Federal leaders need to continue to make progress on the basics of cyber hygiene, but they also have to look ahead to the next generation of threats. In this episode of the McKinsey on Government podcast, McKinsey partner Tucker Bailey and former US congressman Will Hurd discuss the emerging cyberthreat landscape, the role of the chief information officer (CIO), and the future of the federal cyber workforce. An edited transcript of their conversation follows.
Francis Rose: Welcome to McKinsey on Government. Each episode examines one of the hardest problems facing government today and solutions from McKinsey experts and other leaders. I’m the host of McKinsey on Government, Francis Rose. High-profile cyber breaches in government, the private sector, and academia have technology and security leaders rethinking the basics of their cyber postures. The federal government is under orders to build more cyber resilience into its systems. That’s the subject of McKinsey on Government this week with Tucker Bailey, partner at McKinsey, and former congressman Will Hurd, former chairman of the House Committee on Oversight and Reform’s Subcommittee on Information Technology.
Gentlemen, thanks very much for coming on the program today. Will, I start with you. You had a reputation on the Hill as somebody who was really well versed and cared greatly about cybersecurity issues, especially resilience. What have you seen in the time that you’ve been off the Hill that you think is either a good thing or a bad thing as far as the federal government’s posture is concerned, cybersecurity-wise?
Will Hurd: Well, I think the posture has shown that the cracks that we’ve always seen are getting larger, and they’re being taken advantage of by more adversaries. I think ransomware is a perfect example.
Everybody thinks I’m strange when I say the GAO [Government Accountability Office] is one of my favorite entities in the government. The GAO has highlighted many of the problems that we have seen in our digital infrastructure for a number of years.
It goes back to, if you do the basics in good digital hygiene, then you’re protecting yourself against most people. We shower. We brush our teeth. We comb our hair. We do all those things in our personal hygiene, and we should be doing those basic things in our digital hygiene, too.
Since I’ve been out, those problems we identified have become more critical. Also, I’ve seen how the technology that can be used to take advantage of our digital infrastructure is increasing in complexity. The future of cybersecurity is going to be good AI versus bad AI, and we are definitely not prepared for that situation.
Imagining the next generation of adversaries
Francis Rose: Tucker, welcome. It’s good to have you on the program today, too. Will talks about the basics of good digital hygiene. That’s something every chief information officer and every CISO [chief information security officer] that I’ve talked to in the federal government for 15 years has said. Yet we’re still having this conversation 15 years after I started, and I certainly wasn’t there at the beginning.
Do you see anything either in existence today on the threat landscape or across the horizon that makes you think that that won’t still be necessary? I mean, the fact that we still have to talk about it means that it must still be a challenge or an issue, right?
Tucker Bailey: Yeah. I think it’s a “Yes, and,” Francis. I think basic cyber hygiene is going to continue to be table stakes.
As we talked about with the rising threat landscape and kind of new techniques and new vectors, folks are going to have to move at a dual speed. They’re going to have to continue to make progress on the basics of cyber hygiene, and they’re going to have to look forward and think about the next generation of threats, be it automated, AI-driven threats, or be it the use of new techniques, hybrid cyber campaigns, et cetera. It’ll be both. You can’t fall asleep on this one.
Francis Rose: Tucker, if we’d had this conversation a year ago, we probably would’ve been talking about phishing as something that was over the horizon. I got one at work today and, sad to say, I failed the test because it looked like it was coming from my boss. It was very well executed.
Fortunately, it was a test and not a threat, so I didn’t blow anything up. But when you think about that—I’m somebody who talks about cybersecurity every day of my life, and I blew it. And I wonder, how does one anticipate what the next generation of threats is going to be? In order to do that, you have to think like the bad guys. And good guys don’t normally think like bad guys, do they?
Tucker Bailey: You’re speaking my language, Francis. The attackers are limited only by their creativity and ingenuity, I hate to say it.
A lot of the counsel that we give our clients is just that: you know what’s important to you, but that may not be what’s important to the adversary. You have a view of your infrastructure and your network, but that may not be the same view that the adversary has.
So put yourself in the threat space and look at your own organization as an adversary would. Think about the campaign that they would run against you and how your controls align against that potential campaign.
Laying the groundwork for future defense
Francis Rose: How do you shape a response, either policy-wise or operationally, Will, based on having to think that way? You have to think like the bad guys in order to decide how to deal with the bad guys.
Will Hurd: The latest buzzword is “zero trust,” where your systems are designed with the mindset that you can’t even trust people on the inside—designing the architecture of your systems such that even though someone may have to have this information, you have to have procedures in place to confirm that that person should have access to it.
