Don't Overload DHS with Cybersecurity Tasks
That isn't what Mischel Kwon says, but it represents the gist of a point she made in an interview with GovInfoSecurity.com (transcript below):
"What worries me the most is how we think about our IT systems and, therefore, how we protect them. We often think about them as just that, computers and assets, when we really need to be thinking of them as the integral part of the mission. And, what is important is that when we look at the fact that we are protecting the mission, the actual work that is being done on these systems, and that the systems are just inconsequential."
By focusing on mission, key people - departmental and agency leaders, for instance - and not just technologists have a stake in securing IT, said Kwon, now vice president of public sector solutions at the information security firm RSA.
In the interview, conducted by GovInfoSecurity.com's Eric Chabrow, Kwon also discussed:
Kwon joined RSA in August. She headed U.S.-CERT from June 2008 to August 2009. Previously, she served as chief IT security technologist within the Justice Department as well as its acting deputy director of IT security. Since 2006, she has served as an adjunct professor of cyber defense and leads the Cyber Defense Lab at George Washington University.
She earned a master's degree in computer science from Marymount University and a master's certificate in information assurance from George Washington University.
ERIC CHABROW: How safe are government IT systems?
MISCHEL KWON: They are as safe as all IT systems. It is hard to gauge the security of systems just as a whole general sloth. The federal government has many different kinds of IT systems that support many different kinds of missions, some that are very well kept and some that have some issues, just like any other sector in business.
CHABROW: What worries you the most about threats to the government's digital assets and the nation's critical IT infrastructure?
KWON: What worries me the most is how we think about our IT systems and, therefore, how we protect them. We often think about them as just that, computers and assets, when we really need to be thinking of them as the integral part of the mission. And, what is important is that when we look at the fact that we are protecting the mission, the actual work that is being done on these systems, and that the systems are just inconsequential. When you think about it in those terms, then the right people get involved with the protection of these systems. Sometimes the systems are not funded adequately, therefore, their lifecycle management isn't done regularly, because they are not thought of as a very important part of the mission and they are just relegated off to some IT department. I think when we can change our thinking about how we fund these systems and how we care for these systems, a lot of the vulnerabilities that are being exploited today will be taken care of through life cycle management. That is what worries me the most, that we are trying to fight this fight with some big fancy tool when we really should be looking at the low hanging fruit and the real reason is why these systems are in the condition that they are in and how we can easily solve the problem.
CHABROW: How do you change that culture in government?
KWON: I think it is changing slowly but surely. You can see a lot of really good work being done at a lot of agencies today to change that around, to change the way we do risk assessments from risks to the asset changing that to the risk to the mission. You see that a lot in different agencies. You see a lot of work being done at the State Department by John Streufert (deputy chief information officer for security). A lot of work, good work being done at the Department of Justice, and the IRS, all in that same vein of moving towards protecting a mission and making the mission more productive and accessible. I think that is really encouraging to see. You also see that in the financial sector coming out of government, looking at the private sector, the financial sector has been doing this for a long time because they realize that the losses they feel are financial losses and, therefore, it is easier to see that. It's really hard to see a return on investment from doing IT security, you really see that return on investment when your loss is actually monetary. Sometimes that is harder to see but that is something more abstract, but it is encouraging that we are moving in that direction.
CHABROW: How about the role of Congress in all of this?
KWON: Congress is very involved and very excited about cyber, I should say. As you probably know, there are many, many draft bills up on the Hill today that are pointed towards cyber and agency losses, different articles and different members making comments on cyber; some that are very good and some that are not quite on spot yet; that is encouraging. When you look at the way government works, you know we are a constitutional government and it does take legislation to codify any type of initiative or position, so the fact that they are involved, engaged and becoming more educated is important for moving forward in cyber.
CHABROW: You mentioned an interesting point about codifying certain practices in legislation and there is some debate going on as to whether it is necessary or not. For example, there is a major bill before the Senate to update FISMA, the Federal Information Security Management Act. You mentioned John Streufert and what he is doing at the State Department; he seems to be doing things that are appropriate even without updating the law. Are changes in laws necessary?
