Weatherford Outlines DHS Cybersecurity Goals
Deputy Undersecretary Laments New Normal of IT Security
Businesses, government agencies and other organizations need to learn how to deal with distributed-denial-of-service and other cyber attacks, says the Department of Homeland Security's top policy maker focused exclusively on cybersecurity.
"This is the new normal mode of operation," says Mark Weatherford, DHS deputy undersecretary for cybersecurity, in an interview with Information Security Media Group. "People are getting a little bit weary of this and, as I try to say without raising too much ire, this is it. This is our life for the future. Bad guys are figuring out that they can create this kind of havoc at almost [no] cost for themselves. It is more than just a distraction; it is now the way we operate."
In the interview, Weatherford also addresses how DHS has aided banks that have experienced DDoS attacks [see DHS Helping with DDoS Defense] and defends the department's ability to take a leading role in safeguarding federal civilian agencies and key national IT systems [see Defending DHS as a Cybersecurity Leader].
A Hint of Optimism
Weatherford characterizes the current cybersecurity environment as somewhat sad, but says he believes society can beat back those who seek to do harm in cyberspace. "We're going to solve this problem; I have no doubt," he says. "We're not there yet, but we are going to solve the cybersecurity issue at some point. And, you know, we will move on, and there will be another challenge for us." After pausing for five seconds, Weatherford adds: "I'll be looking for a job then."
But Weatherford has a job now, and one of the challenges is addressing the unknown. "We still have a lot of vulnerabilities out there that we don't even know about, and there are a lot of companies that aren't aware of what their vulnerabilities are," he says, referring to industrial control systems that are embedded in the nation's critical infrastructure, which he characterizes as the underpinnings of our society.
"You can't manage a waterway without industrial controls systems," Weatherford says. "So, we're a little bit behind the curve with protecting this infrastructure, but I can tell you we're getting a lot better. The vendors that are developing the products are getting a lot better, but we have a long way to go. That is what keeps me awake at night."
DHS's Top Cybersecurity Priorities
Weatherford, in the interview, says his top three goals at DHS include:
- Recruiting and retaining qualified personnel;
- Cybersecurity awareness and outreach;
- Improving the security of cyber-operations.
One of the challenges Weatherford faces in recruiting cybersecurity experts is letting people know jobs are available. "Most people don't realize that you can actually have a job in the Department of Homeland Security and other government agencies doing cybersecurity," he says.
Two other challenges in recruiting are pay - Weatherford says private-sector base salaries for IT security pros could be 35 to 50 percent higher than what the government pays - and the time-consuming bureaucracy of getting security clearances for new employees. But a big selling point to attract the best and the brightest is the work being performed at DHS and elsewhere in government. "There aren't too many places where you can go to that have as full of a mission as we have with the cool tools that we have and get to actually serve your country in a way that is pretty satisfying for a lot of people," he says.
DHS, according to its website, is looking for professionals with skills in cyber-incident response, cyber-risk and strategic analysis, vulnerability detection and assessment, intelligence and investigation, networks and systems engineering and digital forensics.
Flabbergasted by an Unaware Public
Despite headlines of breaches and DDoS attacks, the public isn't as aware of cybersecurity as many in the profession would expect. That's why Weatherford places awareness and outreach as his No. 2 priority, spreading the gospel of cybersecurity preparedness. "I still can't get over the fact that as I go out and talk to companies and audiences around the country, sometimes there are still people in the audience that are flabbergasted that there is this cybersecurity problem," he says. "So we have a whole organization within my organization that is focused on outreach and education and awareness across the nation."
His No. 3 priority, providing secure IT operations, ties in with DDoS and other cyber attacks organizations are experiencing regularly. "We have got to get better, and I don't mean just DHS, but every organization, about operations, incident response and how we position ourselves to be able to react to the threat environment that we're in today. You know, these DDoS events that we've been seeing, and the financial institutions bearing the brunt of that right now, is the new normal."
In an interview with ISMG last year, Weatherford discussed how he is attracting IT security "superstars" to DHS [see Building DHS's All-Star Cybersecurity Team].