Two top cyber officials say initial pathfinder programs to protect the financial sector from cyber attacks are off to a good start and showing positive progress for future programs.
The pilots involve simple combined analytics, information sharing and small-scale solutions between the Defense Department, the Homeland Security Department, financial institutions and other businesses.
“What we are doing with the financial sector is taking that picture of what they’ve identified as key functions and risks to their industry and then we bring in the Defense Department, the intelligence community,” said Jeanette Manfra, assistant secretary for the office of Cybersecurity and Communications at DHS, during a speech Tuesday at the Carnegie Endowment for International Peace in Washington.
Manfra said DHS is piloting the idea of taking a couple of areas where the financial sector and the government can share cyber indicators back and forth to enrich the government and the businesses.
“Early signs are pointing to yes, this is enriching both sides,” Manfra said. “It’s not easy, it’s not transactional, it’s not, ‘I produce a feed, you consume that feed and I beg you for feedback every time I see you.’ It’s much more of a collaborative understanding and process that I think is going to bear a lot of fruit.”
Ed Wilson, deputy assistant defense secretary for cyber policy, agreed with Manfra.
“In the pathfinder that we are running in the financial sector early feedback, preliminary feedback was very positive. So much so that everyone is committed to the next round of pathfinder,” Wilson said.
Manfra added that the more insight DHS and DoD can get into how the systems work and where the dependencies are, the better they will be able to make smarter decisions.
DHS, DoD working together on cyber strategies
DoD and DHS have had to sort out their authorities regarding cyber attacks as the cyber landscape evolved.
Deciphering which agency will take charge and provide certain functions is something Congress and the departments have been hashing out for years.
Both Manfra and Wilson said there have been frustrating discussions on both sides in trying to figure out authorities and actually take action, but things are now settling into a more mature space.
DHS and DoD’s new cyber strategies are building in better authorities that allow them to work together better than they ever have before, the duo said.
In addition, the departments are gaming out scenarios in order to prepare for cyber incidents.
“I don’t always want to be afraid to do something because we are afraid of what ‘X’ consequence might be,” Manfra said. “I want to be able to articulate what those consequences are and then I want us to have a conversation and say, ‘Is this the right thing for the government to do, do we agree?’ I believe we’ve built the tools to that. I believe we’ve removed some of the bureaucracy to allow us to have that in the appropriate space.”
Manfra and Wilson said DHS and DoD’s new cyber policies are building in better authorities that allow them to work together better than they ever have before.
That even includes enforcing cybersecurity in more offensive capacities.
“We have to be able to take the fight to the enemy a little bit,” Manfra said. “It can’t be exclusively focused on all the work we are doing on the homeland.”
DoD’s new cyber strategy, which was released in September, gives the Pentagon more leeway on using offensive strategies to deter cyber attacks.
“The new policy really strives to make timely decisions from the U.S. government across interagency channels in a very transparent fashion in regard to assessment of risk and understanding the risk levels if we were to execute an operation,” Wilson said. “The new policy, I think, has been successful. We are conducting operations in concert with it.”
Wilson said the feedback from other agencies is positive so far.
That doesn’t mean there aren’t still frustrations within the departments and between DoD, DHS and other agencies.
Manfra said the biggest challenge for DHS right now is actually getting to specifics on cybersecurity.
DHS needs to not “try to solve all these complicated policy issues in the abstract,” Manfra said. “Some of them aren’t that complicated once you get down to the business of trying to figure it out. … We want to be very clear about authorities and what’s appropriate and ensuring that there’s no crossover because the policy still remains on having this civilian focus. To me, that’s been the biggest thing. Let’s stop talking at a high level about very abstract concepts. Let’s take a few key issues where we know we want to work together and let’s just work through it.”