Feds, Private Sector Must Give Cybersecurity Defenders the Advantage, DHS Official Says
For Jeanette Manfra, the ending of National Cybersecurity Awareness Month is an opportunity to take stock of what her agency, the Department of Homeland Security, has done to enhance cybersecurity, and think ahead to all that can be done in the year to come.
Manfra, assistant secretary for the Office of Cybersecurity and Communications in DHS’ National Protection and Programs Directorate, ardently believes that the government needs to be in a deep partnership with the private sector on cybersecurity. However, there is much that DHS can do to enhance federal IT security in the months ahead.
Speaking Oct. 30 at the 2018 Symantec Government Symposium, Manfra said that her goal is to work with other agencies and the private sector to “create an environment where the defender has an advantage,” which is a rarity in cybersecurity, and where agencies and companies are “not always on the back foot” in reactive mode.
The overarching goal is to be able to use the internet and benefit from connectivity, interoperability and openness, and to do so in a safe and secure way. “If we can’t get to that space, other countries are going to create a different world that works for them,” she said.
DHS’ Vision for Cybersecurity in 2019
By this time next year, Manfra said, she hopes to return to the symposium to celebrate that, for the first time ever, the federal government has automated vulnerability management, particularly through DHS’ Continuous Diagnostics and Mitigation program.
Manfra also wants the government to have coordinated vulnerability disclosure policies and stronger partnerships with researchers and companies so that they know how to report vulnerabilities they discover to the government.
Additionally, Manfra wants the government to be discussing tactics, techniques and procedures, or TTPs, which illustrate how malicious actors orchestrate and manage attacks, and not indicators of compromise, or IOCs, which are pieces of forensic data that identify potentially malicious activity on a system or network. She also said that, inside agency security operations centers, she wants machine intelligence analyzing lots of data that machines are better at processing than humans, so that analysts can focus on those TTPs and direct their resources more efficiently.
Agencies should also have playbooks in place to deal with catastrophic incidents — and hopefully will not have to use them.
Overall, Manfra wants the idea that government and the private sector need to work together on cybersecurity to gain more currency, and for “the concept of collective defense” to be “a reality that permeates throughout this country.”
DHS Has Made Progress on Cybersecurity
Manfra noted during her speech that she is proud of the progress DHS has made on cybersecurity, including calling out Russia and North Korea for malicious behavior.
There are also now security analysts from the private sector fully embedded in DHS’ National Cybersecurity & Communications Integration Center. The NCCIC, which opened in 2009, serves as a centralized hub within DHS that monitors cyberthreats across agencies and critical infrastructure. It also shares information among public- and private-sector partners to build awareness of vulnerabilities, incidents and mitigation strategies.
Through the CDM program and continuous monitoring tools, DHS now has “full visibility” into the federal attack surface, via agency dashboards that feed into a federal dashboard. “We know what is connected and where, and increasingly we will know when something is operating out of parameters and we can kick it off the network,” Manfra said.
DHS has also launched the National Risk Management Center, a cross-cutting risk management effort between the private sector and government to improve the defense of the country’s critical infrastructure. DHS took a hard look internally and asked, “What are we missing?” before launching the center, Manfra said. DHS was missing a focus on national risk and long-term risk, she said, especially for functions that businesses and citizens depend on, like the energy grid and financial system.
But DHS is not resting on its laurels. The agency and the private sector need to work more closely to manage risk to critical infrastructure and “break down traditional walls of figuring out how we navigate this,” which will be a challenge, she said. That involves changing expectations for the information that the government and private sector give each other. DHS also needs to work with governors to create emergency management functions for cybersecurity incidents in the same way there are for other disasters.
And to reduce the federal attack surface, agencies need to modernize their infrastructure and services. “We have to think differently about our entire IT operation in the government,” she said, which is “no small thing.”