Gov Vs. Biz: One Kind of Public-Private Partnership
Ex-TSA CISO: Feds Face Tough Challenge in Hiring Infosec Pros
Titus, in an interview with GovInfoSecurity.com (transcript below), says the federal government must do more to grow that partnership. "I think they are on the right track, but it needs to get pumped up and get going," she says. "There isn't enough dialogue going on in my mind. It is better than it was in previous years, but it is still not where it needs to be in order to address our critical infrastructure."
She characterizes DHS's plan of hiring 1,000 cybersecurity experts by 2012 as a hard-to-attain goal because many of the individuals with the needed skills work for businesses and may be reluctant to join the federal service. "A lot of people have been in the government and are not interested in going back into that environment; it is a very pressure-cooker environment," the former DHS official says. "You don't get a lot of pay for the glory. There are a lot of negatives. Obviously, the positive is you are serving your country, but it's the hiring process. How do I get in? A lot of people are comfortable staying in industry and providing their service back on a contractual basis. The other positive thing about being contracted to the government is you can stay refreshed with your certifications and stay in touch with IT security."
As TSA's CISO, she recalls, she received only $500 a year per individual for training and development. "Five-hundred dollars won't even get you a security training course at the SANS Institute," Titus says. Many private-sector employers, by contrast, have the budget to keep their employees' skills current.
In the interview, conducted by GovInfoSecurity.com's Eric Chabrow, Titus offers a wide-ranging evaluation of the current IT security environment in the federal government from a distinctive perch, including:
- Increasing DHS's authority over civilian agencies' compliance with the Federal Information Security Management Act;
- The activist role White House Cybersecurity Coordinator Howard Schmidt must play in guiding administration IT security policy; and
- The synergy between physical and virtual security.
Before her stints at Unisys and TSA, Titus worked as a technology adviser to the Department of Treasury's chief information officer, working extensively on enterprise network security.
ERIC CHABROW: At a congressional hearing in June, the highest-ranking cybersecurity official at the Department of Homeland Security, Phil Reitinger, testifying on the Lieberman-Collins bill, said that the Obama administration would rather not have separate organizations devoted to cybersecurity and physical security because they are jointly related. What is the link between securing the virtual and the physical?
PATRICIA TITUS: There has been a lot of integration between physical security and what we refer to as logical. Logical security utilizes infrastructure such as card readers and biometrics and video surveillance, which are all based on technology, so there are cyber implications to them, or virtual implications. I agree with Phil: by trying to pull them apart and put them into different agencies, you are going to have issues with the collaboration that needs to happen between the physical and virtual world.
Today, if you look at the organizational structures within an agency or a department, you will have a chief security officer, who deals with the personnel and physical security, tightly coupled to your chief information security officer, who handles your virtual security or your IT security. The CISO usually reports under the chief information officer, where your CSO or chief security officer usually reports in to a chief operating officer or in some instances even a chief human resources officer.
CHABROW: Do you think that structure is a good one to continue or are we getting to a point where maybe things will start being viewed differently, not only in government but elsewhere?
TITUS: The chief security officer and chief information security officer have, through the FISMA (Federal Information Security Management Act) legislation, always had a very tight relationship. If you look at the Homeland Security Presidential Directive 12, HSPD 12, which is the common access card, now you are starting to see the linkages: an IT system that uses badging with your common access card to get into a building is now being looked at for logical access to the network as well. It also stores your credentials to get into a building as well as to get on the network, so I think there is a convergence happening.
I don't know if it is a good idea right at this point in time to converge the two; we are starting to see some of that happening in the private sector, actually, where you have got chief security officers who have responsibility in some way, shape or form for the IT infrastructure as well from a security perspective. I would say the government probably doesn't need to go that route quite yet and probably should wait until industry irons out the issues with the convergence between CISO and CSO roles.
CHABROW: The administration is giving the Department of Homeland Security more authority over other federal civilian agencies in securing IT, the so-called .gov part of government, and some bills in Congress do exactly that, such as Lieberman-Collins. There are some lawmakers who are reluctant to do so, and there are other bills that would not give that kind of authority. What do you perceive as the role of DHS as the guardian of the .gov area?
TITUS: I really think that direction should be coming directly from Howard Schmidt, our cybersecurity coordinator. The view when he took office was that he would have overarching visibility into the civilian agencies as well as the DoD, U.S. Cyber Command and also the intelligence community.
I would hope that Howard Schmidt is well engrained in what resources, commitment and ultimate power are being given to Homeland Security in protecting this .gov domain, which in my mind really belongs to Vivek Kundra, our CIO. So it's a little bit concerning if it's only Homeland Security being given more power versus the direction coming from Howard Schmidt, our cybersecurity coordinator, who should be giving ultimate direction on a policy basis on both sides of the fence.
CHABROW: There was a document issued by the Office of Management and Budget, the office where Vivek Kundra works and reports to the OMB director, and jointly signed by OMB Director Peter Orszag giving DHS more cybersecurity authority. Is that the appropriate way to handle this?
TITUS: I think that's the right direction. It allows Howard to have visibility into what level of authority Homeland Security is being given over the .gov, but I also would think that DHS is going to take a more succinct and more proactive role with our citizen protection. The IT infrastructure within the United States could also be considered part of protecting homeland and from a consumer basis we can't forget that component either.
Right now, I am sure all the focus is based on the federal agencies with the changes to the FISMA legislation and some of the other national critical infrastructure protection legislation that is pending. I am a little bit concerned that we are getting close to recess and elections and that any of this is actually going to get through Congress.
CHABROW: Is there really a critical need to get it done now versus next year? Because, for example, one of the big changes that people talk about is FISMA reform and it seems like what is coming out of OMB in many respects is FISMA reform; going to real-time monitoring versus paper process. Is it worth waiting a few more months?
