Defending IT: Swimming Against the Tide
"U.S.-CERT started out as a government CERT," Vickers said in an interview with GovInfoSecurity.com (transcript below). "But, really and truthfully, U.S.-CERT is growing to be a national CERT."
Vickers said he wants the agency to work with organizations that aren't formally associated with industry-specific information sharing and analysis centers. "Our goal is to be able to build to that mission, not only work with the federal government, not only work with critical infrastructure, but work with organizations that aren't tied to a specific sector," he said.
To accomplish its mission, Vickers said, U.S.-CERT must train, equip, and hire personnel. "We are trying to be that center of excellence for cybersecurity, not only for the federal government, but for the nation as a whole."
In the interview, with GovInfoSecurity.com's Executive Editor Eric Chabrow, Vickers discusses the:
- Need to keep ahead of our virtual adversaries, who constantly improve their tactics to do harm;
- Improving relationship U.S.-CERT has with local, state and tribal governments, including the Multi-State Information Sharing and Analysis Center;
- Evolution of sharing of computer security information with U.S.-CERT's various stakeholders;
- Goals he has to expand U.S.-CERT's mission to protect America's IT assets.
Vickers retired three years ago as an Army lieutenant colonel; his last military assignment was chief of the Defense Department's Computer Emergency Response Team. In 2007, Vickers was tapped to be U.S.-CERT's deputy director, and he became its acting director a year ago with the resignation of Mischel Kwon. He was named full-time director in April.
ERIC CHABROW: You've been at U.S.-CERT for three years, first as deputy director, then acting director, and now director. How would you assess the security of government IT over those three years? Are we safer today?
RANDY VICKERS: That's actually a hard question to answer because we, as the federal government, have done a lot to improve the security posture of our assets. But, in doing so, the adversary has also gotten more technically confident and stronger. Yes, we are more secure than we were yesterday, but it doesn't end there. It's got to continue to grow to keep up with the adversary. The adversary may be able to focus certain technologies against certain assets; we've got to be able to look across the whole spectrum of assets in this federal government, and be able to defend that, and keep up with the change in technology and abilities of the adversary.
CHABROW: That seems quite a challenge. How do you go about doing that?
VICKERS: To work in the reactive environment is a way to do that. To be able to look at the alerts that we get through programs like Einstein, to get reports from departments and agencies, that helps to paint a picture. But, because this isn't a one-organization problem, we have to rely heavily on our partners. We work in coordination with the intel community. We work in coordination with the law enforcement community. We work in coordination with industry, to understand the environment, so we can try to stay ahead of the challenges. The sensors we have are just on the federal government. That is a small percentage of the national assets, with critical infrastructure, with industry, etc., so we have to rely on other information resources: industry, intel, law enforcement, etc., to be able to help paint that picture and understand that environment, to be proactive, instead of relying on the retrospective analysis and the reactive measures that traditionally cybersecurity defenders have to deal with. We are getting better, not only U.S.-CERT, but the federal government, at doing that cross-sector, cross-agency coordination.
CHABROW: Please give an assessment of where we are today versus the past, and where we are going in the future, with information sharing among the various constituencies.
VICKERS: We are way ahead of where we were, even at the point at which, when I started at U.S.-CERT in December 2007. We had probably very small numbers of relationships, predominantly with relationships formed through the Information Sharing and Analysis Centers and finite numbers of forums that we interface with.
We are now moving forward with the stand up of the National Cybersecurity and Communication Integration Center, being able to bring in, at least initially, the ISACs and being able to reach out to other organizations and industry. We have learned through events this year that we need to work more with industry. The transparency piece is improving. We all have sensitive information, some from a national security perspective, some from a proprietary intellectual property perspective, and we are diligently working ways to be able to share information to both sides, and keep equities in place and statutory issues in mind, and being able to share that information. Are we where we need to be? Not yet, but we are making great strides to be able to share information with individual organizations and companies. We are doing pilots with several of the sectors to be able to share information that more granular recipients can get. It's not just going to the chair of an ISAC, it's being able to go across a sector, without necessarily having to be a member of an ISAC, because we are making information available as we can, and we are growing that, and learning where those gaps are, and trying to fill those gaps with capabilities to share information with industry.
CHABROW: Do any laws have to be changed to allow more transparency, more interaction with sharing of information?
