The official numbers from the U.S. CERT regarding cyberattacks seem daunting, with incident numbers rising sharply in 2015 (see chart below).
So how can we get our arms around this problem of protecting the homeland from the bad actors in cyberspace? What issues are most pressing? How is the U.S. Department of Homeland Security addressing these challenges? What partnerships and new developments are important?
Perhaps most important: Where is cyberdefense and infrastructure protection heading in 2016 and beyond?
To answer these questions and address a whole list of important security topics, I don’t know of anyone who has a more important and relevant perspective than Dr. Phyllis Schneck.
Schneck is the Deputy Under Secretary for Cybersecurity and Communications for the National Protection and Programs Directorate (NPPD) within the U.S. Department of Homeland Security (DHS).
Her impressive career includes senior leadership roles with McAfee, FBI’s InfraGard program, Secure Computing, SecureWorks and several other top technology companies. Schneck received her Ph.D. in computer science from Georgia Tech, and pioneered the field of information security and security-based high-performance computing at Georgia Tech.
On a more personal level, everyone who knows Phyllis sees her passion, excellent speaking skills and dedication to the security profession each and every day. When I spoke with her again last week by phone, she was still as refreshingly kind and humble as she was a decade ago when we met at a state government security leaders gathering as a part of the Multi-State Information Sharing and Analysis Center (MS-ISAC).
In 2015, Schneck provided President Obama with a tour of the National Cybersecurity & Communications Integration Center (NCCIC). The NCCIC (which we say "N-Kick") is a 24-hour watch and warning center that consolidates many of the department’s cyber and communications operations centers that respond to emergency incidents. The picture above was mentioned by Phyllis as one of the highlights of her years of service at DHS.
Here is a presentation given by Schneck at an Evanta event in June, 2015.
I hope you see her personality come out in this interview, which includes her strong customer focus, desire to always improve and focus on practical cyberactions and solutions, like this weather map approach for cyberthreats. I won’t name them all here, but Phyllis has won numerous professional awards, such as recently being elected to Wash100 for Public-Private Collaboration Leadership.
Now on to this exclusive interview with Dr. Phyllis Schneck:
Dan Lohrmann: Thank you for your service to our country. You have an impressive career working on security challenges in the public and private sector. Can you share any secrets to your career success?
Dr. Phyllis Schneck: Thank you for your kind words and certainly for this opportunity to talk with you. And thank you for all that you do and have done for cybersecurity in both a public and now private sector capacity.
There are no secrets – I love what I do, we all work hard, I am part of a great team. I have found hard work, good advice from mentors, meeting and learning from other leaders such as yourself, and a little luck to be a good mix.
And, never be afraid to break glass to get the right things accomplished. Carefully!
I think career success is about dedication and passion for what you do, and such a large part of that is enjoying what you do. I enjoy both technology and people, and I gravitate toward the biggest challenges and most fun in both. I have had wonderful mentors throughout my career, and a Dad who taught me to write computer code, presented me with and explained my first integrated circuit before I was 10, and was the first and only person to explain that hacking was wrong when I showed him the art of the possible as a teenager.
My best advice is to always keep up your special core competency – for me, that is technical work. For example, I read the computer science journals, I can still write code, and even though I lead and manage and love that aspect, I am still very close to our technical cyberoperations at DHS. Likely more in the weeds than expected for my title, even leading the design of some of our next steps. However, I think that helps me as a leader. I can make decisions based on an understanding of my workforce, our most precious asset. Beyond the technology, for me, it’s a love of country, passion for mission, eye on the prize – in my role at DHS that is making our cybersystems and way of life safer. And then it is all about our people, including reporting up to an incredible leader in Under Secretary [Suzanne] Spaulding, who is integrating cybersecurity in overall protection activities from cyber to kinetic.
I am surrounded by smart, dedicated people. It doesn’t get better than that!
Q: What have been the biggest surprises and challenges since moving into your current role as Deputy Under Secretary for Cybersecurity and Communications for the National Protection and Programs Directorate (NPPD)?
A: The biggest surprise is definitely how much the U.S. government does to ensure and protect our way of life, so that someone like me never had to think about it before I ended up right in the middle of it. We are very lucky as citizens.
On the other side, our adversaries are tremendous. Systems are coming online faster than they can be protected. Some of those systems hold our most private information, and some sustain our way of life. Our cybersecurity role at NPPD and operationally in the NCCIC includes response and mitigation of cyber threat across Federal Civilian government and private sector. My top priority is building trust with our customers – private industry and government – and leveraging those relationships to create an ecosystem where we all learn from each other. People work with people, machines talk to machines. The latter works at the speed of light.
However, each day I am reminded that I joined the finest team on the planet.
Q: What are the greatest cyberthreats facing our nation in 2016? Any specific examples you can give?
