Keeping a Step Ahead of the Virtual EnemyDHS Top Cyber Leader: Our Defenses are Getting Better
Asked what worries him the most about safeguarding government IT systems, Philip Reitinger demurs. "It's not a question of what worries me most; it is a question of the opportunities we have got," Deputy Undersecretary Reitinger, the top cybersecurity official at the Department of Homeland Security, said in an interview with GovInfoSecurity.com (transcript below).
"We are connecting more and more systems, creating an increasingly complicated environment," Reitinger said. "The attackers are getting better and better and we are depending more on those systems from day to day to make sure that our very way of life can continue, that the ways we work and play will continue and we will be able to be successful."
Reitinger maintains the government's cyber defenses are getting better. "We need to continue to improve because the hackers and the bad guys have continued to improve and there are a lot of areas for improvement, but we are making significant efforts to do so," he said.
In the first of a two-part interview, Reitinger concedes the challenge will be tough because of a dearth of qualified information security experts, but explains steps the government is taking to eventually eliminate that skills gap. Also, Reitinger addresses:
- The need to develop innovative, collaborative approaches, not only among federal agencies, but between the government and the private sector to meet the human resources needs to safeguard government systems.
- How much risk the government faces by not having a sufficient number of cybersecurity professionals.
- Why, even when the government didn't have a permanent cybersecurity coordinator, the White House addressed the government's information security needs.
In the second part of the interview, Reitinger discusses the evolution of Einstein, the government's intrusion detection and prevention system as well as the right balance between incentives and regulation to get the private-sector operators of the nation's critical IT infrastructure to adopt best cybersecurity practices.
Before his appointment in March, Reitinger served as chief trustworthy infrastructure strategist at Microsoft, where he was responsible for helping improve the protection and security of the nation's critical IT infrastructure. This role allowed him to coordinate closely with government agencies and private partners on cybersecurity protection programs to build trustworthy computing systems worldwide.
Reitinger also served as a member of the Federal Emergency Management Agency National Advisory Council, where he advised the FEMA administrator on aspects of cybersecurity related to emergency management. FEMA is part of DHS. He is an expert on computer crime and policy, and previously served as the executive director of the Defense Department's Cybercrime Center, charged with providing electronic forensic services and supporting cyber investigative functions department-wide. Before joining DoD, Reitinger served as deputy chief of the Computer Crime and Intellectual Property division at the Justice Department.
Reitinger holds a law degree from Yale Law School and a bachelor's degree in electrical engineering and computer science from Vanderbilt University.
ERIC CHABROW: Let's start with a simple question. What worries you the most about securing federal digital assets and the nation's critical IT infrastructure?
PHILIP REITINGER: It's not a question of what worries me most; it is a question of the opportunities we have got. As I think you know, Eric, the environment is continuing to get more and more threatening in a number of significant ways. We are connecting more and more systems, creating an increasingly complicated environment. The attackers are getting better and better and we are depending more on those systems from day to day to make sure that our very way of life can continue, that the ways we work and play will continue and we will be able to be successful.
Our national security, our homeland security and our economic security all depend on those networks. That means that as those attackers get better and better, it is incumbent upon us in government and frankly in the private sector to continue to do a better, and better job of addressing the threat and make sure that we can move toward a world where those information and communication services that we depend upon, and the infrastructure services like power and financial services that depend on those information services can continue to be more and more reliable and secure.
CHABROW: How would you rate our current defense?
REITINGER: I think our current defense is getting better. We need to continue to improve because the hackers and the bad guys have continued to improve and there are a lot of areas for improvement, but we are making significant efforts to do so. Over the course of the next year, the National Cybersecurity Division is going to grow, if we can do it, from around 120 people to around 260 people. We are putting additional resources at the problem. It is an area of focus for us and we are going to continue to grow and get better.
CHABROW: As we enter the new year, what are your top goals?
REITINGER: My top goal, and nothing else even comes close, is to continue to add to the great core of human capital I have already got. There are no silver bullet solutions here. We need people, we need process and we need technology; but of those people are by far the most important.
I have an awesome group of people that I work for and with, but I don't yet have enough of them. Continuing to find the right people, continuing to add to that core of talent and add capability through that is by far my most important priority.
CHABROW: That's quite a challenge as you just mentioned at the National Cybersecurity Center you plan to double your payroll there. DHS has received authorization to hire up to 1,000 new cybersecurity professionals over the next three years. Is there a sufficient pool of talent out there to meet not only DHS's cybersecurity needs but also the whole government's needs for cybersecurity specialists? What challenges does that present to DHS and to government as a whole?
REITINGER: I'll be glad to answer that question Eric but let me first say, I was talking before about the National Cybersecurity Division, which is part of cybersecurity communications. The National Cybersecurity Center is an even smaller group that will be growing form perhaps somewhere in the neighborhood of five people to perhaps 25 by the end of the year, so it is going to be much more than doubling but it is a smaller group of people.
