Cybersecurity's Critical Need: Better Metrics

Global Economy Dependent on Secure Information Networks
With the global economy so dependent on the Internet, the need for better cybersecurity metrics is crucial, and the government must take the lead to ensure proper measurements are developed, says the top cybersecurity leader at the Department of Homeland Security.

"Markets rely on information to allow effective decision making, so if you want people throughout the ecosystem ... and this is actually absolutely going to be required, to make effective decisions, to institute the right practices, to buy the right products, then you have got to give them the data they need to make effective decisions," Philip Reitinger, deputy undersecretary of DHS's National Protection and Programs Directorate, said in an interview (transcript below). "They have got to be able to make decisions based on data and not religion."

In the second of a two-part interview conducted by Eric Chabrow, Reitinger also discussed:

Balancing incentives with regulations to get the private-sector operators of the nation's critical IT infrastructure to provide adequate system safeguards.
Deployment of the Einstein 3 intrusion prevention system, which he contends does not infringe citizens' privacy rights.
Importance of the recently opened National Cybersecurity and Communications Integration Center.

In Part 1 of the interview, Reitinger discussed the need to develop innovative, collaborative approaches to meet the human resources needs to safeguard government systems and how much risk the government faces by not having a sufficient number of cybersecurity professionals.

Before his appointment in March, Reitinger served as chief trustworthy infrastructure strategist at Microsoft, where he was responsible for helping improve the protection and security of the nation's critical IT infrastructure. This role allowed him to coordinate closely with government agencies and private partners on cybersecurity protection programs to build trustworthy computing systems worldwide.

Reitinger also served as a member of the Federal Emergency Management Agency National Advisory Council, where he advised the FEMA administrator on aspects of cybersecurity related to emergency management. FEMA is part of DHS. He is an expert on computer crime and policy, and previously served as the executive director of the Defense Department's Cybercrime Center, charged with providing electronic forensic services and supporting cyber investigative functions department-wide. Before joining DoD, Reitinger served as deputy chief of the Computer Crime and Intellectual Property division at the Justice Department.

Reitinger holds a law degree from Yale Law School and a bachelor's degree in electrical engineering and computer science from Vanderbilt University.

ERIC CHABROW: When will the government's intrusion detection system known as Einstein 3 be ready and how does it differ from the first two versions, and why is this third version important?

PHILIP REITINGER: We are moving forward on Einstein 3 right now. We are in particular working most directly on an exercise to test Einstein 3 capabilities.

Einstein 3 differs from Einstein 2 because it is an intrusion prevention system as opposed to an intrusion detection system. Both of them look for specific patterns of known malicious activity. The intrusion detection system of Einstein 2 is something that when the attack occurs notices and says, "hey, an attack has occurred." An intrusion prevention system takes that a step farther and can actually stop that attack in progress and say, "I'm not going to let you succeed." They are both dedicated towards the same end of securing government systems, providing defense in depth, but one is able to act a little bit more quickly.

CHABROW: How successful has Einstein 2 been?

REITINGER: Einstein 2 is being rolled out on an increasingly broad basis and we are finding it an effective means for helping to detect malicious activity on the government networks.

CHABROW: Some privacy advocates contend that Einstein 3 relies on predefined signature code that might contain personally identifiable information and threaten the privacy of law-abiding citizens. They say Einstein 3 could operate within the networks of private telecom companies, intercepting data before it reaches government networks and that could be considered an interception under electronic surveillance laws requiring a court order. Are these valid concerns?

REITINGER: We are proceeding in full collaboration with the Department of Justice and with our own privacy and civil liberties communities to make sure that we stay squarely within the boundaries of allowable authority.

Our purpose is to protect government networks, not for any other purpose. To that end, it is not our intention to go out and seek to collect things like personally identifiable information. Our intent is, instead, to say what constitutes an attack, what is malicious traffic, and when we see something that is malicious traffic that is an attempt to compromise a government system, and quite conceivably impair the privacy of Americans whose data is held or the people who are working on those government systems, that we can detect that and stop it and do a better job of actually protecting privacy.

