Better public-private relationship key to preventing next cyber attack

Chris Cummiskey, Former Acting Undersecretary for Management, DHS

wfedstaff | April 17, 2015 10:26 pm

By Jory Heckman
Federal News Radio

The threat of a major cyberattack could expose the sensitive information of millions of Americans — whether that breach happens at a retailer like Target or at a government agency like the Postal Service.

Preparing for an attack from all angles requires a multi-pronged approach from government, the private sector and academia, according to Chris Cummiskey, former acting undersecretary for management at the Homeland Security Department.

“One of the things that we’re seeing over the last several years is really a targeting by nation-state actors as well as criminal syndicates on things like government personnel data systems and these control systems that are used in the critical infrastructure — whether it’s energy or dam control or things of that nature — and so we’re seeing an uptick in that kind of activity,” Cummiskey said on In Depth with Francis Rose.

But a cyber breach could also mean disaster for industry. Cummiskey estimates that more than 85 percent of attempted attacks target the private sector.

“There are a lot of countries around the world that are constantly probing our networks and looking for vulnerabilities in the private sector,” he said. “It’s got to be a multi-pronged approach.”

That approach means building better relationships between government agencies — such as DHS, the National Security Agency and FBI — and the private sector.

“We recognize that these kinds of infiltrations are going to go on, and it’s hard to stop them at the perimeter,” he said. “And so, once they’re in the networks, it’s the ability to have a continuous diagnostics and mitigation framework for the government and the legs of that stool so that we can make sure that once they’re in, we can detect them, because it’s going to be hard to keep them completely off these networks.”

Part of the problem, Cummiskey said, is that private sector companies are making the case that it’s hard for them to share data with DHS under the current voluntary framework, even though they’d like to cooperate.

“The companies feel like they’re going to be penalized for stepping forward. They don’t want to admit that they’ve had an intrusion until they absolutely have to, or they’re in the midst of trying to figure out what they’ve got going on,” Cummiskey said. “Companies have got to move beyond just intrusion prevention and figure out can they detect what’s on these networks and act to mitigate more effectively.”

One solution offered up by Janet Hale, former undersecretary for management at DHS, is giving the agency a break when it comes to preparing so many reports and hearings for so many congressional committees.

In a Federal Times column, Hale said DHS reports to anywhere from 88 to 118 committees and subcommittees, a figure that continues to tick upward.

“I don’t think any of us that speak or write on this issue are objecting to the oversight. I think it is much more [a question of] how much there is from how many different committees,” Hale told In Depth. “It’s not just the number of hearings or number of congressional briefings that are done, it’s the untold hours getting ready for those and then responding to questions for the record.”