KWON: I am a full believer that changes in the law are not necessary. I think that the current FISMA legislation probably covers 99 percent of what we need. The problem is the implementation of the current legislation is not what we need. Unless we change that implementation, it won't be right, and sometimes the easiest way to change something that has been implemented so poorly is to make slight tweaks to make it stronger, and the new draft bill that updates that (law) does attempt to make those changes. Is it perfect? No, not yet. Is it close? Probably. I am not sure that we actually need to pass that though, although I am sure it probably will at some point go through. That is why I applaud what John is doing. It is really important to note that the agencies - and it is not just John, it is a lot of the other big departments and agencies - are also moving and changing the way they do IT security so that it is still compliant to the letter of the law that is written in business, but more actionable, where they are actually relating what is happening to them in incidents back to the hygiene of their networks and the health and security setting for their networks. That is critical and important and that is what we are missing in FISMA. FISMA was actually a great thing. It moved us very far ahead of the game by bringing security to the forefront, making us think about it, making us establish policies and controls.
The problem was that we probably picked some of the wrong controls because we weren't relating that back to the actual events that were happening on our networks. But we have learned from that lesson and you can see that the departments and agencies setting up their security operation centers, understanding the events they are having on their networks, and then relating them back as security controls that they need to implement.
CHABROW: We are speaking in mid-December and President Obama still hasn't named a cybersecurity adviser, nearly seven months after he promised to do so. (Days after the interview, Obama named Howard Schmidt to the job). You indicated in your earlier comments that there is some leadership that is needed to getting agencies to step up their activities to secure IT. What damage to the government, if any, (did) that vacancy create and is such a position really needed?
KWON: I really don't feel like it creates any damage. I mean I think that is kind of an overkill. The big gap that we are missing in the government is collaboration and coordination between the departments and agencies at a national level. How I like to think of that is we need governance in structure; a defined government structure with defined authorities. Does that mean a cyber czar? Maybe. Does it not mean a cyber czar? Maybe. What is important is that we get that governance structure in place and we give the authority to the people that need it in that government structure so that we are moving in the right direction. I don't want anyone to think that we are not doing anything now because that is totally false. I read that in the paper and it makes me kind of shiver because the long and the short of it is there are a lot of people in these departments and agencies that are working really hard and making good progress in securing our government networks. Is not appointing a cyber czar a problem? It is just a press problem at this point.
Even if we were to appoint a cyber czar, that position is not codified through legislation and there has been no presidential directive giving that position authority, so there is a lot of work that has to be done besides just appointing someone. Again, that governance structure has to be established from the White House, DHS, departments and agencies, CIO Council, how all of those players fit together, what the hierarchy is and who has what authority needs to be cleared up and established in order for that to work. It is a lot more than I am going to appoint a cyber czar. You have to cut our new president some slack; he has got a lot of initiatives on his plate right now.
CHABROW: Do you think his cybersecurity policy review report sort of outlines the beginning of that structure with or without the cybersecurity coordinator?
KWON: Are you referring to the 60-Day Review?
CHABROW: Yes, the report he issued after the 60-day Review.
KWON: The 60-Day Review did not outline a governance structure.
CHABROW: Do you think it is incumbent on the president or his office to be the place where this structure should originate from?
KWON: That is something that everyone should work together to figure out what the best structure is. If you look at how these things work, it is usually legislation that codifies something like that unless it is just for one presidency. The president puts together something like that just like George Bush put together the CNCI (Comprehensive National Cybersecurity Initiative); it is only good for his administration unless codified in legislation. That is the way our government works, it is not the way we think it should be, it is the way our government works and how it happens. You know there is a lot of work that needs to be done per the Constitution.
There are a lot of ways that with the CIO Council and with the White House and with DHS and with Congress they can work this out and put together a perfectly fine structure and then present it to the President, which is the way I think it should be.
CHABROW: You mentioned a few times DHS. You used to work at DHS when you were at U.S.-CERT. Some lawmakers have proposed giving the Department of Homeland Security more authority over civilian agencies, cybersecurity, including the reviewing of civilian agencies IT security budgets, and even one center proposed putting the so-called cybersecurity czar in DHS and not the White House. What is your take on the DHS's current role and growing role in cybersecurity?
KWON: DHS has a lot on its plate right now in regards to cybersecurity. It is a new department and has a lot of growing and maturing to do and I am not sure it is the right thing to put all of our eggs in one basket. The way the government is set up today, different agencies have different strengths and they already work in those areas. For example, the State Department already works in the international arena, why would we put international cyber in another agency? We need to look at the departments and agencies and their strengths in working in the different sectors and areas, and use the collaboration of our government to be a stronger government. We already have relationships and intellectual knowledge in each one of these departments and agencies and that is why I say it is important that we understand how we collaborate as a government to make this work instead of setting up one siloed entity to be cyber. If we are going to look at cyber as something that supports our missions then we need to put the support of it into the mission support agencies. For example, people that want to work with the financial sector, that should be in the Treasury Department.
