Defending DHS as a Cybersecurity Leader
Mark Weatherford on DHS's Growing Sway over Infosec Policy
The top Department of Homeland Security policymaker focused exclusively on cybersecurity, Mark Weatherford, defends DHS's ability to take a leading role in safeguarding civilian agencies and key national IT systems. His viewpoint challenges questions raised about the department's capabilities by critics such as Sen. John McCain.
"With all due respect to the good senator, and you know he is one of my heroes, there was probably a point in time where DHS probably wasn't the place where you would think that the cyber talent and the cyber [defense] should be, but that has changed," Weatherford says in an interview with Information Security Media Group's GovInfoSecurity. "We are more mature now. We are developing the talent. We have the chops to do this, and we are proving it on a daily basis."
McCain, R-Ariz., is a leading critic in Congress on giving DHS more sway over coordinating cybersecurity among federal civilian agencies and the private sector, responsibilities being advanced by the Obama administration and Democratic lawmakers. Last year, in debating cybersecurity legislation, McCain said in a Senate floor speech: "I think I speak for many when I question the logic of putting this agency in charge of sensitive national security matters. They can't even screen airline passengers without constant controversy."
Recruiting Top Talent
But Weatherford suggests McCain's assessments of DHS's capabilities are outdated, and he hears of a growing confidence in the department's ability to lead cyber-defense for the civilian part of the government and the nation. Since becoming deputy undersecretary in the fall of 2011, Weatherford has been recruiting some of the top cybersecurity talent from other parts of the federal government to strengthen DHS's IT security abilities [see Building DHS's All-Star Cybersecurity Team].
"I've been very pleasantly surprised at the skill that we're able to attract here at DHS ... we've matured so much in the past year," Weatherford says. "We weren't even on people's roadmap; we weren't in people's vision a year ago. Now, people know and are beginning to understand better what the mission of the Department of Homeland Security is in the cyber-arena and that they can actually come here and do some pretty dang interesting stuff. Not to toot our horn too much, but we're attracting some of the best talent out of some of the other civilian federal agencies that I'm pretty satisfied with. It's causing some consternation in other organizations sometimes, but we're having a lot of success with that."
The talent Weatherford has attracted to DHS includes John Streufert, who as State Department chief information security officer rolled out a continuous monitoring program that's credited with reducing IT vulnerabilities. Streufert, as DHS director of federal network resilience, is helping other agencies deploy continuous monitoring [see Continuous Monitoring and the Cloud].
Other recruits taking top DHS cybersecurity posts include Rosemary Wench, a seasoned Defense Department information operations director, as the main DHS contact with the National Security Agency [see DHS Fills Senior Cybersecurity Post]; and former Energy Department Chief Information Officer Michael Locatis as assistant secretary for the Office of Cybersecurity and Communications [see DHS Taps Energy CIO for Senior Infosec Post]. DHS announced earlier this month that Locatis is leaving that job.
Still, the perception of DHS strengthening its cybersecurity leadership role is growing, Weatherford says.
"The number of phone calls, the number of interactions that we're getting from the private sector on a daily basis has increased almost exponentially off the charts in the past year, and that is because people trust us to do what we're doing," Weatherford says. "When you think about it, we are the Department of Homeland Security. Our job is working with the private sector, the civilian organizations in the private sector across the country to help manage and secure their infrastructure. ... That is our mission to do that. We have matured an awful long way and I don't, quite frankly, think there is anybody that does doubt this capability."
To make his point, Weatherford offers an anecdote about a posting made by a Facebook friend he doesn't know very well. In her posting, she asked: Where does the responsibility for cybersecurity sit in the United States?
"Now," he says, "I thought that was kind of an interesting thing for her to post on Facebook and I don't even know who all her friends are, but all the responses start coming back and it was primarily people [who] said, 'Well, obviously DHS is.'"
But leading cybersecurity efforts doesn't mean going it alone, Weatherford says, and DHS must collaborate with other organizations such as the FBI, National Security Agency and sector-specific federal agencies. "It's working with other agencies that we can accomplish this; we cannot do it all on our own," he says. "I think certainly the responsibilities on the authority are with DHS, but we cannot do this by ourselves."