That was the message imparted today by Mark Weatherford, DHS’ Deputy Undersecretary of Cybersecurity, during his keynote address to the Cloud Security Alliance (CSA) Summit in San Francisco. Weatherford heads the DHS’ Cybersecurity Communications Directorate, which is tasked with securing civilian public sector networks at the federal level, in addition to consulting with critical infrastructure companies, and coordinating responses to cyber attacks of national importance.
Weatherford was delighted that President Obama dedicated two paragraphs of his recent State of the Union address to the topic of cybersecurity, during which the nation’s chief executive highlighted an executive order he signed earlier in the day that would require increased information sharing about threats between the public and private sectors. The executive order also included development of a Cybersecurity Framework that will “incorporate voluntary consensus standards and industry best practices to the fullest extent possible... to help owners and operators of critical infrastructure identify, assess, and manage cyber risk”, Obama noted during his Feb. 12 address to the nation.
The order does not require industry to adopt the framework, but includes measures to encourage its adoption. As a result, a DHS-compiled list of ‘critical infrastructure at greatest risk’ has been developed, and the only way for an owner of critical infrastructure to get off this list is to comply with the framework.
One of the deputy undersecretary’s objectives is to make DHS “the cyber 9-1-1 for the nation” – the place organizations call first when they fear a suspected cyber intrusion. Weatherford added: “We want to be that first phone call, and if we can’t deal with it, we will get you to the right people”.
The DHS is becoming the “centerpiece” of cybersecurity information sharing between the private and public sector in the US, Weatherford told the audience, and its role as a central clearinghouse for threat information is critical to the nation’s security and economic competitiveness.
“While I do believe we are getting better at security and developing defensive technologies to combat cyber crime, the bad guys are getting better, faster than we are getting better”, he noted, speaking to a room full of information security professionals. It’s an arms race of sorts, Weatherford continued, congratulating the assembled audience for its efforts, but acknowledging “as we get better, they get better”.
One of the areas of security that lacks fundamental innovation, according to Weatherford, is authentication, where simple IDs and user passwords remain the standard. Another area was continued reliance on regular software patches.
“We need better innovation to solve [security] problems”, he opined. “We are at the beginning of the next great evolution of technology that will make the past obsolete. I think the cloud, and our ability to take advantage of big data, is changing the development of products and services…and how the government purchases those services”.
Jim Howie, COO of the CSA, agreed with the assessment, with one small addition: “We have always struggled to understand what consumers want”, he told Infosecurity in an interview. “Building environments to process the data we collect but don’t always use has been extremely expensive. But cloud computing offerings have made it possible to use this data effectively at a more reasonable cost”. He warned, however: “But you must keep privacy and security in mind” when employing all of this data for security intelligence or other business purposes.
In closing his comments to the CSA Summit, Weatherford highlighted what he considers one of the most fundamental obstacles to a more secure cyberspace.
“We don’t have enough people in the pipeline to protect our private sector organizations, critical infrastructure, or the nation”, he lamented. “Cultivating the next generation of security professionals is critical to our economic viability and the future of our country”.
Weatherford said the first step is to overcome the cultural misperceptions about those who may want to enter the field, acknowledging that infosec is a sector near full employment, but that far more professionals are needed to meet the current demand. “At DHS, we can’t find enough people to hire”, he admitted.
He also noted that expertise is something that comes with experience, and that expertise does not necessarily mean having to earn a college degree in a related area of study before beginning a career in cybersecurity, an assertion that was met with applause by the audience. “The five smartest people in our organization did not go to college”, Weatherford said. “They spent that four to five-year period breaking things and building them back up”. A lack of a college degree, he concluded, “should not be a discriminator against getting these jobs”.