It’s going to be hard to defend against. There are new technologies that are coming out to defend against runtime protection. The notion is, OK, we know this application. We know how it’s supposed to work. And we know the 10,000 ways that it may be used in a good way. But even if you’re prepared for 10,000 different uses, that 10,001st time will make it stop.
It is going to require artificial intelligence to do this. There are companies that are starting to do this, which is going to help because it may actually prevent the need for patching, because you know how the system is supposed to work in a perfect world.
But the reality is, the next level of technology is going to come with quantum computing—and to make sure that we have quantum-resilient encryption, we have to start thinking about this now. We should be thinking about quantum supremacy, or an adversary getting quantum supremacy, the way we were thinking about Y2K [year 2000].
I think the three of us are old enough to remember billions of dollars put into it. I remember driving in west Texas on Y2K day, being, like, man, something’s going to happen. And it didn’t. It was kind of like a big nothing.
But we put time, energy, and effort into it. And guess what? Our adversaries are sucking up as much ciphertext as they possibly can in every industry. They’re going to be able to break it once they have a quantum computer. Look, it’s been going on for years. But think about right now. Am I protecting my information right now? Being connected to the national security apparatus for 21 years, I’ve learned that the assessments of the security community and the national security community are usually—whatever they say—divide by two; divide by half.
We’re going to be at that quantum-supremacy point sooner rather than later. This is a whole other game. Imagine our adversaries having all of our information on banking and financials, on intellectual property. This is such a nebulous concept for so many people to think through, but it’s going to make these debates we’re having now, talking about ransomware, look like a pillow fight. We have to be prepared for that situation.
Strategic thinking for a secure government
Francis Rose: What, Tucker, does one do if one is in a position of leadership inside a federal agency? I don’t mean to pick on the folks at the [US] Department of Energy. But, for example, they have their own cybersecurity operation to run, and they have a very qualified leader there. Ann Dunkin’s the new CIO. She’s very experienced at all levels of government.
They also have responsibility through their CESER office [Office of Cybersecurity, Energy Security, and Emergency Response] at handling threat information about what’s happening throughout the energy infrastructure across the United States. So they’re thinking about this from two different perspectives. I wonder what thought process about resilience should be going on in an organization like that that has an internal-facing and an external-facing responsibility.
Tucker Bailey: I think there’s two things there, Francis. And, first, the good news is that government agencies see the threat in ways that they may not have in years past. The new generation of leaders really understands what the threat landscape is. But they’re playing the hand they’re dealt, which often is antiquated IT infrastructure.
At the same time, the second piece that you talked about is, for those agencies that have regulatory or oversight responsibility, how do they engage with their private-sector components who actually operate the critical national infrastructure?
On the first piece, some of it is playing that remediation game and some of that basic hygiene that we talked about. I do think the executive order that the administration recently issued has some very constructive first steps in there, such as things like Will mentioned—moving to zero trust; plans to transition to cloud architectures; and also some things that aren’t traditionally thought about for cybersecurity technologists, such as, what are our critical information assets? What data do we hold that would be of value to somebody else? And how do we protect that proportionately?
On the second half of your question, how do they engage with private-sector components for holistic national defense? This is an area where we’ve seen significant improvement. As we talk to our clients in the private sector, they are seeing government agencies start to meet them halfway. As you think about the next phase of that, it’s understanding how they actually operate their business. What are the incentives for them? And how do you make engaging with the government and government agencies, at minimum, a friction-free experience and, at best, a business-and-mission-enhancing experience? That kind of customer experience concept is one where I think you’re going to see more emphasis going forward.
User-friendly security
Francis Rose: Haven’t people always thought about customer experience versus cybersecurity, though, Tucker, as exactly that? That they’re at loggerheads with each other and that they’re not compatible? The idea that whether it’s an internal or an external customer, the more security we put in place, the harder we’re going to make it to do business with us?
Tucker Bailey: The thought process has been that way. But I think with some of the technology that’s coming out, it’s a bit of an artificial dichotomy. Where you see leaders moving out on this, they’re actually doing both. They’re increasing their customer experience and customer value proposition, and also increasing the security.
It’s worth recognizing that customers increasingly value security. They don’t necessarily see additional security as a trade-off but as an enhancing feature. The fact that I don’t always have to put in a username and password if I have multifactor authentication—well, to me, that’s a better experience than banging out these passwords all the time. And it increases security.
I think the next generation after multifactor is where we’re limited by our own creativity. And I think there are some very interesting companies coming out of the technology infrastructure that are starting to address that: increasing the value proposition to customers and users and increasing security at the same time.
The evolving process of federal threat response
Francis Rose: Will, you’re just a couple months removed from direct oversight over these issues and direct interaction with the executive-branch leaders that are doing both the internal and external types of interaction with the threat landscape that I described a few moments ago. Are you bullish, bearish, or neutral on the trajectory that federal government agencies are on in dealing with the threat landscape?
