Fresh from a White House press briefing on the WannaCry ransomware attack, Department of Homeland Security Assistant Secretary Jeanette Manfra buzzed into her suburban Virginia office last December, eager to talk about her mission. Manfra views cyberspace as an ecosystem in which all parties — government and private sector alike — must work together to survive and remain secure.
The challenge for Manfra's organization, the cyber division of the National Protection and Programs Directorate, is to safeguard government networks as agencies upgrade their technology and interact with a widening array of partners within that ecosystem.
FedTech Managing Editor Elizabeth Neus spoke with Manfra in December about DHS' role in keeping government IT safe during a time of modernization and outsider intrusions.
FEDTECH: What did you discuss at the WannaCry press briefing?
MANFRA: We attributed the WannaCry attack to the North Koreans, and used that as an opportunity to highlight the important role that attribution can play in holding actors accountable. I specifically focused on what we are trying to do at DHS, continuing to build strong partnerships with industry, state and local governments and international partners to create this collective defense model, where we all provide capabilities, authorities and competencies to make cyberspace safer. How do we come together as industry and government to work together to address this challenge?
FEDTECH: What is the goal of a collective defense?
MANFRA: Government and industry have a common goal of preserving the internet and everything that network capabilities and computers enable in our modern society. In order to do that, we have to ensure that it is a safe and secure place as well. The government doesn't run the internet, we don't run these networks, so how do we work together? This notion of collective defense is the only way, I believe, that we can get the advantage to the defenders, versus the attackers always having the advantage because everybody is working independently.
FEDTECH: The administration has finalized its IT modernization plan. How are you approaching this?
MANFRA: DHS has two roles in that plan. One is primarily led by my organization: Generally, it's how the government thinks about how we govern, procure and maintain our IT systems, and how we modernize all of that with security in mind. A lot of the decisions that were made long ago about how the federal government governs its technology weren't necessarily done in a way that thinks about .gov — there's not one network that is .gov; it's a bunch of civilian agencies that all have a lot of different networks, and it's very decentralized. That approach doesn't really help us understand our enterprise risk. Through our IT modernization efforts, we are also identifying efficiencies along with other benefits.
How do we, as security professionals, become a part of this modernization so that we can solve our IT challenges? In support of it, how do we modernize all of our security processes and capabilities as well? There are some rather cumbersome older processes in place that are very compliance-based for securing federal systems. We want to get a better operational understanding of systems, use more automated tools, use more things that allow a mission owner to know — or at least have a better understanding of — the risk that their networks and systems pose to them, versus relying on a compliance checklist.
DHS, having a bunch of networks itself, is also a part of that. That work falls under the CIO side of our department. Over the past few years, DHS has made a lot of strides in modernizing our systems. But now, of course, it'll be an even higher priority.
FEDTECH: Would modernization be easier if people used more shared services?
MANFRA: Shared services is definitely a key tenet of what we're trying to achieve. We want to do shared services smartly, obviously. For example, a company or a government might say, "Okay, I'm going to enter into a shared-services agreement. I'm going to have somebody else manage my data for me." If you don't manage those shared-services agreements correctly, and you're not thinking about risk the right way, an agency might just outsource the entire thing, right? And they may say, "Well, it's not my issue anymore, somebody else is managing that," whether that's a company or another agency that's taking on that shared service.
How do we tackle both? With shared services, we don't have a lot of duplication, and we can get some cost and operational efficiencies. But we also ensure that if you are an owner of a mission, even if you've outsourced some of this technical capacity, you're still responsible for managing the risk to your mission, and that means you still have to ensure that your data is secure.
FEDTECH: You're trying to keep government systems secure, yet information is being stored in the cloud, with private sector involvement. How do you reconcile that?
MANFRA: Just because it's the government doesn't necessarily mean that it's naturally going to be more secure than a company. A company has a lot of capabilities to be secure as well. It's not the fact of outsourcing it that introduces security risks, because you can write your contracts in a way that might even raise your security, because you're requiring a certain level of security. But you are removing yourself from the actual ownership.