In terms of the challenges that are posed, they are significant. As I think you know, there are not enough highly qualified experts that are currently being produced by our nation. So in a sense, we in government and across government are competing with the private sector for too small a pool of sophisticated experts. That means that we have got to be careful to get out of that zero sum gain activity. We have got to continue to make sure that we are agile and we can bring on the people that we need and the hiring authority you mentioned that will allow us to hire in an expedited way up to 1,000 people over the course of three years in several places in DHS is going to be a significant goal for us.
We have got to continue to increase that pool of experts. We work with partners across government to do that. We partner, for example, with the National Security Agency on the Centers of Academic Excellence for information assurance education and the Centers of Academic Excellence for Research Programs, to help raise the level and the people we get out of academia. We are working closely with academia and we are hiring people under the Scholarship for Service Program. Going forward we need to drive an even broader effort and initiative to start to get to kids early to make sure that they are learning about security when they are, you might say "still in short pants" and learning what they need to know. Getting them involved in science and engineering and programming. Making sure that they keep that focus throughout high school and that we are putting enough people into universities in science and engineering programs so that we have got the right pool coming out of them. That is very important.
We also have to continue to enhance our workforce development program so that we can take and keep the people that we have in government, continue to enhance their skills and make sure they have got good job satisfaction and that they are maintaining a passion and a technological level of passion and skill about their work.
We also need to recognize that we are going to lose people to the private sector. The private sector can pay better than we can, but that is not the only issue. We can offer a sense of mission and a capability to really help secure the country that I think is unparalleled. We are still going to lose people to the private sector, but you know what, we are going to get some people back to, and that is actually not a zero sum gain.
The exchange of people between government and the private sector is going to aid us both because the people that come from the government are going to have a better understanding of what the threat is and what can be done to address it and the people who come from the private sector into government are going to have a better understanding of what technology can bring, how to do things in sort of the agile ways the private sector can act, and that is going to be good for both of us.
CHABROW: I hear what you are saying; I have heard these arguments from others, too, and they are very valid. But it sounds like we are maybe a half a generation away from maybe training sufficient people not only in government but in the private sector to provide the kind of security we need to protect our systems. Is the dearth of qualified IT professionals putting our systems at real risk?
REITINGER: I think it is a significant problem that we need to address as rapidly as possible. You know by the same token, we live in an ecosystem that is insufficiently secure. Right now, if you picked up your telephone and you didn't get a dial tone, you would be surprised. But if you turned on your computer and it didn't work the way you had expected or it had been infected with a virus, you wouldn't be surprised and you would say, awe, that's what I expect. We have got to get out of that game, both in terms of people and in terms of the technology that we rely on. I don't have the magic wand. People like to say there's a silver bullet but it is also a magic wand that can make that right, right now. What I can tell you is that is a focus for us in DHS and it is a focus for the president, who made clear that improving our cybersecurity posture was critical for both our national security and our economic competitiveness.
CHABROW: Will there be a different way to staff cybersecurity positions in government or even partnership with other industries than in the past in a sense of cross portalization and things like that because of the shortage of IT professionals?
REITINGER: In fact, we are actively looking at how we can have the right means of collaboration with the private sector. In part, that is a matter of building the right cooperation mechanisms. You know what some people like to call information sharing but might be more adequately described as you are driving collaboration around objectives. How can we work together jointly to prevent attacks and when attacks do occur to respond effectively?
In terms of a human part of that, we need to be able to work together as one nation, regardless of government agency or private sector entity, to respond to incidents. So we need to bring all of our people to bear no matter where they are located.
In terms of getting the right expertise actually into government, that is going to be a mixture of things. We are going to need to continue to hire the right people and we are going to need to find the right models to bring people on board. As I said, we are actively looking at what sort of programs can we offer so that we can bring the right sophisticated private-sector expertise to bear on what we do and how can we gather information from the private sector and we just recently issued a request for information from the private sector on end-to-end solutions that could be better used to protect government systems. We have got formal and informal ways of working with the private sector and we are looking at the right way to bring the valuable people that the private sector has on board to assist us either in a more formal or less formal way.
CHABROW: You made reference to President Obama and his commitment toward cybersecurity. What effect has President Obama's delay in naming a cybersecurity coordinator had on safeguarding the nation's key IT systems and networks?
REITINGER: It is absolutely essential that there be strong White House involvement in cybersecurity, and there is strong White House involvement in cybersecurity. The acting cybersecurity coordinator at the White House, Chris Painter, is a bonafide expert in his field and has a great team of people working for him.
Chris and I personally go back to the mid-'90s when he was an assistant United States attorney doing cyber crime in Los Angeles and I was at the computer crime section of the Department of Justice, and he has got a great group of people working for him just like I do and just like there exists in other government agencies. While it is critical that we have a strong White House presence, we have that and we are working together effectively across the interagency right now to implement the president's priorities and to move forward on the short-term action items from the Cyberspace Policy Review.
The last thing I would say is it is more important that the right person be in that role than a person be in quickly. Pending the selection from the White House of the right person to be in that role permanently we will work together effectively and are working together effectively.
(Editor's Note: Shortly after this interview was conducted, President Obama named Howard Schmidt as the White House cybersecurity coordinator.)