CHABROW: The Internet Security Alliance came up with a list of incentives to encourage businesses to properly secure their IT systems in a move to discourage government from regulating cybersecurity. Still, some in Congress and elsewhere believe that some regulation will be needed. Where do you stand on all of this?

REITINGER: People in both the private sector and government are committed to increasing the security of our nation. Having come into government from the private sector, I firmly believe that to be true. There are people of very good will among both the public and private sector ... that want to work together to make our nation as secure as possible. But, it is also the case that the market may not go as far as we need to go in order to enable the full protections of national and homeland security. That is why you see private-sector groups coming out with proposals for regulation or additional incentives.

We are working avidly with the private sector, having discussions within government to make sure we have the right policy framework, which could be a mixture of different things, to make sure we can best close that gap between what the market may provide and what we actually need.

It is also a false choice to say, you know we are talking regulation or no regulation, and point of fact there are large parts of critical infrastructure and network systems that are already regulated. The Federal Communication Systems have important rules for how telecommunications providers work. There are Gramm-Leach-Bliley regulations for the financial services industry. There is HIPAA for health services. Within the organizations that report up to the undersecretary of the National Protection and Programs Directorate is the group that runs the Chemical Facility Antiterrorism Standards regime. That is a set of risk-based standards that included specific risk-based standards for cybersecurity.

We have got a set of regulations and incentives already, the question is making sure that that policy framework, including some regulation, some incentive and a lot of market activity, will work together to drive the level of security we need.

Critical Need: Better Metrics

The one other thing I say on that point, not to run on at the mouth, is one of the things we actually need that is critical for that market to be as effective as possible is better metrics. Markets rely on information to allow effective decision making, so if you want people throughout the ecosystem, both in the U.S. and internationally, and this is actually absolutely going to be required, to make effective decisions, to institute the right practices, to buy the right products, then you have got to give them the data they need to make effective decisions. They have got to be able to make decisions based on data and not religion.

We need to drive better metrics regimes that will let them make those effective decisions so that the market itself is as effective as possible.

CHABROW: Who is to develop these metrics?

REITINGER: That is going to be a broad spectrum. Clearly, a big role there lies in National Institute of Standards and Technology within the Department of Commerce. They have done some groundbreaking work, including developing sets of controls for FISMA (Federal Information Security Management Act), working on metrics for things like how effective cybersecurity tools are within the Department of Homeland Security. We have done great work with the private sector and internally on working to develop the right metrics for the security of infrastructures, sectors, all of us are going to have to collaborate together going forward to make sure that that set of metrics covers what it needs to.

CHABROW: As you know, there is a lot of activity, mostly in the Senate, around several bills being developed relating to cybersecurity. What would you like to see come out of Congress relating to cybersecurity?

REITINGER: I am not in a position yet to make any particular (prediction) of Congress in this space. I think that the attention that Congress is giving to the issue is very valuable and we look forward to working with Congress to have the best policy regime possible so that we in government and the private sector can be fully effective.

CHABROW: Are you or someone on your staff meeting with Sen. Joseph Lieberman? He is supposedly putting together an omnibus cybersecurity bill?

REITINGER: I travel to the Hill a fair amount as do people from across DHS. Congress is obviously a critical stakeholder.

CHABROW: Anything else you would like to add?

REITINGER: You asked before about what sorts of things are we doing. One of the key things that we announced recently that you are probably familiar with and may have written about is the creation of the National Cybersecurity and Communications Integration Center and that is just one example of how we are moving forward to take the capabilities that we have got and integrate them in a more effective way.

The NCCIC is a collocation of some of our key cybersecurity and communications operations centers so that their watch capabilities are sitting together, breathing the same air, increasingly with the private sector will work jointly to make sure our information and communications networks are as secure as possible.

The other important thing about that is we are listening to our customers, to our stakeholders. The creation of an entity like the NCCIC has been recommended by the National Security Telecommunications Advisory Committee, by a tiger team that was established over a year ago, and by various other private and public bodies, including the Government Accountability Office. We are listening. We are figuring out where we can go to be most effective and we are working jointly in full partnership with our government partners and the private sector to bring all of the national capabilities we have got to bear on the problem.

About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