Will Hurd: I have to agree with something Tucker said earlier: federal CIOs completely understand the threat landscape and what’s coming their way. I’m a huge fan of all of our federal CIOs. During my time in Congress, I was always trying to give them more authority and ability. But Tucker pinpointed it: sometimes they’re dealt the hand they’re given, and then sometimes one of their hands is tied behind their back. They don’t have the freedom and flexibility to do all the things that they probably would want to do on their digital infrastructure, which is the biggest problem.
Look, it’s so funny. When I was in the CIA [US Central Intelligence Agency], thinking about running for Congress, and I’m in a tent in the Hindu Kush Mountains, I didn’t think that I’d become the IT procurement guy in Congress. But I spent a lot of time focusing on IT procurement, because the problem, ultimately, is that the person using the IT good or service is different from the person purchasing the IT good or service.
That disconnect is gigantic, and that creates a lot of the problems. That’s where we need to make sure we’re empowering the CIOs, because all these folks are smart. They know the threats that are coming. They’re getting on the reports and reviews. But sometimes they’re restricted by the flexibilities within their budget.
When I first got to Congress, I wasn’t going to do oversight and government reform. I wasn’t going to chair an IT subcommittee. But [former US representative] Jason Chaffetz, at the time, was the chairman from Utah. I had my degrees in computer science. I had helped build a cybersecurity company. And he’s, like, “Hey, come do this thing.”
The staff at the time was, like, “There’s this thing called FITARA [Federal Information Technology Acquisition Reform Act].” It ultimately became a scorecard, and what I learned was the importance and the role of oversight in government: what you shine a light on, people will focus on.
And so, when you focus on trying to do data-center consolidation, and people were constantly finding something: “Oh, we actually had more data centers than we thought. Oh, we’re not doing two-factor authentication. Oh, the administrator’s password to the system is ‘password.’ Oh, wait a minute—we only thought we had five licenses for this software; we have 1,000.”
They’re trying to focus on those things that are problems, but they need the flexibility to move at the speed of the threat. That is where the gears of government sometimes get in the way.
Tucker Bailey: Well, let me pick up on one of the things that you mentioned, which is that sometimes, security initiatives are dual use. If you can reduce your surface area by reducing the number of licenses, that’s a cost saving. If you can reduce the surface area by retiring legacy applications that may be out of support, oftentimes there are significant cost and productivity savings as well.
Security officers partner with the broader IT organization to think through how we modernize, how we increase productivity, and how we take advantage of best-in-class COTS [commercial off-the-shelf] products that are proven. You don’t have to do custom development, which can be difficult to sustain and support. Oftentimes, we see real win–win opportunities there.
Will Hurd: It also gives us the opportunity to provide better digital-facing services. And guess what? When you provide better digital-facing services, you can make the government more efficient. One of the reasons that trust in government is at an all-time low is because of the inefficiencies with providing services. To your point, Tucker, security can drive some of those savings, and some of those savings can drive better services to the constituent.
Maintaining a robust security supply chain
Francis Rose: Is there a risk of having too many things in the supply chain—boxes that need to be checked off—in order for companies to support the federal government, given that the government pretty much buys everything that it uses, cybersecurity-wise, whether products or services, from somebody else? And shouldn’t it—as you just said a few moments ago, Will—be creating this stuff on its own?
Tucker Bailey: I see members of the defense industrial base and others who are looking to do business with the federal government think about security as an enhancing feature and not just as a compliance feature.
If we want to sell to the government, part of our sales pitch is going to be that we’re going to come with an advanced level of security. If we have software, we’re going to attempt to provide a software bill of lading or a clean bill of health. Or we can actually show how we’re doing our diligence on our supply chain, so those products we’re delivering are as remediated as possible from cyberthreats.
I think that is driving very good behavior throughout the supply chain. If you go back to the NIST [National Institute of Standards and Technology] cybersecurity framework, one of the things that I think that NIST was very thoughtful about in driving adoption was using the levers of federal government and some of the procurement levers to drive adoption of the NIST framework. So you saw folks adopt that, and that’s happening throughout the supply chain.
On the other hand, you have to be thoughtful about whether we’re putting too much burden on nontraditional providers to demonstrate compliance and hygiene. Are you inadvertently limiting some innovative companies that consider the burden of doing work with the federal government to be too high? I do think there’s recognition there. There are some intermediaries that are helping to cross that bridge, but I do think that’s a watch-out as well.
Will Hurd: A lot of new industries that we think are new and different ultimately end up cutting corners because they can. If I’m building a tire, I know where all those elements come from. If I’m a chef and I’m putting together some fancy meal, I know where all my ingredients are coming from. And guess what? When it comes to software, we need to know where every bit of code is coming from.
