DHS Hears Government Infosec Pros' Concerns
Philip Reitinger on IT Security Challenges the Nation Faces
But two-thirds of government IT security professionals revealed in a recent GovInfoSecurity.com survey that they feel the federal government has failed to provide sufficient cybersecurity leadership (see Gov't Infosec Pros Question Fed's Security Resolve), a result that surprised Reitinger. "We are leading, but we're not the only people that need to lead," he said. "It is unfortunate that people don't really understand the threats that we face and the risks that we have." The interview with Reitinger occurred shortly before the Obama administration released its cybersecurity legislative package earlier this month (see White House Unveils Cybersecurity Legislative Agenda).
In the second part of a two-part interview with GovInfoSecurity.com's Eric Chabrow, Reitinger talks about:
- Efforts by the federal government to assist financially strapped local and state governments in meeting cybersecurity challenges
- Growth in IT security employment at DHS, saying a program to expedite hiring is working well, and DHS isn't experiencing problems recruiting qualified cybersecurity personnel.
Reitinger - who often served as the administration's voice and face before Congress - revealed May 19 that he's leaving the post of deputy undersecretary at DHS's National Protection and Programs Directorate effective June 1 (see Reitinger Resigns Top DHS Cybersecurity Post). In the first part of the interview (see DHS's Mission to Build Safe Internet), Reitinger discussed the policies behind a new DHS white paper, Enabling Distributed Security in Cyberspace, which addresses how the government working with the private sector can create a new, secure computing ecosystem on the Internet.
ERIC CHABROW: At a recent congressional hearing, you testified that sensitive information is routinely stolen from government and private sector networks, and you say we cannot be certain that our information infrastructure will remain accessible and reliable during a time of crisis. That sounds dire. Is it?
PHILIP REITINGER: I don't want to tell you that the sky is falling. I come to work every day and I get work done. But I'm telling you that the threat environment is significant, and it's not possible for anyone to stay completely secure. It's just too hard, even for the most concerned of agencies or private sector entities. And if we believe, as our President said, that our networks are national security assets, we need to pay significant attention to that problem.
CHABROW: We had a survey that we conducted among information security professionals in government who felt that the federal government was not really leading, approximately two-thirds, and these are government IT practitioners. Would you be surprised at that high of a number?
REITINGER: I'm rarely surprised by surveys. We are leading, but we're not the only people that need to lead. This is a distributed ecosystem. Our private sector partners need to be and, in fact, are at the table as well. It is unfortunate that people don't really understand the threats that we face and the risks that we have, and it is hard, occasionally, to get traction in a world where there are so many things that occupy people's attention for very legitimate reasons. There's a lot of turmoil in the world, there are natural disasters, and those are very immediate. With cyber, most people don't have the smoking gun in front of them. The tornado is not on their front door. We've got a long, hard road ahead of us to continue to say this is really important and people need to pay attention.
CHABROW: Is it really beyond government's ability, or the leaders in governments, to persuade the public of the dangers, or is there just too much competition for other things going on in the world, as you just alluded to?
REITINGER: We're marshaling the resources that we have to bear. The President himself gave a speech on cybersecurity when the cyberspace policy review was launched in May of 2009. How many heads of state have given a speech particularly dedicated to cybersecurity? I will tell you that the Secretary of Homeland Security talks about this all the time, as does the deputy secretary of Homeland Security, and the deputy secretary of Defense, and the secretary of Commerce. We have government leaders' attention, and they are using the resources at their disposal to carry the ball forward. There are a lot of things going on.
We also, at the worker-bee level, are making a lot of effort. For the first time now, we don't just have a cybersecurity awareness month; we've got a national cybersecurity awareness campaign. The goal here is to have very clear and direct methods that people can relate to, much like Smokey the Bear for preventing forest fires and the jingle about not crossing in the middle of the street for all of our children. We want that sort of simple message, so we're carrying the "stop, think, connect" message around. That's not all you need to do, but the idea is that people online need to check their brains at the keyboard. They use their heads when they drive so they drive safely. So they need to think when they're online. They need to stop before they're about to do something online, think about what it is they're about to do, and then connect, and do so in a safe way. It's sad for those of us in the information technology industry and people who have been cybersecurity geeks for 15 years, but nobody actually buys a computer to have computer security. They buy a computer to do things. That's the whole purpose of having a computer. That's why they're going to connect. They just need to do so in the right way.
