused on adding a quantum-secure layer to existing tools that protect data at rest and data in motion. Vendors are investing a lot of research and development dollars in this area, and we’ll be following this closely going forward. Agencies should be, too.