Say that we are going to work with international cyber policies and treaties and relationships, that should be in the State Department. Just taking everything and dumping it into DHS is actually going to hurt the cause instead of helping it.
CHABROW: Sounds like you have a very good argument for a cybersecurity coordinator in the White House.
KWON: It has to be coordinated somewhere and whether the coordination comes out of DHS or whether the coordination comes out of the White House, it does have to be done. I don't think where it is is as important as that it is defined well and that the governance structure is laid out and the coordination and the collaboration is really the first thing in their mind so that this can really be actionable. It is really a management issue.
CHABROW: Your departure from U.S.-CERT along with those of Rod Beckstrom as the director of DHS's National Cybersecurity Center and Melissa Hathaway, who conducted the 60-day cybersecurity review for President Obama, have been held up as examples of the administration's failure to find and keep top notch cybersecurity leaders. What do you think of that assessment?
KWON: We all left for different reasons and I think that is a pretty broad-sweeping, inaccurate statement. We were all three very different individuals that left for very different personal reasons. I don't believe grouping the three of us together is accurate at all.
CHABROW: Do you think the government is doing a good job in attracting the right people to help with cybersecurity?
KWON: It is difficult right now. Yes, I do think they have very talented people. The Cyber Corps Program, which I was a part of, they are getting very talented young people out of college and out of grad school every year and that is a wonderful program that has proven to be very fruitful for the government. In addition to that, they have gotten many people from the private sector.
Just look at who DHS brought in to run cyber there, Phil Reitinger, who has a wonderful reputation and came from Microsoft and is a very talented individual. They are definitely recruiting very talented individuals. I think that is an overreaction statement that the press has been making. Could it be better? It could be better. It could be better everywhere. There is a shortage in general for IT security professionals. You have to look at the root cause of what that is and part of the root cause is that over the past 10 years, there has been a rapid decline in computer science majors. In fact, many universities have closed their computer science departments. When you look at that root cause, we have a problem. We also have issues in the government that if governance structure isn't clearly laid out and if there is a question as to where cyber is going to go, of course, people will question whether or not they want to go there. There is also the age old problem of the government has always paid significantly less than the private sector. There are a lot of different problems that both sides of the house have in keeping with cyber professionals, whether it is pay, whether it is lack of talented people coming out of the universities, or even if it is lack of good, substantive work, and sometimes that happens on both sides of the house. It is a more complicated problem than just making a broad-sweeping statement.
CHABROW: Well you mentioned the fact that there is a decline in computer science enrollment, what kind of risks does that present our nation at the moment and in the future?
KWON: It is more than just in the security realm if you think about it. A lot of our software development and a lot of the technology development is going overseas and we really need to do something about bringing computer science back to our universities and educating more Americans in this field if we want to keep the field alive here in the United States.
It is more than just security, it is also in software development and upkeep, and technology advancement in general; we really need to look at how to bolster that in the universities. And, a lot of that is stemming from math issues, we have to learn how to encourage our students from an early age to love math and embrace math because that is a lot of the decline in computer science because a lot of students don't want to take the math that is required in computer science so we have to look back on our education system and see how we can bolster that love of mathematics.
CHABROW: You have worked in government as a cybersecurity leader and now doing the same in the private sector. What is the role of the federal government, what is the role of the private sector to ensure the protection of the nation's critical IT infrastructure?
KWON: I don't know that there is a clearly defined role for the government. Remember, the private sector is just that, privately owned and not necessarily owned by a U.S. company. Does the government today have the right to do more than give advice or share information with them? I don't believe so. I believe there is enough work that we have to do in sharing information with the private sector and working together with them to help solve these problems. The government needs to turn in more of its focus on the government for a little while as well.
CHABROW: There are those who would say though that there are concerns that some businesses, especially those who operate, say, utilities that are crucial to the economy of this country, that the operators of those utilities or some of those utilities may be more interested in profit than long-term security needs and that the government needs to at least have some form of regulation to make sure that they secure those systems to protect our economy and they feel that is an appropriate role for government to play.
KWON: That's a possibility but I don't think we know enough about that, at least I don't know enough about that to make a substantive comment about it and I am not sure that we have focused in on determining what they do and don't do. I would just be hesitant to move in that direction rapidly. We need to get the governance structure down and we need to get the federal government running correctly and then we can branch out looking at the private sector.