Exempting Infosec from Budget Cuts?
CHABROW: As Congress looks for ways to cut the federal deficit, should they exempt IT security spending, and if they make cuts in IT security spending, would that damage our ability to safeguard federal information assets?
REITINGER: The resources that we in government need are those that the President asked for in his budget. We gave a lot of thought to the resource request, and as you can imagine, there's a fair amount of competition in government because there are a lot of missions that we need to accomplish. We think very hard about how much to ask for and where to put it. Obviously, cuts in cybersecurity, with the threat environment that we face, cause some concern.
CHABROW: A year and a half ago, Homeland Security Secretary Jan Napolitano announced that the department received new authority to hire up to 1,000 IT security professionals. How is that going, and what skills are the toughest to find?
REITINGER: It's going pretty well. In fiscal year 2009, we tripled the number of people that we have in the National Cybersecurity Division working cybersecurity, and in fiscal year 2010, we roughly doubled. Right now, we're up to about 240. We're hoping to grow to around 400 by the end of October of next year. We're avidly hiring people. In this environment, I definitely advise your younger listeners to go into cybersecurity. Jobs are not hard to find. The problem that we face is that there's nary a person that works for me in cybersecurity that couldn't walk out the door and double his or her salary. They work for government because we offer a critical mission space and an opportunity to be a patriot and help your country, but we ask people to make sacrifices. Given the fact that it's also more difficult to hire people in government, sometimes that can be difficult, but we're having a lot of success in hiring people. The skills that are in demand certainly include the technical skills. The people who are the "Jedi" of cybersecurity, who graduate from computer programs that have an emphasis in security and really understand what they're doing, those are hard people to get. We're doing a good job of getting them, but it's going to be a continuing struggle.
CHABROW: The thousand jobs that the secretary referred to, were they all for the National Cybersecurity Division, or were they for other functions?
REITINGER: That's across the department. Let me be clear for you. It's not 1,000 new positions; it's an authority to hire, in a more expedited way, up to 1,000 people into positions that we're including in our budget. We get to use special, faster government ways to hire people. Not that they're as fast as the private sector, but they're faster than typical government processes. And those apply for people who do cybersecurity or what's called information assurance across the Department of Homeland Security. We're continuing to move forward, and we would hope to work with Congress as we move forward to get additional expedited authority so that we can continue to compete with the private sector for those key people in the right way.
Struggling States, Municipalities
CHABROW: Obviously you're having more success than other kinds of governments, state governments or local governments. I talked to systems there, and they complain they just don't have the money and the resources. Is there anything new that DHS can offer local and state governments in securing their individual assets?
REITINGER: State and local governments are in a lot of trouble because, in some ways, particularly some of the smaller local governments, they're a lot more like individual end users, and they don't have the resources or the effective ability to secure themselves any more than you or I might on our home computers. That makes it very hard on them. One of the things that we have to do is make that easier, and that's where the paper that we talked about earlier comes in. We need to make it easier for people to reach an appropriate level of security.
In terms of things that they can do right now, there are programs that are helpful for them. A couple of things that I point out are the continuing growth of the Multistate Information Sharing and Analysis Center, which is located in New York. We support the Multistate Information Sharing and Analysis Center very heavily, and it's there to support the security activities of state and local governments and is piloting some very interesting programs to offer managed security services to state and local governments so it's easier for them to be secure. And my understanding is they're having a very good level of success in doing that. We're looking for additional ways that we can work with that center.
We directly work with states and localities, including their Homeland Security advisers and their chief information security officers, and have instituted another pilot program to make sure that those folks have security clearances and can get access to classified up to the secret level cyber information through state and local fusion centers. Finally, we are hoping to, in the near future, get someone from the Multistate Information Sharing and Analysis Center onsite at our cyber operations center, so we'll have an even more direct flow so state and local entities can get better access to what's happening in the environment, have situational awareness about what's going on, and react appropriately.
CHABROW: At least one state has used Einstein II, Michigan, for intrusion detection. Will that be expanded to states and local governments?
REITINGER: That was a very good pilot. I think we learned a lot. We're moving in a different direction right now because it's probably not as scalable an approach for the federal government to try to offer that service to all the states and localities. Instead, we're working through the Multistate ISAC to extend some of the commercial managed security services to the states.