by: Sarah Clein, Leadership Connect
In times of uncertainty, staying connected and informed can make all the difference. Leadership Connect’s Government Shutdown Perspectives interview series is part of our ongoing effort to provide clarity, support, and community for those navigating the challenges of the shutdown. Through thoughtful discussions with leaders across government, associations, and industry, we aim to share practical insights, personal experiences, and resources to help public-sector professionals lead with confidence and stay grounded through ongoing uncertainty.
Cybersecurity Through the Shutdown
This week we spoke with Louis (Lou) Eichenbaum, Federal Chief Technology Officer for ColorTokens. Eichenbaum, who previously served as Chief Information Security Officer (CISO) at the Department of the Interior (DOI), shared how the shutdown is affecting federal cybersecurity efforts and how emerging technologies can help agencies better protect their systems.
Can you start by telling me a bit about yourself, your role at ColorTokens, and your previous role at the Department of the Interior?

My current role is Chief Technology Officer on the federal side for ColorTokens. I have been in that role for about two months, so it is still relatively new. What I do is work with federal agencies to help them implement our microsegmentation platform so they can build secure environments using zero trust principles. It has been a bit slow because of the government shutdown. Once it opens up, hopefully we can help build some secure environments for the government, not just with IT but also with Operational Technology (OT), which is another critical focus for us as we work to strengthen the security of critical infrastructure across the federal government.
Prior to this role, I worked for the Department of the Interior for 23 years, primarily in cybersecurity roles. My last position there was as the CISO for the agency, and I was in that role during a time of great change. My team had several major priorities, and one of the biggest was consolidation of the organization. Before I took on that role, DOI was a federated IT environment with separate IT organizations within the bureaus and offices.
When new leadership came in, the administration made consolidation a priority. My team worked to bring together our entire IT security organization into a single, unified structure. That was a huge change for DOI because it had never been done before. That work is still ongoing. Phase one was what we called lift and shift, bringing all the people into one organization while continuing their same work, with plans to move over time to a more centralized approach for delivering IT security services.
Before that, I was the Zero Trust Program Manager for the Department of the Interior for just over three years. That role began when OMB released M-22-09, directing all federal agencies to start implementing zero trust. I was asked to lead that effort, and over three years we built what I believe was a very successful program. We created a virtual organization where more than 200 people across the department were working on this initiative. We focused a lot on cultural adoption and understanding zero trust. We also built a community of practice with more than 1,000 members, providing continuous information and training.
We trained over 200 people who went on to earn zero trust certifications. I have always believed that to be successful with zero trust, everyone needs to understand the principles. It is a philosophy, not a technology, and it is about integrating those principles into your risk management strategies. That was one of our main goals, educating people so they would apply zero trust principles in their daily work.
Before that, I held several other cybersecurity roles. I was also a CISO at the Bureau of Land Management and at the Office of Surface Mining and Reclamation Enforcement. I have been doing cybersecurity work for about 20 years, going back to when the Federal Information Security Modernization Act (FISMA) first came out, and I have seen how the field has changed over time. The role of the CISO has evolved as well. I think today the CISO needs to be less of a technologist and more of a risk executive who works with mission and business leaders to understand their needs and build security solutions that reduce risk while still allowing them to deliver their mission services.
How have you seen the government shutdown affect ongoing cybersecurity or modernization projects across agencies?
I think that is one of the biggest challenges when you have a shutdown. During a shutdown, there are certain people who are designated as excepted employees, and it is usually a very small group. The idea is to keep the lights on. From a cybersecurity perspective, those employees are still doing their jobs. They are still working every day, even though they are not being paid, to monitor systems and prevent compromises.
What stops are the larger initiatives. You have to focus on the basics of cybersecurity to keep systems protected. At DOI and other federal agencies, there are many ongoing projects aimed at building more secure environments, and those efforts are put on hold until everyone returns to work.
What kinds of security risks or vulnerabilities tend to increase for federal agencies when operations slow down or teams are working with reduced capacity?
The attacks on our government systems have increased during this time. Our adversaries sense that there may be more vulnerabilities since some personnel are out. These are the same types of risks and threats we usually deal with, but we’re seeing more of them now.
Credit goes to our federal employees who have said, “I’ll still work, even though I’m not getting paid. I’ll still do my job to protect these environments.” There are still people showing up and doing their work, but there’s definitely increased risk because there are fewer people. You may miss something you would have caught in the past, which raises the chance of compromise.
Our adversaries know this and are taking advantage of it, so we’re seeing more attacks on our systems than before the shutdown. Still, we have dedicated staff working hard to prevent those compromises from happening.
What did agencies do ahead of time to prepare their cybersecurity posture for potential interruptions like this?
There has been a lot of focus on improving cybersecurity in recent years, as I am sure you are aware. Even without considering the shutdown, the work that has been done over the last several years has made a big difference. I will mention zero trust because that was a major driver for federal agencies to improve their cyber posture. When M-22-09 came out in January 2022, it gave specific direction and requirements to implement what they called foundational capabilities for zero trust.
Over the past three years, we have seen major improvements across the federal government in implementing things like multi-factor authentication instead of passwords, which is a significant boost to overall security. Agencies have also made progress in implementing encryption for data at rest and data in transit. These are all requirements outlined in the OMB memo, and agencies have followed through on them.
For example, at DOI, when that memo came out, it was a struggle at first to roll out multi-factor authentication (MFA) across all our information systems. Some of the systems were legacy and difficult to modernize. We were at about 40 percent implementation across the board for MFA. After three years, through the hard work of everyone across DOI, including our centralized cybersecurity organization, bureaus, and offices working together, we reached about 96 percent. That is a huge improvement. Other federal agencies have made similar progress over the last few years. There is still work to do, but the progress made has helped prepare us for times like this, when staffing may be limited.
