Where Next for Government Cybersecurity?

On the 14th anniversary of 9/11/01, there are plenty of reasons to be thankful regarding public safety in America. And yet, there is also a growing list of cyberthreats that are grabbing news headlines almost daily. To help understand where we are today and where we are going regarding federal government cybersecurity initiatives, I interviewed Dr. Andy Ozment, the U.S. Department of Homeland Security assistant secretary, who is the new point person for the National Cybersecurity and Communications Integration Center.

by / September 11, 2015

DHS Assistant Secretary Andy Ozment. Photo: U.S. Dept. of Homeland Security

Everyone in America remembers where they were on Sept. 11, 2001. As we think back over the years, there have been physical attacks thwarted and numerous close calls.

The number of serious online incidents impacting national security has skyrocketed over the past few years. We live in a far different online world today than most people imagined when the U.S. Department of Homeland Security (DHS) was formed in 2003.

Over the past decade, there have been numerous technology changes, critical system disruptions and a new cyber focus in several essential industries, including health, finance and utilities. Global banks and foreign nations have become aggressively involved in cybersecurity initiatives. The National Governors Association (NGA) has a major cyber initiative, as does the National Association of State CIOs (NASCIO), which has cybersecurity as its #1 priority. Even local governments now want to work more closely with the federal and state governments on cyberdefense.

And while the DHS leadership team has changed, the cyberthreat landscape has also grown dramatically, along with a new determination to strengthen our digital defenses. Meanwhile, the OPM data breach and several White House data breaches have propelled cybersecurity to the top of the national security priority list.

Recently, DHS Secretary Jeh Johnson appointed Dr. Andy Ozment to the role of assistant secretary of the Office of Cybersecurity and Communications (CS&C) within the National Protection and Programs Directorate (NPPD). As the DHS website points out, Ozment “oversees a budget of almost $930 million and leads a Federal employee workforce charged with enhancing the security, resilience, and reliability of the Nation’s cyber and communications infrastructure.”

Ozment has a very impressive background that includes leading such federal government efforts as:

  • Development and implementation of President Obama’s Executive Order (EO) 13636 on Improving Critical Infrastructure Cybersecurity.
  • Establishing the Cross Agency Priority (CAP) goal for cybersecurity.
  • Development of the National Strategy for Trusted Identities in Cyberspace (NSTIC), a signature initiative by the administration to improve security and privacy across the Internet.

On a more personal level, I have had the opportunity to work with Ozment on several occasions – while CSO in Michigan government and in the private sector with Security Mentor. I have always found him to be smart, well-respected, articulate, humble, and a great overall ambassador for DHS initiatives. He is also persuasive in describing future cybersecurity strategies and ongoing solutions and challenges.

Interview Between Dan Lohrmann and DHS Assistant Secretary Andy Ozment

Dan Lohrmann: You were recently named by DHS Secretary Jeh Johnson as the new point person for the National Cybersecurity and Communications Integration Center (NCCIC). What does that new role entail? Are you excited about the challenge?

Andy Ozment: The most significant part of Secretary Johnson’s announcement is our recent addition of a new NCCIC Director of Operations, John Felker. John is running the day-to-day operations of the NCCIC and is responsible for ensuring that we effectively respond to increasingly frequent and sophisticated cybersecurity compromises, share information more quickly and with a wider scope of partners, and coordinate the national response to cyberincidents. John has the same day-to-day job as our previous NCCIC directors, such as Larry Zelvin. However, the critical role of the NCCIC requires that our secretary and other senior leaders have necessary visibility into significant incidents. For this reason, Secretary Johnson elevated the NCCIC director to an assistant secretary-level position, and I am now serving in this capacity along with my current role in leading our Office of Cybersecurity and Communications. Deputy Assistant Secretary Greg Touhill remains my deputy and directly manages our cybersecurity programs, including high-profile initiatives such as EINSTEIN and Continuous Diagnostics and Mitigation. Outside of incidents, I continue to report to Deputy Under Secretary Phyllis Schneck, who has brought a vast amount of private-sector knowledge and experience to our organization.

Lohrmann: What are the greatest cyberthreats facing our nation as we head into 2016?

Ozment: The past year has clearly demonstrated that the pace of cybersecurity incidents and their severity will continue to increase. Our adversaries have demonstrated concerted interest in targeting sensitive personally identifiable information (PII). I’m also very concerned about vulnerabilities in our nation’s critical infrastructure and the systemic risk that is potentially created by ubiquitous networking and connectivity, as realized by the Internet of Things. Across both government and the private sector, we have a shared responsibility to understand and rapidly disseminate information about cybersecurity threats, promote proven best practices and measure progress against them, and help organizations respond to and recover from incidents.

Lohrmann: After the OPM breach, there have been several "Cyber Sprints" all over government. Can you tell us what you have learned? Can you share your highest priorities for DHS flowing from that review?

