Cybersecurity is king! It seems you can’t turn on the news or look at the Internet these days without hearing about ongoing cyber threats, bad actors or investments in new cyber technologies. Behind all the sensationalism is the reality that more and more individuals are actually being adversely impacted by an increasing number of breaches.
After six years in senior leadership at the Department of Homeland Security, I knew it wouldn’t be long before I received my notice from the Office of Personnel Management (OPM) regarding the status of my personally identifiable information (PII). It was all contained in the wide-ranging SF-86 form I filled out in 2009 to obtain my Top Secret clearance. Sure enough, it was a short wait.
The letter arrived in a non-descript envelope, from a company I had never heard of, last week. It read, in part, “You are receiving this notification because we have determined that the data compromised in the recent incident may have included your personal information, such as your name, Social Security number, date and place of birth, and current or former address.” This statement downplays the breadth of the information that was actually in those files. Basically, they took it all. I am certainly not alone. This grand slam of PII breaches has the potential to impact current and former Federal employees for years to come.
Increasingly, the White House and Congress are turning to DHS as the epicenter for protecting the .Gov environment.
So what can DHS do to improve Federal cybersecurity?
Here are five steps DHS can take to help reduce risk and better protect key government systems and networks from emerging cyber threats.
- Accelerate CDM Deployment
DHS has two major acquisitions for protecting the totality of Federal agencies, the National Cybersecurity Protection System (commonly referred to as Einstein) and the Continuous Diagnostics and Mitigation program (CDM). Einstein is broken up into several blocks of activity ranging from detection to information sharing. The latest iteration, Einstein 3 Accelerated (E3A), uses the major Internet Service Providers to apply classified and unclassified malicious “signatures” to agency traffic before it enters their networks. The difficulty with this approach is that the ISPs are in different places when it comes to their own capabilities and security postures. This leads to an unevenness when applying the E3A protections. Also, Einstein has to recognize the threat in order to be most effective. We know that hackers are constantly changing their methods and approaches. This makes it harder for Einstein to stop the attacks at the perimeter. A better investment for DHS and the Federal government would be to increase funding in FY 2017 for CDM. Since we now know the most sophisticated adversaries are going to get past Einstein, it makes more sense to accelerate the program that can actually monitor the network in real time and deploy mitigation strategies quickly to remove the threat before significant harm occurs. The current timetable and investment strategy for CDM is too long to make a significant difference when attacks are damaging us today. Now is the time to give the folks on the front lines of this fight the resources to be most effective.
- Cross-Train Current DHS IT Professionals for the Cyber Fight
In 2012, then DHS Secretary Janet Napolitano formed the CyberSkills Task Force under the Homeland Security Advisory Council. The charge to this group of cyber experts from industry, academia and government was to delineate an executable strategy for properly staffing DHS for the cyber fight to come. The task force called for hiring of up to 600 additional cyber professionals in 10 mission critical cyber skill sets. Even with a special hiring authority from OPM, this recommendation has fallen far short. One bright spot from these recommendations has been the exceptional work of the Cyber Management Support Initiative (CMSI), led by Executive Director Renee Forney. This office, with limited resources, has helped to set standards and provide meaningful tools to components across DHS to assist in the hiring process. The reality is that DHS will continue to have trouble hiring cyber ninjas when competing with the private sector and other Federal agencies, like the FBI and NSA, that seem more exciting. There are currently thousands of DHS employees doing IT work across the department, but only a fraction qualify to be categorized within the 10 mission critical cyber skill sets. With OPM going to paper processing for screening of security clearances, it will take an eon to onboard a critical mass of expertise from the outside. With the help of CMSI, DHS should start cross-training a subset of current IT professionals who can swiftly be deployed to key cyber jobs that need filling now. DHS should also go to its major partners in the private sector for a short-term filling of the skills gap.
- Deliver Fast Track Acquisition for Cyber
Responding to an imminent cyber threat is not the same as building a National Security Cutter for the Coast Guard, yet for acquisition purposes, DHS treats both the same. This is not the department’s fault. The Federal Acquisition Regulations (FAR), which are about a foot thick, dictate much of this policy. Several years ago, DHS made an effort to provide key cyber components a tiered approach to procuring essential tools and services based on emerging threat. This acquisition approach was more agile and more likely to allow DHS offices the ability to respond within days not months. Unfortunately, that program was not completely successful. In light of recent events, DHS needs to renew the drive for fast track acquisition capability in those cyber programs where it is obviously needed and can be justified as an imminent threat.
- Co-Locate the DHS Cyber Watch Floor and US-CERT at St. Elizabeths
The DHS Headquarters Consolidation Plan at St. Elizabeths in SE Washington DC has long been a political football. Proposed by then DHS Secretary Michael Chertoff as a way to improve command and control for a nascent department, Congress has never really gotten on board with the funding. Phase I of the plan was to build the Coast Guard a new home. With American Recovery and Reinvestment Act (ARRA) funding, this became a reality. That’s where the construction stopped for about four years. In more recent budget bills, Congress has authorized the rehabilitation of the Center Building, which will likely house future DHS secretaries. In the interim, there is an opportunity to take advantage of some important cyber synergies at Coast Guard headquarters. Last year, the DHS Security Operations Center relocated to St Es. When coupled with the strong vision Coast Guard Commandant Zukunft has for advancing cyber as a member of the .Mil community, the co-location of the DHS National Cybersecurity and Communications Integration Center (NCCIC) and the US Computer Emergency Readiness Team (US-CERT) would be a powerful combination for enhanced cyber cooperation and coordination. The added benefit would be that other partners in government and key infrastructure sectors who also staff the NCCIC would be situated together on a 21st century cyber watch floor at a Level 5 secure facility.
- Embrace Private Sector Cyber Innovation
Since leaving government after 24 years to work with the private sector, I have been pleasantly surprised at how forward leaning industry has become in advancing innovative cyber approaches. Part of the challenge is that when you’re inside the fence line at DHS headquarters or in the components it is often difficult to hear this message. With the renewed push for strategic and pre-acquisition planning led by current DHS Secretary Jeh Johnson, there is a real chance to create an ongoing dialogue with industry that will not be seen as violative of procurement regulations. One general DHS Industry Day per year is not going to be sufficient to generate the ideas necessary to advance innovative cyber discussions that can turn into action. The DHS Under Secretary for Management and the Under Secretary for Science and Technology should jointly establish a formal process for the department that gives private sector companies the chance to offer innovative methods and ideas for combatting cyber threats early in the acquisition lifecycle. While combatting cyber threats can be a complex and resource intensive journey, there is hope that by acting on these ideas and others we can find a way to reduce the risk to our citizens. There are a great many dedicated professionals at DHS and across the government that deserve our full support as this battle continues.
Chris Cummiskey is a former Acting Under Secretary for Management at DHS. He also serves as a Strategic Advisor to GTSC and a Senior Fellow with the George Washington University Center for Cyber and Homeland Security.