The chairman of the House Committee on Homeland Security is calling on the Homeland Security Department to collaborate with industry and double down on its response to cyber attacks.
Rep. Michael McCaul (R-Texas) said leveraging the emerging technologies of the private sector was a “no brainer” for DHS, and the department needed to clarify the government’s role when responding to a cyber incident.
“We really need to finalize this national cyber incident response plan,” McCaul said, during the Sept. 15 Internet Security Alliance 15th anniversary conference. “We really need to ensure that DHS is organized to effectively respond to the emerging threats, and we need to really look at the cybersecurity mission at DHS and elevate the current office into an operational agency. We need to organize it effectively to respond to these ever-emerging threats.”
He said the department told him it’s committed to meeting his call for finalization by the end of the year.
“If you can’t respond in real time, it’s worthless,” McCaul said. “If you can’t get the codes in real time, it’s worthless. We have to get those codes and information sharing and do it in real time. We have to have clear coordination to respond and mitigate cyber attacks against our country.”
McCaul also urged DHS to take advantage of what the private sector has to offer in terms of cybersecurity solutions.
“I can’t tell you how many companies come to me and say, ‘I can’t even get in the door, I can’t get access, I can’t talk to the right person in the department,'” McCaul said. “And the department needs to be, I think, more customer friendly, technology friendly.”
‘We will fail’
Suzanne Spaulding, under secretary for DHS’ National Protection and Programs Directorate (NPPD), acknowledged her agency had more work to do.
“We are never going to solve the cybersecurity challenge that we confront today until we really take a holistic management approach to it,” Spaulding said. “If we put this in an IT stovepipe and think we are going to be able to understand from a purely IT perspective or mitigate those risks from a purely IT perspective, we will fail.”
She said DHS is taking steps to improve its cyber workforce, as well as work with industry.
“Within the president’s budget is increased funding for incident response teams,” Spaulding said. “Folks out in the field, the numbers need to increase significantly.”
She said DHS is also working with its science and technology experts, academics and internally to develop better metrics for measuring cybersecurity improvements.
Spaulding added the National Institute of Standards and Technology (NIST) Cybersecurity Framework has proved its worth and sets forth a framework for understanding how to do risk management and assessment.
Spaulding also said DHS is reversing its emphasis to focus on small and medium-size businesses, but she said in the context of vulnerabilities and the risk management process, “while those small and medium-size businesses may be more vulnerable, the risks we worry about at the national level are more likely — not entirely — but more likely to be promoted by a significant cyber attack on a key player.”
Rep. Will Hurd (R-Texas) said one thing he was focused on when it comes to DHS is making sure that the agency “is the belly button for sharing between the private and the public sectors.”
“You cannot have an intelligence organization being the point of contact with sharing with the private sector,” Hurd said. “Period, end of story. We can all question whether the Department of Homeland Security has the right level of technical capabilities and sophistication, but we have to double down on DHS.”
Hurd said that’s why he supported the reorganization of the NPPD.
“They are an operational unit, they are already doing that, we need to treat it that way,” Hurd said.
When it comes to the administration’s overall approach to cybersecurity, a strong cyber posture is a moving target.
Michael Daniel, special assistant to the president and cybersecurity coordinator, said when the administration started in 2008, cyber technology was very different: Twitter was only reporting 500 million tweets per day, Bitcoin was an idea on paper and the iPhone was in its first generation.
“The development of this policy space is happening at a rate that’s difficult for industry to keep up with, let alone the government,” Daniel said. “Cyberspace is growing by more than 5.5 million devices per day, so that’s an unusual environment. We’re actually expanding its scope and reach on a regular basis, that’s not something that happens in the physical world.”
And with that widening scope, cyber threats are also becoming broader, Daniel said.
“We’ve watched many more actors around the world realize that they can effectively pursue their interests through cyberspace,” he said.
Daniel said he doesn’t want to minimize cybersecurity challenges, but it is also important to “reject fatalism about this problem.”
“I don’t believe it’s insoluble, we don’t have to throw up our hands and forego the benefits of a wired world,” Daniel said. “But we do have to be determined and methodical in our response and recognize it will take many years of hard, collaborative work and creative thinking to tackle these cyber challenges.”
Daniel pointed to the cyber threat intelligence integration center launched last fall as one example of how the administration is addressing cybersecurity, and the recent Presidential Policy Directive (PPD)-41 that more specifically describes how agencies will work together to respond to cyber incidents that could have a major impact on the nation.
“The principle that we’re trying to apply here, is that in terms of answering that question that we’ve heard from the private sector — the Ghostbusters’ question, ‘Who you gonna call?’ — we have tried to lay that out quite clearly in the PPD,” Daniel said. “I will also say, we see it as it should be our job to figure out the government’s bureaucracy, and that it should not be you [industry’s] job to figure that out.”