Q&A: DHS Cybersecurity Chiefs Speak Out

Philip Reitinger

As the federal government continues to try to figure out ways to effectively manage cybersecurity, the Department of Homeland Security is gaining prominence as one of several major players in protecting government computer networks from attack.

At the center of the DHS' effort are the agency's cybersecurity top official, deputy undersecretary of the Department of Homeland Security for the National Protection and Programs Directorate and director of the National Cyber Security Center Phil Reitinger, and Greg Schaffer, assistant secretary of DHS' Office of Cybersecurity and Communications. InformationWeek recently spoke with them.

InformationWeek: I wanted to start by talking about your role, your goals and some of the things that are going on there right now.

Reitinger: Cybersecurity always has been and always will be a distributed effort. If people want to say, well, there's a single locus of cybersecurity and anything and everything will be handled from one point, I say, dream on. We want to build cybersecurity into the DNA of the infrastructure, into the DNA of the businesses, into the DNA of all the government entities.

Our role is to work to bring one team, one fight from DHS to address cybersecurity, to work with partners to help enable progress across dot gov, and particularly with the Cybersecurity Coordinator when appointed.

The top priorities I'm focused on, are, one, building capability. That's primarily about people. I have some awesome people here at DHS; we have a great team, but we just don't have enough of them yet, and we're in strict competition with the private sector to get the best and brightest to work on these issues. I'm a firm believer that organizations succeed or fail based on the people you have.

Second is building partnerships. There are people with responsibilities across the organization, across the federal government and across the private sector, and we've got to continue to work on the right way to build a partnership among those entities. We're defining our partnership models, making sure they're as efficient as possible, that they let the private sector work effectively with us and as one, and we're starting the process of developing a national cyberincident response process that will enable all of the entities across government and the private sector to work together as one nation to respond to cybersecurity emergencies.

The third is addressing the ecosystem of the future, making sure that we're building the Internet and the cyberinfrastructure of the future that will have the foundations of a more secure tomorrow. There are a number of things that go into that. Two [priorities] I'd call out are the need to build up a set of metrics that will enable the people throughout government and industry to make better decisions about cybersecurity, so they don't do this or that based on religion, but based on data. Cybersecurity needs to move towards a full-fledged scientific discipline.

The second is identity management. If we're going to allow people to protect themselves, they're going to need to be able to make effective decisions about, do they want to communicate with this person or not, do they want to open this file, do they want to open this program, do they want to allow a machine to connect to their machine? That's going to require much more available and interoperable authentication to be used at their option and with the full protections for privacy.

InformationWeek: So are you actively working on a set of metrics, and what kinds of things are you doing in terms of identity management?

Reitinger: We're sort of starting to move into that space right now. Identity management in particular has been a personal concern of mine for some time. The 60-day review specifically called out developing an online identity management strategy, with particular protections for privacy, as one of the more immediate things that needs to take place. We intend to be a full participant in that, but I don't have anything to announce right now.

InformationWeek: As you might have seen, a number of people have called out the DHS for having problematic leadership over cybersecurity recently, one of the more prominent of them being [former director of DHS' National Cybersecurity Division] Amit Yoran. What are you doing to change the leadership culture at DHS in terms of cybersecurity?

Reitinger: I'm not going to comment on the history at DHS. Let me tell you what I'm doing. I'm ensuring we build a great team and that we make judgments about what's working and what's not working. If we bring in people who have the right technical chops, who have the capability to get the security courses and clearances they need to work, and most importantly have a passion for the mission we have here, I have no concerns that we can take the organization we've got and make it even more effective.

InformationWeek: You've said it's a myth that there's a lot of infighting among federal agencies over cybersecurity responsibility. Do you see those responsibilities settling out recently, and do you get the sense that everyone has a good grasp of how those responsibilities are broken up?

Reitinger: We're going to have to work this in partnership like members of a soccer team, where we play positions and work together as one. As we've been addressing this issue, we've aggregated a number of different capabilities across the private and public sectors, and we've built out, for example, ways of working with the private sector and advisory committees where roles and responsibilities are not as clear as they could be. I think we could do a better job of clarifying roles and responsibilities across government. I think the cyberspace policy review was a significant step, and there are going to be follow-on activities that are going to move us forward even further.

Schaffer: One of the things to keep in mind is how much change has occurred over the last ten years in terms of thinking about cybersecurity. When Phil and I were with the Justice Department 10 years ago, cybersecurity was thought of as a silo. It has since become horizontal. If you think about it in that context, it is an adjustment for everyone to get into the mentality of this being a team sport that everyone has a role in. That adjustment from a vertical to a horizontal is difficult and requires a lot of people to change their minds. A lot of what gets represented as infighting is simply the growth pains in making that normal adjustment. A lot of what is an effort to figure out responsibilities and make sure that they are clear gets articulated as infighting when it's not.

InformationWeek: I saw a request for proposal on a wiki that you are going to use to set up better collaboration among the centers of gravity for cybersecurity in the federal government. What are you doing there? Reitinger: That's one specific tool to help the cybersecurity centers across the government work together more effectively and share information better. There will be other tools across the government, and other things that we need to do to make sure we can work together, but that's one specific example. We can talk about the different developments, for example, in US-CERT to develop the National Cybersecurity Protection System, which is a set of tooling that it's going to use to help protect dot gov networks and to analyze what's happening so it has situational awareness. We are trying to leverage the same kinds of technologies the private sector is leveraging today to execute against the security mission, whether it's intrusion protection systems, intrusion prevention systems, wikis, or correlation engines and tools to deal with the mass amounts of data involved in protection.

InformationWeek: You mention the National Cybersecurity Protection System, and I wanted to see if you could go into that a bit more, and if you could tell me a bit about how US-CERT is going to evolve.

Schaffer: When you're talking about the National Cybersecurity Protection System, you're actually talking about NCSD, not just US-CERT. As a practical matter, US-CERT will continue to evolve. We obviously want to continue to grow our partnerships with the various departments and agencies that are our clients in this space, as well as the private sector national security and emergency protection entities that we service. The goal is to leverage the additional data and information that comes through the deployment of the kinds of tools that we talked about, whether it’s the IDS/IPS solutions, all of these new technologies we commonly refer to as Einstein, those technologies are going to lead to better situational awareness that can then be leveraged to defend the networks that are so important to our economic growth, the protection of our citizens, the protection of privacy, the protection of our civil liberties.

InformationWeek has published an in-depth report on leading-edge government IT -- and how the technology involved may end up inside your business. Download the report here (registration required).