She may have left federal government two years ago but Suzanne Spaulding is still very much keeping an eye on the state of agency cybersecurity. As senior adviser for the Homeland Security, International Security Program at the Center for Strategic and International Studies, she offers insight to public and private sector groups about managing their cyber risks.
And on the former side, at least, she sees some good news.
Spaulding said cyber threat information sharing is improving among federal agencies, moving away from stovepiped tactics of the past and embracing a more “enterprise” view of government. The former undersecretary for the Department of Homeland Security said that while she was at the department efforts were underway to provide greater visibility across civilian agencies. The EINSTEIN program first offered the enterprise that visibility, she said.
“Beyond that kind of perimeter defense DHS was also able to deploy a suite of tools — Continuous Diagnostics and Mitigation (CDM) is the name of the program — that was able to make tools available to departments and agencies across that civilian government, and again to look inside at their networks, do asset identification, just critical first step and prove to be very illuminating,” Spaulding said on Federal Monthly Insights — Strategic Threat Intelligence.
She also said DHS instituted automated information sharing of threat intelligence across the civilian agencies and with the private sector. She said when this was first created DHS and Congress envisioned plenty of companies wanting to sign up to receive these threat indicators, but that was not the case.
“But increasingly these companies are willing to share with each other through information sharing and analysis organizations, whether their sector centers are organized around different … perhaps geography or other kinds of similarities,” she said on Federal Drive with Tom Temin. “And so what I have seen is, it is an increased understanding of the value of sharing threat intelligence information, but that it’s primarily being done in these private sector organized ways.”
Automated data sharing also improved thanks in part to aggregators which pulled data together, she said. Several platforms exist to visualize threat information so that agencies can automate their responses with high confidence.
Information sharing itself is, after all, only a means to a goal.
Spaulding said it’s becoming more apparent that network defenses and collaboration between government and the private sector are necessary.
“I think it’s really important that we move beyond just threat intelligence and sharing information about vulnerabilities, to sharing information about consequences and impact, because that is a critically important part of risk management,” she said. “Understanding that impact, understanding the consequences, not just to your network, but to your business — or if you’re a government department or agency to your critical missions — is really what it’s all about.”
But cyber breaches can also cause physical damage.
Spaulding said she thinks it’s inevitable that physical and cybersecurity integrate under a single entity. In particular, she said, the internet of things has made this abundantly clear. Whether it’s a business or a mission that needs protecting, an understanding of the continuity of operations is crucial. This in turn moves the issue of cybersecurity further up the organization chart and groups must think of it like a risk management effort, she said.
“I talked with CEOs and boards of directors all the time about this and the important role that, not only that they have to play but that they really can play,” Spaulding said. “It’s easy to be intimidated if you’re not a technical person by cybersecurity.”