A Homeland Security Department official says part of the Trump administration’s cyber agenda is focusing on critical infrastructure through a “neighborhood watch” and identifying high value targets and their respective contingency plans.
Jeanette Manfra, acting deputy under secretary for cybersecurity at DHS’ National Protection & Programs Directorate (NPPD), said protection and preparedness, and response and recovery, are “where we would really like to prioritize our efforts and where we intend to prioritize in the next few months.”
“From DHS’ perspective we’re looking at systemic risk and how we can sort of stave off any potential from this becoming larger than one entity if it hasn’t already done that,” Manfra said during New America’s Cybersecurity for a New America event on March 20. “Also ensuring that we’re getting those systems back up and running. Every cyber incident has to manage all of those equities whether they’re in government or out.”
DHS is also looking at continuing to build up a “neighborhood watch,” where everybody is sharing automatic indicators, and liability and privacy protections are in place. Manfra said there are nearly 100 entities signed up for DHS’ automated information sharing (AIS) network.
“The more people that are sharing and the more people that are ingesting that and protecting themselves, we’re not only all improving our protection but we’re also having a deterrent effect by making it harder for the bad guys to use the same techniques over and over again,” Manfra said. “The other [area of focus] is really trying to understand the systemic risk within critical infrastructure and understanding what you would call high value targets, and where is the potential for the greatest consequence from cyber incident.”
Executive Order 13636 helped DHS take some steps for this, Manfra said, by having the department identify those high value entities.
“Now that we have begun that, we need to have a conversation with both those entities but also other parts of the internet and communications technology community about what do we do; are we providing additional services and products for those entities, we should be developing contingency plans with our government partners, with those entities, with other elements of the community,” Manfra said. “That’s where we want to go forward is now that we have this joint understanding where that potential for consequence is, how are we working together to mitigate those consequences. That may not be a cyber response. There’s a lot of things that you can do to mitigate consequences that don’t necessarily involve a computer.”
Critical infrastructure is one of the top three priorities for the new administration, according to Tom Bossert, assistant to President Donald Trump on homeland security and counterterrorism.
During a March 15 Cyber Disrupt 2017 event at the Center for Strategic and International Studies, Bossert said when it comes to cybersecurity, the administration would be looking at federal networks and data, securing the nation and focusing on critical infrastructure.
“But not all critical infrastructure is equally critical, so we will focus in on the most critical of those things,” Bossert said.
When it comes to recruiting and retaining the workforce to help with these cyber priorities, Bossert said the administration will be moving toward a management service provider model, and that DHS is already playing that role to its “compatriot departments and agencies,” and would need to reach out to and obtain resources from industry.
Manfra said workforce is a challenge at DHS, and there needs to be a “big cultural shift” that encourages people to come and go from civil service as their life dictates, and gives federal employees the same resources and support they would receive in the private sector.
“People do love the mission. We want to make sure we are providing them the same sort of tools that they could get in the industry,” Manfra said. “Are we removing the bureaucratic hurdles that are keeping them from being able to be as agile and nimble as they would like as a cybersecurity professional?”
Manfra said DHS has been given some very good congressional authorities that have allowed the department to recruit and retain cyber personnel, and the agency would continue to look at how to best use those authorities to reduce the attrition rate, or attract someone back after they spend some time in industry — something that shouldn’t be seen as a chore.
“I think most people come to DHS, and they stay at DHS because they love the unique mission, but when we spend a couple years training forensic analysts, they’re very qualified, and they’re often spirited away by the private sector,” Manfra said. “I think a lot of what we did over the past couple years … was we shouldn’t resist that as much. There’s a benefit to everybody for people to have a career in both government and industry, so thinking about workforce a little bit differently.”
Manfra also spoke about the 6.8 percent boost for DHS’ fiscal 2018 budget. Current spending levels are at $41.3 billion, and the Trump administration has proposed $44.1 billion, which would cover in part $1.5 billion for federal cybersecurity.
Manfra didn’t get specific about what the additional money would be used for, but she said DHS is focusing the next year on protecting dot-gov websites.
“We have learned a lot over the past 10 years,” Manfra said. “As we’ve learned, our environment has evolved as well.”
Manfra said she would like to see a strategy to address stronger dot-gov protections in the next few months, with plans to implement it in the next two years.
“I think we can do it, and I think we have a lot of support from the administration leadership, and between us and the private sector we have the tools,” Manfra said. “The complication is in federal government, you have to be able to scale pretty massively, and we have a lot of decentralized networks. That is always sort of the challenge in implementing these sort of cross-domain solutions. But I think we can do it, I think we have cabinet heads similar to the private sector where they understand this is their risk to manage.”
Metrics and disclosures
Rep. Jim Langevin (D-R.I.), who also spoke at the New America event, said he also wanted to see more protection of the dot-gov network by this time next year.
“You have NSA and the United States Cyber Command, they’re doing a better job at protecting the dot-mil network,” Langevin said. “We need to have I think more focus on protecting the dot-gov network and then working in partnership to close vulnerabilities in the dot-com world.”
Langevin said he expects Congress to take on more of an oversight role to determine if information sharing legislation “is having the desired effect.”
For his part, Langevin said he would be focusing on establishing metrics to determine how well cyber policies are working and how well agencies are adopting them.
“If we don’t know the degree to which they’re being adopted or degree to which they’re being effective, then we’re doing ourselves a disservice,” Langevin said. “This is going to be a time for oversight. There will be other bills I’m sure that are going to be making their way through Congress.”
Langevin said he’s working on a vulnerability disclosure that would set a uniform 30-day time frame in which a company has to disclose if customer data was stolen.