Another major improvement was the implementation of Endpoint Detection and Response (EDR) systems. These are essentially advanced replacements for traditional antivirus systems. Federal agencies were directed to implement enterprise-level EDR solutions, and that has also greatly strengthened our security posture and helped us better prepare for situations like this.
How have public and private sector teams continued to share information and collaborate effectively when normal communication channels are disrupted?
During a shutdown, when you are not hearing anything, it can be interesting. I am not in the federal government anymore, but I still talk to my former federal colleagues all the time. Platforms like LinkedIn have become a big tool for that kind of communication. People have built their own communities or have certain contacts they rely on to share information.
I honestly think LinkedIn has become one of the most powerful communication tools for federal employees who are sitting at home and cannot access their government email or find out what is going on. I remember in past shutdowns, LinkedIn existed, but we did not really use it. All we would hear was, “Just sit at home and watch the news. If they say the government is open, come back to work.” That was really awkward, just sitting at home waiting, not even allowed to log into your email account. Now, LinkedIn has become a very effective way for people to communicate and share information during these situations.
Are there new cybersecurity tools or technological innovations that could help agencies build more continuity into their operations during future shutdowns or funding gaps?
From a cybersecurity perspective, one of the big focuses right now, and you hear this from all of our cyber leaders like Mike Duffy, the current acting federal CISO, is building resilience into our systems.
For years, as cybersecurity professionals, we have focused on prevention, which is important and something we need to keep doing. The goal has always been to prevent someone from breaching our networks. But the reality is that no matter what you do, a breach will eventually happen. We have to be able to build resilience into our networks to keep a small breach from becoming a serious one.
Typically, what happens is a user on a laptop inside the network receives a phishing email, clicks on a link, and suddenly there is an adversary sitting inside the network, looking around. In that situation, it becomes about understanding what your most critical assets are and how to protect them. Microsegmentation is becoming a major focus for that reason. It is about building secure microsegments around your most critical assets and placing security as close to them as possible.
If you do get a breach on a laptop, it is not a big deal, but traditionally attackers could move laterally to a critical asset, creating a serious problem. By building an effective microsegmentation strategy and using modern tools, you can prevent that lateral movement from happening and limit the impact of a breach.
How does ColorTokens’ technology support that kind of resilience and help agencies strengthen their cybersecurity posture?
We offer a microsegmentation, software-based platform. What our tool does is sit inside your network and monitor all the traffic flowing in and out of your systems. Then we use something called a policy engine, where we ingest information from your various technology feeds, including threat feeds from the Cybersecurity and Infrastructure Security Agency (CISA).
Every other day, CISA sends out advisories on new known exploited vulnerabilities, which are the most critical vulnerabilities to protect against because adversaries already know how to exploit them. If you have one of those vulnerabilities in your system, they can compromise it. So, we pull in information like that. We also pull in data from MITRE and the MITRE ATT&CK framework, which helps you map your systems and identify if they are susceptible to certain types of attacks, like lateral movement.
We can also pull in information from your SIEM tools and EDR solutions. With all that data, you can see where you have risks, such as systems with known exploited vulnerabilities or those susceptible to lateral movement. From there, you can build secure microsegments around those systems.
And of course, I have to talk about AI because everyone is. We have an AI roadmap that is really exciting right now. We are in phase one within our solution, which includes a ChatGPT-style feature. Someone like me, I am a CISO, can simply ask, “Do we have any new known exploited vulnerabilities from the latest CISA advisory?” You type it in the chat: “Show me all my systems with this new KEV.” It shows you. Then you can ask, “Are any of these susceptible to a MITRE TTP like lateral movement?” It tells you which ones are. You can even ask, “What do I do to fix it?” and it walks you through how to build a policy, what ports to close, and what steps to take.
That is what we have today, which we call phase one. Phase two, which will be ready at the end of the year, uses agentic AI. It will automatically analyze your environment, assess threats, and recommend specific policies to fix vulnerabilities. You will be able to approve those policies with one click. Or, if you are cautious about breaking something, which is always a concern in cybersecurity, you can put it in monitor mode first to observe traffic before fully implementing controls.
Phase three will be fully automated, and that is a little further out. But even with what we have today, the ChatGPT-style feature makes microsegmentation much easier. It is something people have talked about for years, but it has been difficult, especially when done with hardware, which is expensive and complex. Software tools have made it easier, but it still requires close collaboration between your application, operations, and security teams to build secure containers.
Now, with the help of AI, that process is becoming simple and efficient. Our tool works, it is effective, it is easy to deploy, and we are hopeful it can help federal agencies strengthen their security posture.
During Leadership Connect’s “Leading Through Uncertainty: Navigating Change Together” webinar, you emphasized that communication and authenticity are key to maintaining morale, even when you don’t have all the answers. How do you balance transparency with the need to keep teams calm and motivated when the situation is constantly changing?
It is difficult. I’ll tell you, I was in that role, and I did my best. I was not perfect. I think the most important thing is to be open, honest, and authentic. Be yourself. Do not try to be someone different just because things have changed. That is what I tried to do. I would meet with my staff and say, “Look, this is what is going on. This is what I know.” There were times when I had to tell them, “There are certain things I can’t share. I’m sorry.”
Just being honest and communicating openly does not always take away people’s fears or concerns, especially during extremely challenging times when people are worried about whether they will have a job. For me, it was about being myself. I would tell them what I could, answer questions when I could, and be upfront when I could not. I think that is the best approach.
Also, being there to listen to their concerns is just as important. Even if you cannot give them an answer, listening and letting them know you are there with them matters. We were all dealing with it and doing our best. I think that is what matters most. Being yourself, being authentic, and listening to your staff.

