Ross Nodurft has moved to One World Identity (OWI) from the White House, where he ran the cybersecurity team at the Office of Management and Budget. Nodurft has worked for worked for two administrations, undertaking duties such as briefing senior leaders on incidents and partnering with the National Security Council to develop U.S. cybersecurity and identity management policies.
Nodurft’s role at OWI is as Vice President for Risk Management. He is well placed to discuss cybersecurity, identity, and incident response policy for businesses and individuals.
Digital Journal: How great is the threat of cybersecurity to the U.S.?
Ross Nodurft: Every day the U.S. Government faces threats from nation state actors, cyber criminals and hackivists trying to steal data and money or gain some advantage over the American people. There is a low barrier to entry for bad actors to use information technology to spy, steal, or disrupt the way that we do business.
DJ: Where are the main threats coming from?
Nodurft: When folks ask me this I like to break it down into the who and the how. First the who: the government and big companies often deal with threats from nation states, organized crime groups, hacktivists, and lone actors who want to disrupt the way the government delivers services to the American people and the trust consumers have in the economy. Small to medium sized companies and individuals are often targeted by cybercriminals who are looking to steal information and money. Next the how: one of the main ways that all of the groups break into systems is by impersonating someone else – stealing their identity. This is why using multi-factor authentication and building a trust and safety program is so important. Without that, institutions, big and small, will lose the trust of their customers.
DJ: What measures has the U.S. government put in place?
Nodurft: After the Office of Personnel Management data breach in 2015, the White House ran a cybersecurity sprint to make sure that agencies were covering the basics. Our team made sure agencies were using multi-factor authentication, were patching known vulnerabilities quickly, and had a good understanding of what their highest valued assets were and how they were protected. These basics are the foundation that the government needed.
Since that sprint, agencies have been working with the White House, the Department of Homeland Security, and the General Services Administration to tackle the hardest problem of all – modernizing the information technology systems that underpin the Federal government services. In December 2017, the WH issued the IT Modernization report which outlines a series of next steps to help get our Federal IT infrastructure up to a standard that reduces the risks to cyber attacks.
DJ: What can businesses do to protect themselves at the very least?
Nodurft: Businesses need to start with the basics. First, multi-factor authentication. Second, having a good understanding of what data is on their network and who has access to that data; and third, making sure their systems are up-to-date and patched as quickly as possible. Doing the basics well protects a business against the vast majority of the threats that are out there today.
DJ: At the White House, you developed the incident response policy for Federal civilian agencies. What did this entail?
Nodurft: In FISMA 2014, Congress tasked the White House with setting the parameters for what constituted a major incident in the Federal government. In OMBs annual guidance to agencies, we set those parameters. Additionally, we put in writing how an agency should respond if a data breach occurs. These documents outline who to call in congress and when to call those people. As incident response lead, I would walk agencies through the process of understanding the scope of the incident, ensuring the right remediations were in place, drafting the communications to congress and the press, and bringing in additional technical expertise from the Department of Homeland Security when necessary.
DJ: Was it difficult to build a consensus?
Nodurft: At the time, people were looking for guidance from the White House. There was some discussion about the factors that went into defining the triggers for a major incident. However, everyone was motivated to put together a policy that was flexible enough to be used by all of the departments and agencies but drew a line in the sand to give CISOs and agency leadership clear direction.
DJ: Why did you decide to join OWI?
Nodurft: The opportunity to partner with Joe Stuntz and the OWI team to build and create solutions that will shape the identity and cybersecurity conversation was one I could not pass up. I was recruited to the White House just after the OPM breach to help bridge the policy gap and drive strong cybersecurity hygiene across the federal civilian agencies. With nearly a decade of experience in this space, I’m confident my deep expertise in risk management and cybersecurity policy will prove to be valuable in my new role within OWI.
DJ: What services does OWI offer?
Nodurft: OWI is an independent identity research and strategy company focused on digital commerce and cybersecurity. We help businesses, investors, and governments stay ahead of market trends so they can build sustainable, forward-looking identity-enabled products and strategies. OWI accomplishes this by building community and facilitating dialogue through the KNOW Identity Conferences, as well as services the community with our educational content, news, media, and client services.
DJ: In your opinion, what future threats does society face in terms of cybersecurity?
Nodurft: People are continuing to become more reliant on technology that is connected to the internet. The Internet of Things poses significant opportunity space for malicious actors to target governments and individuals. Additionally, as e-commerce continues to gobble up market shares, we must ensure that people’s digital identities are trustworthy and the transactions happen securely. As these two trends continue, we will see the convergence of physical and digital security and identity.
DJ: Finally, what types of technology or technological developments do you find most interesting?
Nodurft: The introduction of secure identification into consumer products – e.g. face id and touch id – is very interesting. The seamless design of biometric identification into consumer products will enable people to have and maintain access to the data they generate as they interact with a world of connected devices.