TITUS: That is interesting and I am glad to hear you say that, Eric, because there are not a lot of people who have actually picked up on that continuous monitoring piece and the direction that is coming out of OMB and our federal CIO. I would say that there is reform going on, but I will also say that that continuous monitoring piece that we are now focusing on has always been in the original FISMA legislation. Everyone was so focused on that certification-and-accreditation component that they forgot to keep going: after the last part of certification and accreditation, the next step is continuous monitoring.
I am really excited to see the government focusing on that so they can get out of this paper malaise that they have gotten themselves into and really focus on what matters, and that is continuously monitoring for vulnerabilities and threats.
CHABROW: What is the need to have significant cybersecurity legislation pass sooner than later?
TITUS: To be honest with you, Eric, some organizations and companies might be waiting for the legislators to tell them what to do. I think that's the wrong approach, and people should be encouraged to start working proactively, to start looking at their internal defenses and whether they are doing enough to achieve adequate security controls. If we don't get something through our legislature, people are going to go back to the status quo and we are going to lose the momentum that we've gained over the past year plus since President Obama announced that cybersecurity was a national priority.
CHABROW: What areas of cybersecurity should be more aggressively addressed that aren't being addressed now?
TITUS: Well, I think, several things are being addressed so I wouldn't say that there are areas that are not being addressed. It is the areas of criticality for the country so obviously I am very keen on the National Critical Infrastructure Act that looks like it is going to make its way through here, hopefully before recess and elections.
That is really important for us to determine what level of authority the president has, what constitutes cyber warfare or a cyber attack that would allow the president to request from the private sector that certain things be taken offline. There is a lot of work that needs to be done there and it's not just legislative, it's also the public/private partnership conversations that need to get going, focused on this critical infrastructure.
To me, that is a conversation that hopefully we will see happening soon between Howard Schmidt and the Information Technology Sector Coordinating Council, or what's called the IT SCC. Those types of conversations need to pick up and get better formulated, with better frameworks and better performance measures and metrics, to respond back to protecting critical infrastructure, since I hear numbers like 85 to 90 percent of the critical infrastructure in the United States is owned by the private sector. Legislation is great, but it has got to be a public/private partnership with more output from the government than we have seen in the past.
It has gotten tremendously better under this administration. I am seeing more communication coming out of Homeland Security in the form of alerts; more communication between the sector coordinating council and the information technologies strategic advisory council, the IT-ISAC; on all of those committees I am starting to see a lot more communication, but it really needs to get pumped up and get more attention so that the private sector can have more input than we've had in the past and the government can have more output than we have seen them have in the past.
CHABROW: Every time I hear someone from the administration talk about cybersecurity, they are always talking about public/private partnerships. Are you saying that they are not doing enough, or that they are on the right track and just need to continue doing what they are doing?
TITUS: I think they are on the right track, but it needs to get pumped up and get going. There isn't enough dialogue going on in my mind. It is better than it was in previous years, but it is still not where it needs to be in order to address our critical infrastructure.
CHABROW: And why do you suspect that's the case?
TITUS: I am assuming that it's based on resources. If I look at Homeland Security wanting to hire 1,000 cybersecurity experts or IT security professionals, where are they going to come from? Those individuals right now are in critical infrastructure roles within companies in the private sector. So if they all get hired by the U.S. government, who is going to be out in industry protecting critical infrastructure? So it is kind of a double-edged sword.
CHABROW: And the answer is?
TITUS: I think Homeland Security is having a tough time filling positions, especially positions with experts, where they need to be pulling at a subject-matter-expert level. A lot of people have been in the government and are not interested in going back into that environment; it is a very "pressure cooker" environment. You don't get a lot of pay for the glory. There are a lot of negatives, and obviously the positive is you are serving your country, but it's the hiring process (how do I get in?), so a lot of people are comfortable staying in industry and providing their service back on a contractual basis. The other positive thing about being contracted to the government is you can stay refreshed with your certifications and stay in touch with IT security.
When I was in the government, we were only given $500 a year for individual development, meaning training and education; $500 won't even get you a security training course at the SANS Institute. The bonus to industry is we are able to put more money into our people and our human capital development, which is critical and key for us, and that's something that the government has not been able to do up to this point. The other thing is the government doesn't have a job series category through the Office of Personnel Management for IT security professionals.
They talk about certifying, and in some of the legislation I have seen they want to have a certification program for cybersecurity people working in the government, but yet they haven't solved the problem of the job series. So, right now, everybody falls under what is called a GS-2210, which is an IT specialist, so they really need to come up with a different job series for the cybersecurity professional in the government.
CHABROW: What you are suggesting is something that government has done for many years in contracting out a lot of its services to companies like yours and others. Obviously, working for Unisys, you probably don't see a problem with that, but with something like cybersecurity, is there still a need for a certain number of people to be employed by the government while some work is still contracted out?
TITUS: I think there is a healthy balance between the trust-but-verify model that needs to happen. There has been a lot of discussion about what is inherently governmental, and I think that is another area where the government has to decide what is inherently governmental and what we can contract out, and then, if we call something inherently governmental, meaning a government employee needs to perform that work, where do I get the resources and how much do I pay those resources to perform that job?
There are a lot of variables to it, but I agree that there is a balance between the number of federal employees versus the number of contract employees, and I did have to balance that in my previous job in the government. There is a very fine line between maintaining what is called full-time equivalent staff, or FTE staff, and hiring out and contracting. The bonus of contracting is you can move your resources in alignment with the needs of your organization, versus you've hired a person, you have put them in a position and that is where they stay for five years.