Ozment: After the OPM breach, the Office of Management and Budget established a “30-Day Cybersecurity Sprint” to rapidly address key cybersecurity deficiencies across the government. DHS was a key partner in this effort. As an example, one focal point of the Cybersecurity Sprint called for agencies to identify and patch critical vulnerabilities in their Internet-facing devices. Such vulnerabilities, of course, can be easily exploited and should be immediately fixed. The Cybersecurity Sprint aligned perfectly with a recent directive from Secretary Johnson, using authorities granted by last year’s FISMA legislation, calling on agencies to fix critical, Internet-accessible vulnerabilities within 30 days of patch release. Our NCCIC conducts recurring scanning of agencies’ Internet protocol ranges to identify these Internet-facing vulnerabilities, and shares the results with agency chief information officers. Based upon this effort, agencies have patched almost all of the critical vulnerabilities that we identified when Secretary Johnson issued his directive.

Further, we are now exercising due diligence by conducting proactive vulnerability assessments of high-value assets, such as key data centers, across the federal government as part of the Cybersecurity Sprint. By identifying vulnerabilities before incidents occur, we are helping agencies better protect themselves and secure critical government information. We are now working closely with OMB to make sure that the success of the Cybersecurity Sprint is institutionalized and we continue to collaboratively address cybersecurity risk across the federal government in a coordinated and strategic manner.

Lohrmann: You have been a big advocate for the Continuous Diagnostics and Mitigation (CDM) program as well as the latest iteration of its EINSTEIN program, known as 3A. Can you tell readers about the benefits of those programs?

Ozment: Although federal government agencies are responsible for their own cybersecurity, DHS has the mission to provide a common baseline of security across the government and help agencies manage their cyber-risk. Of course, no single system provides a cybersecurity “silver bullet” and not all departments and agencies have the same level of cyberdefenses. DHS provides this baseline through two basic layers of cybersecurity protection: EINSTEIN for perimeter defense against threats trying to infiltrate the network, and CDM to monitor agency networks internally for any vulnerabilities that could be exploited by threats that may have come through the perimeter.

The first two versions of EINSTEIN – EINSTEIN 1 and 2 – identify abnormal network traffic patterns and detect malicious traffic. This capability is fully deployed and protecting all federal civilian traffic that is routed through a Trusted Internet Connection (a secure gateway between each agency’s internal network and the Internet). EINSTEIN 3 Accelerated (E3A), which actively blocks known malicious traffic, is currently being deployed through the primary Internet service providers serving the federal government. We are working aggressively to ensure that all agencies are protected by E3A.

Given the federated nature and distributed responsibility of federal civilian networks, it is most effective and efficient for DHS to detect and block threats at the perimeter of federal agencies. However, there is a significant security gain to be enabled by identifying vulnerabilities inside agency networks. In the CDM program, DHS purchases commercial cybersecurity tools for federal agencies. These tools identify vulnerabilities on agency computers (Phase 1), detect unauthorized users and their activity (Phase 2), and identify potentially suspicious activity inside agency networks (Phase 3). Phase 1 tools are currently being deployed to federal agencies, with 97 percent of the federal government expected to be provided tools and integration support by the end of this fiscal year. Information from CDM tools will be fed to a dashboard at each agency. DHS will provide agencies with information about the impact associated with each vulnerability and, where possible, whether the vulnerability is being actively targeted by an adversary. With this information, agencies can prioritize their finite resources to fix the most significant vulnerabilities first. A summary of vulnerability information from each agency will be provided to DHS in near-real-time, so that the NCCIC can identify systemic vulnerabilities and correlate information between CDM and EINSTEIN to understand emerging risks. Once CDM is deployed across the federal government, agencies will more rapidly identify and fix their cybersecurity vulnerabilities, reducing the capability of adversaries to compromise an agency even if they penetrate perimeter defenses.

Lohrmann: Is there an update on the status of where federal agencies are regarding the implementation of the CDM and EINSTEIN programs and other cyberdefense measures?

Ozment: As Secretary Johnson announced at his speech at the Center for Strategic and International Studies in July, we will make CDM Phase 1 and basic EINSTEIN 3A protections available to 97 percent of the federal civilian government by the end of this calendar year. For both CDM and EINSTEIN 3A, however, each agency is an essential partner in actually deploying the needed protections. Each agency must work with the CDM vendor to implement diagnostic tools on its system. And each agency must work with the relevant Internet service provider to route its email and DNS traffic through EINSTEIN 3A. However, we are very confident in meeting Secretary Johnson’s aggressive target to make these critical programs available to nearly all of the federal government by the end of September, and making these programs available to the balance of agencies early in the next fiscal year.

Lohrmann: How is DHS doing at attracting and retaining new talent in the cybersecurity disciplines? What more can be done?

Ozment: As you can imagine, this is a tremendous challenge for my organization and the federal government writ large. Cybersecurity professionals are in extraordinarily high demand and the market is only increasing. However, there are several steps that we are taking to ensure that we have the workforce needed to succeed in our essential mission. First, we must appeal to a candidate’s sense of purpose. While we will never compete with the pay scale of the private sector, we offer a mission that, in my opinion, cannot be beat. Every day, my organization works to protect our nation’s government and critical infrastructure from cybersecurity threats. Working in the public interest is what motivated me to join the government, and I hope that it similarly motivates potential applicants to DHS.