Go back to the mission. What is your mission? What is critical about your mission? What data and systems are critical? Let's think differently about those high-value assets, and make a different set of decisions about what we do with those systems than we might make with other systems and capabilities that have a lower criticality. I think there's a lot of creative ways that we can do that.
FEDTECH: How valuable was the experience of putting the federal Trusted Internet Connection and Continuous Diagnostics and Mitigation programs into place?
MANFRA: TIC started several years ago when the government wanted to consolidate internet connection points. That was a really important step; we needed to be more thoughtful and deliberate about how the government is connecting its systems to the internet. It also allowed us to place sensors at those points, so that for years, frankly, much of the data that we were getting was from those sensors. There's a lot of value there. How does that fit into a layered defense model with agencies and companies on the outside?
Now we want to move toward recognizing cloud, recognizing mobile, recognizing net. Everything is changing about how people do IT, and how the government wants to do IT.
CDM is a newer program. I think it's been really successful. There were a few lessons that we learned, but I think we've mostly addressed those in the new contract vehicle that's out now called CDM Defend. It now can do cloud and mobile.
The first phase really shined a light on agencies and on the department, highlighting the breadth of our networks and what's connected, and finding that out in a way that can be automated, so they can really have a kind of no-kidding answer about what's actually on their network.
This sounds easy, but it can be quite hard when you're dealing with large, sprawling networks. And many large agencies are made up of a bunch of smaller agencies. So, by deploying those tools, agencies and DHS now have full insight into what's actually connected to the network, which is really important, because now you can start to understand, "Well, this is my exposure." We're at the first step to understanding.
Our next step now — what we're working on really hard — is the operationalization of the CDM dashboard, deploying that to every agency and turning that into a better federal vulnerability management process. Now that we know everything that's on the network, we can have insight into what systems may be vulnerable.
FEDTECH: How can the procurement process be changed to help improve security from the beginning?
MANFRA: One of the things that we learned through the process of the Kaspersky Binding Operational Directive was that, if you think about procurement, much of the way the rules and the laws are written looks at financial risk for the government or that agency. It's not necessarily looking at all forms of risk, like cybersecurity risk, if an entity were to buy certain products.
Risk-based procurement is broadening and building a procurement community that is better tied to the mission owners. Some agencies do this very well.
There's some limitation in what procurement officials can and can't do. Generally speaking, how do we make sure that the procurements are informed by mission risk? How do we ensure that the procurement officials have the information that they need to make those decisions, and what does that structure look like? I don't really have the answer yet, but that's what we want to focus on, building that for the civilian government.
DOD's a little bit ahead of us on this, but for the civilian government, how do we think about supply chain risk and all of those things when we're talking about procurement decisions?
FEDTECH: Did this stem from Kaspersky, or had this concept been talked about before?
MANFRA: I first became aware of the challenges as a result of the Kaspersky process. This has nothing to do with that company or anything like that; the process highlighted some of these gaps. I think others have been more aware of this challenge and have been working to address it in various channels, so we're working very closely with GSA and OMB to look at the different options to address it. It's a very complicated problem.
FEDTECH: What do you see as the biggest challenge for the future?
MANFRA: I see tremendous opportunity in the role that DHS can take, particularly with federal cybersecurity, but also with critical infrastructure being much more forward-leaning and proactive. The whole IT modernization effort is not going to be easy. It requires funding and dedicated, sustained attention. I'm committed to having that dedicated, sustained attention, but I know that it is not easy to make these major government transitions like this. I think that is a very practical challenge.
Then the bigger challenge, of course, is just the number of devices and amount of traffic that is on the internet or network in some way. Our increasing dependence upon that is an extraordinary challenge. That goes back to the original point that we know we can't do it alone, and we need to have everybody thinking and working together. It may require some innovative, creative ways of working with industry or working internationally that the government hasn't thought about before, and I think we should be open to those.
I think that's our collective challenge. I hope we can lead the way to make some progress.