A: Cyberthreats are way-of-life threats. They can cause destruction, whether actively in attacks on the electronics that control critical infrastructure such as water and energy or passively in stealing and harvesting legitimate user credentials to use maliciously later while going virtually undetected from a flawless login.
Remember this: Almost everything in our world that you can’t eat is either connected or being connected to electronic logic a.k.a. a “computer.” That means it can be controlled from somewhere else, by someone else. That control needs to be protected, and we are currently designing and innovating great new technologies faster than we can secure them. NPPD recently led an awareness campaign about malware known as “Black Energy.” Black Energy is currently resident on a tremendous number of networks that control or monitor critical infrastructure such as electricity. The notion that there is dormant malware present on such critical systems for use by an adversary to create an event of their control, is not only simply frightening, but it demonstrates 2 key points:
1. Many are unaware of the control others may have over systems that affect our way of life, and that is why DHS has such strong outreach programs to our customers on a spectrum from awareness and education to technical collaboration.
2. Such widespread adversarial access to our systems is why we need resilience. We need to accept that many electronic systems are open and vulnerable, and we need to take risk mitigating steps to protect them, while being ready to operate under attack. We work with industry to prevent attacks but we cannot prevent everything. We thwart the adversary by running through an injury and healing after.
Q: What are your NPPD priorities for 2016? Are there certain projects that you plan to complete before the end of the Obama administration?
A: On the cybersecurity side, my priorities have always been:
1. Building trust with our customers, including private sector, state and local governments, academia and federal government.
2. Situational awareness (to include real-time information sharing between government and businesses and cyberthreat intelligence via connecting our EINSTEIN and CDM programs).
3. Bringing cybersecurity to the boardroom, leveraging the NIST Cybersecurity Framework and promoting cybersecurity as a risk management discussion.
In the technical weeds, I want to get beyond using only “signature” technology in our protection programs. As you know, EINSTEIN was designed to detect and block events via signature, meaning we already know those events are bad. Signatures are like vaccines. We prepared them based on previous knowledge. EINSTEIN also gives us situational awareness of all of the traffic that flows in and out of the federal agencies. Working closely as always with our privacy and civil liberties experts, we use this traffic to spot other instances of bad actors. EINSTEIN can detect in real time and can use classified information to prevent unclassified networks. EINSTEIN is absolutely unique and critical to our success in detecting and mitigating cyberthreats. It can, however, only prevent things we have seen before. EINSTEIN cannot thus far detect events that are new (a.k.a. zero-day events), but it is unique and necessary, and we are using it as a platform to create new capabilities to recognize new events and to leverage innovation from the private sector.
My goal is to incorporate reputation technology, inclusive of behavioral analytics, this year. We are already piloting and this is a terrific step. We are combining the data we receive from our EINSTEIN program as well as our Continuous Diagnostics and Mitigation (CDM) program, which puts the best of industry innovation into our Federal agencies to protect their networks and constantly monitor events for the agency as well as reporting back to the NCCIC. All of our programs connect elegantly, each augmenting our overall visibility into threats and how to mitigate them.
Again, we have an amazing team of cyberexperts!
Beyond pure cyber:
As you may know, NPPD is currently re-aligning our organization in two ways:
1. We have elevated the NCCIC to report directly to my Assistant Secretary, Dr. Andy Ozment, giving more visibility and access to our core operations, which is what NPPD is all about.
2. We are integrating our cyber and physical infrastructure partnerships and field forces to respond more efficiently to events. We will strengthen our partnerships with industry across all sectors with a more coordinated way of engaging, and an ability to bring experts in critical infrastructure together with our amazing cyberscientists to look at incident response, resilience and preparedness as a more holistic risk-management effort. I will maintain oversight of the NCCIC, the large cyberprograms and the joint partnerships – so cyber is not shrinking, it is in fact growing and lighting up the physical infrastructure side. This is exciting!
I came to DHS to work for Under Secretary Spaulding partly because she had this vision to bring cyber and physical response, and resilience back together. My sense is that over the next decade, there won’t be just “cyber” events. There will be events. And a coordinated effort that we are building now will be the norm.
I should add also that our proposed organizational changes were designed by our workforce. Under Secretary Spaulding engaged the whole team to determine with their expertise how they envisioned their organization would work best. This is a great way for our workforce to determine the impact that they want to make as individuals and as a team. We are of course waiting for guidance and approval from Congress to go fully forward, but we are ready.
This is transformational for cyber and infrastructure protection and will absolutely strengthen our cybersecurity capabilities, partnerships and response.
Q: How is DHS working with state and local governments to protect citizen data? Are there resources available to help security professionals at the front line with their missions?