Second, we must understand the nature of the cybersecurity job market. This is not an industry where a talented individual is going to spend their entire career working for a single organization. While I’m disappointed every time a member of our team tells me that they are leaving for the private sector, I recognize that there are potential benefits as well: My sincere hope is that our personnel who leave government for a short while will gain invaluable skills and experience in the private sector and then come back to join us to continue their service.

Third, the DHS human resources organization is taking steps to aggressively leverage the expanded hiring authorities granted by the last Congress. While, as I mentioned, we will never compete dollar-for-dollar with the private sector, we can take additional steps to make sure that candidates for our key positions do not make an excessive financial sacrifice to join the government. The DHS human resources organization is also working to streamline the hiring process, so that we can bring talented candidates on board as quickly as possible. This will also be a challenge in the government, but we can take steps to better manage our hiring pipeline and fill our vacancies in a more efficient manner.

Lohrmann: How do you see cyberdefense evolving over the next few years?

Ozment: I see three key changes in cyberdefense over the next few years. First, we must continue our progress in developing post-signature defense that relies on mathematical analysis of potential threats. Second, we must focus on the implications of a broad transition to cloud and mobile technologies. And third, we must move away from stove-piped cybersecurity tools and apply data analytics to help us holistically understand and manage cybersecurity threats.

Regarding the first point, at DHS we are mindful that to stay ahead of the adversary, we must go beyond approaches that use indicators of known threats. To that end, we are developing advanced malware and behavioral analysis capabilities that will automatically identify and separate suspicious traffic for further inspection, even if the precise indicator has not been seen before. We are developing these capabilities internally and also procuring best-in-class technologies from the private sector to evolve to this next stage of network defense.

To my second point, we are proactively addressing the cybersecurity implications as an increasing volume of Internet traffic, government information and critical government services are moving to cloud and mobile computing. This transition, although enabling significant increases in efficiency and productivity, results in new vulnerabilities and potentially novel threat vectors. To this end, DHS has partnered with the General Services Administration to develop guidance that will ensure greater security of the cloud environment as agencies adopt cloud solutions. This effort will provide for the security not only of data within cloud environments, but the security of the network connections between agency networks and cloud services. As the result of this effort, cloud service providers (CSPs) are beginning to provide innovative tools for their government customers to gain situational awareness of the security in the cloud. By continuing to mature the standards and continued partnership with GSA and the CSPs, DHS will help address the protection of dot-gov data in the cloud and provide a model for the private sector.

Finally, we are implementing the capability to integrate information from our key programs, such as CDM and EINSTEIN, leverage data enhancements such as reputation scoring, and use the outputs to understand previously unidentified threats. When we identify new threats affecting government networks, we will share this information rapidly to our partners in the private sector, using a common schema called STIX/TAXII, and help ensure that a given threat can only be used a single time across all of our information sharing partners.

Lohrmann: Are there any final comments you'd like to make regarding your new role and the future of the NCCIC?

Ozment: While DHS is speeding up deployment of our current tools and developing new approaches, cybersecurity is inherently a shared mission. Every federal agency and private-sector company has a key role to play – to understand their own risk, implement best practices, participate in information sharing activities, and effectively respond to cybersecurity incidents. At DHS, we stand ready to help our partners in effectively managing their cybersecurity risks and adapting to threats that are increasingly a condition of our networked lives.

Lohrmann: I want to thank Andy Ozment for participating in this interview and answering my questions. I also want to thank everyone at DHS for their ongoing work in protecting our nation from both physical and cyberattacks. Your service to our country and sacrifices made are rarely recognized as they should be, in my opinion.

Dan Lohrmann, Chief Security Officer & Chief Strategist at Security Mentor Inc.

Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.

During his distinguished career, he has served global organizations in the public and private sectors in a variety of executive leadership capacities, receiving numerous national awards including CSO of the Year, Public Official of the Year and Computerworld Premier 100 IT Leader.

Lohrmann led Michigan government’s cybersecurity and technology infrastructure teams from May 2002 to August 2014, including enterprisewide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan.

He currently serves as the Chief Security Officer (CSO) and Chief Strategist for Security Mentor Inc. He is leading the development and implementation of Security Mentor’s industry-leading cyber training, consulting and workshops for end users, managers and executives in the public and private sectors. He has advised senior leaders at the White House, National Governors Association (NGA), National Association of State CIOs (NASCIO), U.S. Department of Homeland Security (DHS), federal, state and local government agencies, Fortune 500 companies, small businesses and nonprofit institutions.

He has more than 30 years of experience in the computer industry, beginning his career with the National Security Agency. He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US/UK military facility.

Lohrmann is the author of two books: Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD for You: The Guide to Bring Your Own Device to Work. He has been a keynote speaker at global security and technology conferences from South Africa to Dubai and from Washington, D.C., to Moscow.

He holds a master's degree in computer science (CS) from Johns Hopkins University in Baltimore, and a bachelor's degree in CS from Valparaiso University in Indiana.

Follow Lohrmann on Twitter at: @govcso