Cybersecurity at the Homeland Security Department has a new urgency with the upcoming midterm elections and, possibly, a new umbrella under which to group its mission areas.
Undersecretary Christopher Krebs is excited by the prospect that one month from now he will no longer refer to his agency’s cybersecurity effort as the “incomprehensible and unpronounceable” National Protection and Programs Directorate. That’s because Wednesday evening the Senate approved legislation to rename that office as the Cybersecurity and Infrastructure Security Agency.
The change is years in the making. Reacting to the vote Thursday morning, in the presence of federal cybersecurity stakeholders, Krebs explained why this rebranding and reorganization is more than cosmetic.
“It clarifies and clearly signifies our mission,” he said at the CXO Tech Forum in Rosslyn, Virginia. “It also is going to help significantly in terms of recruiting. There have been a number of job fairs where we have signs saying DHS, or National Protection and Programs Directorate — nobody knows what that means.”
It also streamlines NPPD, which was created as a conglomerate of programs that did not fit neatly under other agencies and whose missions did not align. Currently NPPD houses the Federal Protective Service, Office of Biometric Identity Management, Office of Cyber and Infrastructure Analysis, Office of Cybersecurity and Communications, and the Office of Infrastructure Protection.
According to the amended Cybersecurity and Infrastructure Security Agency Act of 2017 (H.R. 3359), CISA would comprise a Cybersecurity Division, an Infrastructure Security Division and an Emergency Communications Division.
The bill would move the Office of Biometric Identity Management under DHS’s Management Directorate, while the Federal Protective Service would also be relocated, though that destination is yet to be determined by DHS.
Although Krebs said that DHS was not ready to uncork the champagne bottles just yet, he felt confident things were nearing the finish line. The Senate passed the bill with two amendments and the House Committee on Homeland Security press office said the bill would have to return to the House for another vote.
Election cybersecurity an ‘awakening’ for DHS, country
Cybersecurity is also driving DHS to improve its relationship with state and local governments when it comes to elections security. Krebs said when Homeland Security initially learned of hacking attempts on election systems by Russian actors in 2016, officials did not know they should reach out to secretaries of state offices for elections administrations.
“There was an agency within the U.S. federal government that had a very deep understanding of that and that’s the Election Assistance Commission,” Krebs said. “The problem is no one at DHS knew that the Election Assistance Commission actually existed in and of itself.”
Since then, DHS has established partnerships and communications protocols to share elections security intel with every state regardless of whether that state office or official has a security clearance, he said.
It speaks to how DHS’ scope and mission have changed since its post-9/11 inception when terrorism was the No. 1 focus.
“[Cyber attacks] had always been this kind of ephemeral, intangible threat,” he said. “The 2016 elections, it was an awakening because it was the first time I think people actually realized that cybersecurity could destabilize our government. And it really shook people to the core.”
How other agencies can bolster cybersecurity
Krebs said he cannot expect to ask for something legislatively and see fast results — the CISA name change took about four years, after all. Other organizations need to work out cybersecurity problems with the IC and Defense Department, which he said has increased with vigor.
For agencies that do not know where to begin with digital solutions, DHS’ Executive Director for the Digital Service Stephanie Neill recommended referring to the U.S. Digital Services Playbook and the office’s values set. She and other panelists from USDS said to first identify a problem to be solved, rather than adopt a “technology first” mindset.
USDS expert Alexander Romero said agencies should not be afraid to open themselves up for evaluation. He is working on the “Hack the Pentagon” program to entice private citizens to find and report vulnerabilities in DoD’s websites and applications. The prize-awarding “bug-bounties,” such as Wednesday’s Hack The Marines event which spotted 150 vulnerabilities, are ways to crowdsource cyber know-how.
“If we put money behind a bug that is found that is brought to us we get some really good results,” Romero said.
But advice can be had for free. He said that many researchers are willing to offer tips on open ports which should be closed, or bugged applications. After launching the Vulnerability Disclosure Policy, Romero said about 7,500 vulnerabilities for various DoD applications have been reported.
But Marcy Jacobs, executive director of digital services at the Veterans Affairs Department, noted that some agencies may be afraid to open themselves up. They may fear that a vulnerability will be spotted that they lack the funds or expertise to address.
“I would just say start small,” said Jacobs, who spent three years working on the brand consolidation of VA.gov and Vets.gov and even won a Service to America Medal on Tuesday night for her work. “Figure out what is the most broken part of the problem or what is something that is solvable, and build some momentum from that and be iterative.”