Napolitano Outlines DHS Cybersecurity Focus

DHS Perspective: A State of the Cybersecurity Union
By Janet Napolitano

We have been spending a lot of time on cyber issues at the Department of Homeland Security and we really get it.

The Department of Homeland Security this year produced its first-ever Quadrennial Homeland Security Review. One of the things we did through the QHSR project was to say, what are our fundamental missions at Homeland Security? Counterterrorism, obviously, that's why we were founded; securing our borders, and that's air, land, and sea, makes sense; enforcing our nation's immigration laws.

But the next major mission area was the protection of cyberspace. The fact that cyberspace was specifically singled out in the QHSR process, amongst the myriad other issues that are within the Department of Homeland Security, indicates the fundamental understanding that we have on the importance of the problem.

Cybersecurity isn't about control. It's not about government control. It is about partnerships. But partnership needs to have some effectiveness. There needs to be meat on the bone when we say partnership. And there needs to be widespread distributed action toward that goal, so that we view this much more as creating, if I may, layered security involving partnerships, as opposed to top-down or government-down. We are working more closely than ever to identify the private sector partners who we need, and work with them, and also across the federal family.

Defense Pact

Indeed, just this past fall, I signed a landmark agreement with Defense Secretary Robert Gates to better align our resources and actions, because the two of us recognize that between the Department of Homeland Security and the Department of Defense, you have 90 percent plus of the cyber equities in the federal family. If you look at the president's cyber review and where responsibilities were assigned, on the civilian side, it's DHS, and on the military side, it's DOD.

Not only did we assign that, but we have cross-assigned individuals, and through that agreement, have identified how the technology resource base of the National Security Agency will be employed, both on the military side, but, importantly, on the civilian side. Indeed, for the first time ever, DHS has individuals who are now stationed at NSA, including, by the way, legal counsel and privacy officers, because there are particular protections that need to be applied in the civilian context. That gives us the ability to tap into that incredible resource.

At the same time, our department recognizes that much more needs to be done in this critical area, and that there needs to be not just a broad-base national commitment, but we need to be working together to create a national culture that provides that users at every level know that they are part of a system, know what they need to do to help us protect security, and have greater confidence, indeed, in the security of the system.

We need to build a cyber system in which the distributed nature of cyberspace becomes a great benefit, not a great weakness, and where people at all levels understand the shared responsibility that goes into that concept. It means that users, businesses, the technology industry, the government, everybody, has a role to play.

We have to do our own part in the federal government. We must secure our own systems, and we are working to get that done, but we also must assist the private sector in securing itself and in enforcing the law, laying the policy foundations for the future.

Transparency, Inclusiveness

For example, we need a more transparent and inclusive cybersecurity policymaking process that brings the best minds to the table and the best minds from a number of different areas. We need colleges and universities to make cybersecurity a multi-disciplinary pursuit so that we have policymakers who understand technology, but we also have technologists who understand policymaking, and we get rid of that divide that currently exists.

There are some who say that cybersecurity should be left to the market. The market will take care of it, and there are some who characterize the Internet as a battlefield on which we are fighting a war. So it's the market or the war. Those are the two analogies that you hear.

Not surprisingly, I take a different position. Cyberspace is fundamentally a civilian space, and government has a role to help protect it, in partnership with responsible partners across the economy and across the globe. The market and the battlefield analogies are the wrong ones for us to use. We should be talking about this as, fundamentally, a civilian space and a civilian benefit that employs partnerships with the private sector and across the globe.

We're proud to be a part of that global effort. We believe in the importance of an open Internet, but we cannot have an Internet that is open, but not secure, nor an Internet that is secure but not open. Just saying that lays down the challenge that we confront.

The challenge is unique, and it's uniquely urgent. Cyber really equates to life's essential functions. You can't imagine operating without cyber. A major disruption of our cyber networks could have cascading effects, not only within the cyber domain, but across multiple other sectors and elements of our critical infrastructure, crippling commerce, disrupting other aspects of Americans' daily lives. Because the cyber domain is so widely distributed, every single user becomes a consumer and a contributor, but also a potential source of security or insecurity. Every single user in this civilian cyberspace has a role to play in its security.

Our mission is to make sure that we assist in that, that we see cyber as part and parcel of a secure homeland, not something separate or distinct from every other mission that we have. First, we are working to create a safe, secure, resilient cyber environment. We're taking action to protect federal civilian networks, to improve our intrusion detection capabilities, and to create more robust and resilient systems that can withstand attacks, and also help prevent attacks from occurring.

Federal Cybersecurity Initiatives

There has been some real progress in this past year. We've had progress deploying the Einstein 2 intrusion detection system across federal civilian agencies. We have released and tested a version of the National Cyber Incident Response Plan, the NCIRP, to enable us to respond as one nation, across the public and private sectors, to cyber incidents.

We have opened and are growing the National Cybersecurity and Communications Integration Center, also known as the NCCIC, and that is a 24x7 watch and warning center. We are holding the National Cybersecurity Challenge to bring the expertise and creativity of the public and the private sectors to bear in promoting cybersecurity.

In this past year, we have expanded our partnerships with the private sector to protect our nation's critical infrastructure. The ones I would specify we are working with are chemical plants, communication systems, and the control systems that operate our electric, water, and other utilities, including deploying teams to work with and to respond to cyber incidents that have involved critical infrastructure.

We have made progress by building ourselves, our expert team of cyber professionals, to lead this work. DHS Deputy Undersecretary Phil Reitinger has nearly tripled the size of the National Security Division cyber workforce this year over last year. Last year, we doubled it over the year before. We're moving in the right direction.

We are also working to promote cybersecurity awareness, education and innovation; educating the public with information they need about cyber threats, that enables us to strengthen our collective defense, and also making sure that industry is actively involved in our efforts.

Beyond 'Cool'

We need to be engineering some fundamental changes to Internet security. Cybersecurity must be a core component. It must be integral from the start, not something that's added on at the end; "Oh, we built this really cool thing, and it can do this really cool stuff, and now it's out there and it's really cool, and, oh by the way, we've got to do something about keeping it secure." No. You have to consider this as a core competency within the build-out of the Internet itself.

In that, the domain of cyberspace requires a redesign or perhaps a fundamental shift in approach so that it is safe and secure from the outset. It's a place where a vibrant and open international economic and social order can thrive.

That's why we think informing and engaging the public is important. That's why we believe our National Cybersecurity Awareness Campaign, which will be growing over the next year, is important. It's why we launched the Stop, Think, Connect Campaign last October as part of National Cybersecurity Awareness Month.

We're working very closely along and across the federal family, particularly having worked out really the thorny issues involving how the NSA is to be used in a civilian context for protection and prevention, as well as in a military context; very different types of worlds, and we want to make sure that we do it the right way, and we do it the right way from the outset.

Those are the kinds of challenges our country has confronted before, and by putting our best minds together, we have always met those kinds of challenges. This one may be bigger, more complex, and require more of our effort than anything we've ever dealt with. And we're going to have to make sure that we deal with it in the right way, because we are laying the foundation for the future.

This article is adapted from a speech by Homeland Security Secretary Janet Napolitano delivered Dec. 17, 2010, at the Atlantic's Cybersecurity Forum.