VICKERS: I'd rather not go into any detail, because there are a lot of issues going on right now with legislation. I know the Defense Department is looking at ways through their defense industrial base and their defense federal acquisition regulations on how to make that better, but there are probably some capabilities that need to be defined, because a lot of the regulations that were written were not written in a time of cybersecurity. There are a lot of things that need to be looked at, personally, in my personal opinion, and I believe that the cybersecurity coordinator, Howard Schmidt, the DHS leadership, and others are looking at where the gaps are that need to be fixed, possibly through legislation, or some types of activity like that.
CHABROW: Let's talk about the relationship between U.S.-CERT and the states. How has that evolved?
VICKERS: That's actually growing well. I guess our greatest accomplishment has been the standup and the maturation of the Multi-State Information Sharing and Analysis Center, the MS-ISAC, owned by Wil Pelgrin up in the state of New York. They are a great asset to deal with state, local, tribal government type incidents, so a state can go to them whenever they have an incident, and then the Multi-State ISAC will actually work with us in helping them to mitigate, and they become the watch, basically, currently, the U.S.-CERT equivalent for the states. That is a great relationship that we have with the Multi-State ISAC. One, it aids in this capability: as the states become more mature in their cybersecurity efforts, it gives them a focal point that can focus on the state and local level, and helps, kind of as an extension to U.S.-CERT. As we continue to mature, adding 50 more states, and a multitude of territories and tribal areas and local governments, would be difficult to be able to keep up with that growth, and the Multi-State ISAC is able to help improve that coordination with the states.
CHABROW: What are your goals for U.S.-CERT over the next year, or so?
VICKERS: U.S.-CERT started out as a government CERT. Its focus was the federal departments and agencies. It has expanded to critical infrastructure with the onset of HSPD (Homeland Security Presidential Directive) 7 and the role and expansion of DHS. But, really and truthfully, U.S.-CERT is growing to be a national CERT.
Our goal is to be able to build to that mission, not only work with the federal government, not only work with critical infrastructure, but work with organizations that aren't tied to a specific sector. If you look at some of the software development companies, or application companies that aren't operating systems, or aren't routers or infrastructure systems, they may not clearly align with a specific sector, like the IT sector or the communications sector or the water sector, or something like that. So, we need to be able to assist them.
Also, as the general public becomes more cyber aware, not only through what they read in the press, and what they learn in schools, but also what U.S.-CERT can provide them in information services, we've got to be able to grow to expand that. As DHS takes on the cyber mission that it is being handed by Congress and the White House and OMB, we've got to be able to step up and support that mission, from an operational perspective.
My goal is to be able to train, equip, hire and get people onboard, and get the resources onboard, so that we can do that mission. We are trying to be that center of excellence for cybersecurity, not only for the federal government, but for the nation, as a whole. Now, honestly, we can't do it by ourselves, and that's why we work with the partners that I mentioned earlier. We also are being approached from an international perspective; as cyber becomes an international thought, we have had engagements with foreign governments that are standing up CERTs, so we will help them, at least point them in the right direction, for best business practice and things we've learned, and to help grow that.
CHABROW: And why is U.S.-CERT the organization to do this?
VICKERS: The challenges that you would face with an intelligence organization, a law enforcement organization or other organizations to do that, they have specific statutory missions to execute. We do, from a lot of different perspectives, but we're not a regulatory organization; we're not going to go fine somebody for doing X, Y, or Z. We're not going to audit them for not doing X, Y, or Z. We're not law enforcement. We're not going to go do an investigation and show up with a badge and confiscate a computer. And we're obviously not the intel community.
Even though we work with all of those types of organizations, our mission is to be that focal point, to pull in information and then assist with incident response and provide information for incident prevention. If you look at other organizations across the U.S., they tend to be niched in some cases, or they have specific laws and statutory limitations and restrictions. We have the ability to be able to expand a lot of that. The other thing is, being a part of the Department of Homeland Security, whose charter is to provide security to the homeland, not only from a kinetic perspective or a physical perspective - you know, your border control, FEMA, your airports, all that stuff that we see every day in a lot of different aspects - but because DHS has that role, U.S.-CERT being part of DHS, it's a natural fit for U.S.-CERT to be that focal point.