A: As a whole, DHS works closely in many areas of our department with our state, local, tribal and territorial (SLTT) governments to establish relationships and collaboration between people and, again, between machines. Specifically in cyber, the Multi-State Information Sharing and Analysis Center helps us to reach multiple state and local governments, and helps them communicate threat information with each other as well as to inform our NCCIC.
SLTT governments as well as the small-medium business sector are large concerns for us. Budgets are smaller, yet the risks are still high. Compounding that, when these entities don’t use cyberprotection technologies, we all lose visibility into what threats may be attempting to enter or execute there. That visibility is what protects all of us. A threat detected at one entity can generate protection for all others in seconds via automated indicator sharing in the NCCIC. If the threat isn’t detected, that is a loss for the ecosystem, and a win for the adversary.
Q: You have focused a lot of energy on attracting and retaining cybertalent. How is DHS, and the federal government as a whole, dealing with this issue now? How is it going? What more needs to be done?
A: As I mentioned earlier, I lead a team of approximately 2,000 of the finest you will ever find in cybersecurity. The amazing thing about each of these people and the team as a whole is that everyone is here for the mission. These roles are long hours, intense situations, and not the most lucrative compensation. The draw is truly the work and the team, and the ability to make an impact on not only cybersecurity, but for our country and globally.
We can and do attract the best cybertalent. Our challenges have been in hiring and of course in the length of time it can take between an offer letter and a first day of work. I have been encouraged and energized by the successful efforts of our DHS Management Directorate in shortening some of the processes that are most tedious. We have much more work to do, but DHS is making rapid improvements.
Additionally, at the end of 2014, Congress gave us hiring authorities to help us acquire top talent more directly.
In NPPD, we are using all of the above, in addition to finding ways to provide better financial rewards as well.
Finally, we are working with many in private sector and government on programs such as Scholarship for Service and internships. We are working with these partners to help develop not just hiring opportunities, but career paths for the future. These career paths will combine government service with time in private sector to not only provide an exchange of expertise, but also a way to offset financial issues and enable top talent to serve in government while bringing government perspectives more fully into business and academia.
Our work is hard, retention is hard. Our mission is second to none, our passion is everything, and we will continue to build this strong and very capable team.
Q: How do you see cybersecurity evolving over the next five years in society? How will the Internet of Things (IoT) affect DHS’ cyberdefense missions?
A: I view the Internet of Things as mentioned earlier: Everything that we can’t actually eat has a processor, computer logic, memory and some sort of input/output. That means all of these “things” are vulnerable to someone else calling the shots on their functions. The Internet of Things means that our entire world is becoming a cyberecosystem. Defending and protecting this thus requires an ecosystem approach.
Congress just passed the Cybersecurity Information Sharing Act (CISA). This legislation names the NCCIC the central portal for the machine-to-machine sharing of cyberthreat indicators (we call this “automated information sharing” or AIS). In English, this means that the NCCIC will be the place where machines send indicators of cyberthreats, and the NCCIC rapidly distributes those to all machines that can speak to each other via security protocols. For the cyberpeople reading this, that is of course “STIX” (cyber threat expression language) and “TAXII” (transport protocol for cyberthreat info), but the key point is machines can now communicate about cyberthreats in milliseconds. Much faster than the adversaries!
We are implementing “See Something, Say Something” for cybersecurity. One threat indicator detected at one spot in the ecosystem can be communicated in near real-time throughout the ecosystem. Other machines can add to that, and the NCCIC is at the core, putting together the more complete picture, using all of these indicators as clues to create better indicators and redistribute the augmented information. This is similar to how the human body fights disease – we are creating an immune system among this Internet of Things.
In a few years, we can have the beginning of a more fault-tolerant, self-healing connected world. We will continue to make use of the tremendous innovations coming from private industry, and have more rapid adoption of those technologies into our government networks.
Nothing replaces human awareness, as we teach through our “Stop. Think. Connect.” campaign, but we now use the speed of machines to protect machines. Those machines enable our way of life.
That brings me back to one of my first comments about why we protect cybersystems as part of the mission of Homeland Security. We are enabling our country and our world to build, innovate and enjoy new technology. We will work together with our customers and interagency partners to keep cybersystems safe so that our way of life is protected, secure and, most of all, fun and enjoyable!
Q: Are there any final comments you'd like to make?
A: It is truly an honor to serve in this role!
Dan Lohrmann: Thank you so much for taking the time to give these thorough, passionate answers.
My hope is that readers of this interview can gain a small glimpse of the drive, experience, determination and expertise that you bring to your DHS role. All the best for 2016 and beyond!
As a final note, Schneck will be presenting (at least) three times at RSA 2016 in San Francisco. Here are those sessions:
1. Is Rome Burning While Nero Fiddles?
2. One Team, One Fight
3. Understanding Malware Provenance: A Federal View
I encourage readers to go listen to Dr. Schneck firsthand, and bring your own questions and comments to these important topics.