Before entering the private sector in 2021, Rick Driggers garnered extensive experience working within the U.S. government. He launched his career right after high school when he enlisted in the U.S. Air Force and later moved to the Department of Defense and then the Department of Homeland Security, where he gained a deep understanding of the relationship between cybersecurity and critical infrastructure.
Now, as managing director and cyber practice lead at Accenture Federal Services, he draws upon his knowledge of the current cyber landscape to help federal agencies address continuously evolving cybersecurity challenges.
Driggers recently sat down for an Executive Spotlight interview, in which he shared his thoughts on key cybersecurity trends and challenges and weighed in on what it means to successfully implement zero trust.
What new trends or shifts are you seeing at the intersection of cybersecurity and national security, and how are those trends influencing the public sector today?
There are several cyber trends that have emerged in recent years, one of which is countries increasingly emphasizing cyber sovereignty. If I speak globally here, this has led to nations like China and Russia implementing pretty stringent data localization laws to ensure that the data generated there stays within that country and is processed and stored locally. We’re also seeing countries deploy firewalls and other technologies to create a “digital border” to control the information going in and out of the country and to establish control of digital access.
From a military perspective, we’re seeing cyber warfare acknowledged as an integral component to modern military operations and the development of doctrine across different governments, particularly in the cyber offensive and defensive operations mission space. We are also seeing greater integration of cyber capabilities with traditional military forces as well.
Additionally, there’s an uptick in cooperation globally as there is increased recognition for collaboration on the international front. Countries are entering into bilateral and multilateral agreements to combat cybercrime and establish norms of behavior. There has also been increased participation and focus on information and technology security in forums like the World Economic Forum in Davos as well as the Paris Call for Trust and Security in Cyberspace.
All of that said, there has unfortunately been a noticeable rise in state-sponsored cyber operations, particularly cyber espionage, supply chain exploitation and incidents impacting our critical infrastructure, all for political, economic and military gains. The increase in incidents of cyberattacks against critical infrastructure and supply chain attacks like SolarWinds is especially troubling. This has caused us to really focus on the protection of critical infrastructure assets, particularly as it pertains to healthcare, financial systems, communications, water and energy.
Governments are collaborating more with private industry to enhance the security of critical infrastructure through public-private partnerships. We’ve seen the U.S. regulatory landscape change as well. In March 2022, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act, which gave CISA the authority to mandate cyber incident reporting for critical infrastructure owners and operators – which has been largely supported by industry.
Of course, you can’t talk about ‘trends and shifts’ without talking about quantum computing, which in some ways is coming faster than we thought it would. The potential future threats posed by quantum computing are prompting many preemptive actions by Congress and the White House to ready departments and agencies to transition to quantum-resistant algorithms. There has been significant investment into quantum computing as well as quantum security and information science over the past couple of years. We’re supporting our federal clients to inventory and gain visibility into their cryptological assets, but progress has been slow.
Another significant investment area is AI, which is being leveraged for both cyber defense and malicious activities. I see this as really signaling a new frontier in cybersecurity. The benefits – awareness, automation, planning, performance and many others – will help organizations greatly improve their cyber posture. But the need is now! Invest in your technology, process improvements and your people and do that responsibly and ethically.
What do you think is the biggest threat facing U.S. cyber systems today, and what can be done to protect against that threat?
I would say the biggest threats are state-sponsored cyberattacks and other related malicious activities, particularly those coming from nation-states with advanced capabilities. Their efforts pose a significant risk to our national security, economic stability and critical infrastructure. Disrupting these nation-state threat actors, as well as other cyber-criminal groups, requires a multifaceted approach involving government and private sector collaboration, leveraging technology advancements – particularly when it comes to AI and getting ahead of the quantum power curve – and public awareness. Everybody has a responsibility to keep their information secure.
In the past five or 10 years, there has been more effort from government and industry to engage in cyber threat intelligence/information sharing with sector Information Sharing and Analysis Centers, or ISACs, and other organizations, like the Cyber Threat Alliance, to more quickly disseminate information about emerging threats. We’ve seen the adoption of advanced threat detection technologies around machine learning and artificial intelligence to identify and respond to those threats in real time. Zero trust is important, and I know that many people think zero trust is a buzzword, but it’s also a set of critical practices to continuously verify users and devices and ensure that every user that has access to your network is trusted.
What we’ve seen, particularly when it comes to supply chains, is the implementation of really stringent security requirements for vendors, pushing them to conduct regular assessments of their security practices to build transparency and trust within their supply chains by sharing that security-related information. CISA is a big proponent and has done tremendous work across government and industry to promote its SBOM program.
At the end of the day, there are so many things we can do, but not all entities are able to do all of them. A lot of critical infrastructure is target-rich and resource-poor, meaning our adversaries see them as valuable targets, and they really don’t have the resources to implement robust cybersecurity defenses. We’re not doing enough to disrupt or impose costs on our adversaries – we’re making it too easy for them. Collectively, we’re just not seeing the implementation of low-cost and scalable cybersecurity practices such as multi-factor authentication or even changing default passwords.
In your opinion, what will zero trust success look like, and what is your company doing to help federal customers achieve that success?
Zero trust success looks a lot of different ways – it really depends on where you are and how you are measuring your cybersecurity risks in your organization. Zero trust is all about never trust, always verify. It’s a relatively new type of security framework that we’re putting in place. I think the most important thing you can do is get on the journey and begin this process of zero trust. There are a lot of different aspects to it – strong identity management, device protection, network security, data protection such as robust encryption, data loss prevention and access controls, continuous real-time monitoring across all your network traffic and users and application security.
To measure success, you’ll have to look at each of the frameworks that CISA and the DOD have published, baseline your maturity against the pillars within the frameworks and measure success of your efforts individually to determine what your broad zero trust posture looks like across your organization.
At Accenture Federal Services we have developed Zero Trust 360°, referred to as ZT360, a comprehensive security assessment that evaluates an organization’s security posture by assessing every component of the ZT model to produce a ZT Maturity Score. This score helps organizations understand their current maturity level and provides a baseline for measuring progress. The assessment also generates a tailored ZT Strategic Planning Roadmap that prioritizes security solutions, technology upgrades and process improvements to help organizations achieve optimal zero trust maturity.
It’s really hard to talk about all of these things without mentioning the workforce, which is something we’re not doing enough around. I do think there is now a renewed focus on building a cybersecurity workforce. Governments are launching programs to attract, train and retain cybersecurity talent, and we’re seeing similar initiatives across industry. At Accenture Federal Services, we have programs to upskill all of our people in cybersecurity so that they understand their roles and responsibilities as they use digital devices to conduct global work. I think the challenge is obviously resources, making sure the workforce is able to put in place robust cybersecurity practices and finding a way to do it from an enterprise perspective.
We’re also seeing efforts to educate and inform our citizenry. There are public awareness campaigns around cybersecurity best practices to recognize phishing attacks and secure personal devices. Another thing I think is really great is that we’re starting to see the introduction of cybersecurity in school curricula to build awareness at a young age because right now, all of our kids are digital natives. They have these devices as soon as they can hold them, so making sure that we are building that security mindset into their lifestyle the same way they know to lock the door when they come home or not talk to strangers is important.