There was a focus on open source. Everybody thought that open source was a great sign that the code doesn’t have holes in it. Well, not everything is Red Hat Linux, that thousands, if not tens of thousands, of people have looked at and banged on to try to find problems.
You should be able to figure out where your code is. You need to be thinking about this when you’re developing your software, plain and simple. I think that gets to the fact that it shouldn’t be an overly burdensome compliance problem, because you should already know where it is.
If I’m getting ready to go on a trip, I know everything I’m putting in my bag. It shouldn’t be hard for me to tell you everything I put in my bag. I already know what’s there. That’s where we’re going to have to go.
The future of the federal cyber workforce
Francis Rose: We’re starting to run out of time, gentlemen. Will, you spent a ton of time on this in Congress, but we haven’t talked about it much on this program yet. That is, what does the cyber workforce look like in the federal government, and what should it look like in the coming years? Tucker, I’ll start with you. How do you think about what we talked about earlier, as far as the future of the threat landscape, in terms of the skills that the workforce should have in order to be able to meet that future threat landscape?
Tucker Bailey: I’m actually quite bullish on this topic, Francis. And I think in years past, government leaders have bemoaned the fact that, “Gosh, we can’t pay enough to attract and retain the best in cybersecurity talent, because they’re going to the banks or they’re going to Silicon Valley,” et cetera.
I think you see two things. One is that a lot of people who go into the cybersecurity world are incredibly mission driven. And the one thing that government can provide that the private sector can’t always provide is that sense of mission. You are protecting the most critical assets to the United States; continue to play on that.
The second is the experience and capabilities that they give those folks. And it may be that there’s a different model that’s required. We’re not expecting someone to come to the government and work for 20 years and draw a pension, because that’s not how digital talent thinks and works.
But you can talk about the value proposition of, “Come to us for four years. Learn best practices at the coalface with nation-state adversaries. Sharpen your sword, and you’ll become that much more marketable in the private sector. Then, once you go out and conquer the world in the private sector, maybe you come back into government. You’ll play a leadership or executive role.”
I think there’s some things that agencies can do there, and we’re seeing some of that as well. I also think that the pool of talent they can draw from is increasing. I think the demand signal has gone out, and you’re seeing academia respond with undergraduate- and graduate-level cybersecurity programs. So the talent supply is increasing as well.
When we did research into this, what we found is that the compensation piece is only one factor of an individual’s decision about their job. They’re looking for quality of life, sense of purpose, community, and the ability to build their own capabilities and tool sets. I think these are areas where government agencies can and do compete.
Francis Rose: Will, you hammered and hammered and hammered and hammered on the workforce and the need to build a successful, healthy one when you were in Congress. Are you as encouraged about the future of the workforce, specifically for the executive branch of the federal government, as Tucker is?
Will Hurd: Yes. The long-term pipeline is going to be built. I’m more concerned about the short term. There’s a lot of great talent that’s coming back into the federal government, like Tucker talked about, that had great experience in the private sector, and they’re coming back at senior levels.
But by 2025, there are probably going to be a million positions within the federal government that require some kind of cybersecurity needs. I know we can build that pipeline.
My father is 87 years old, and every time I’m with him, he always talks about cyber. My dad hasn’t ever used a computer, can’t type, and he’s, like, “We need more. These kids nowadays need to be going into cyber.” So if my 87-year-old dad—if it sunk into his head that this is needed, then, long term, we’re going to be OK.
But how do we deal with this current gap and shortage that we have? That’s the most difficult thing. Not every job needs a PhD in cybersecurity, and not every job may need a BS in computer science. Making sure that the positions that are across the federal government—we need to understand what the real skill set is that is needed within any given position.
That didn’t exist three or four years ago. That change has slowly happened so that we know the kind of skill set we need in order to get people into those jobs. Everybody recognizes that, and we’re trying to do that. But also, I think the federal government is starting to realize, “Hey, we don’t know everything, and we should be relying on the private sector a little bit more. We don’t have to build everything. We should be buying it from the private sector and using these tools that already exist.”
I think you’re seeing some of that change. That’s going to also help us deal with that personnel gap that we have. Long term, yes, I feel good we’re going to meet that need. But that short term—this is the period where it’s really hard.
Francis Rose: I have a problem. I have five more big questions and a ton of things that I’ve scribbled down over the course of this conversation. We’re out of time. So I’d love to have both of you come back and continue this discussion another time.
Tucker Bailey: Would love to, Francis. It’s always a pleasure to be with you.
Francis Rose: You’ve been listening to McKinsey on Government, a presentation of McKinsey. Our next episode is in a couple of weeks. You can subscribe to get McKinsey on Government everywhere you get your shows. I’m the host of McKinsey on Government, Francis Rose. Thanks very much for listening.