Interview:

Greg Schaffer

Assis­tant Secretary for CyberSecurity & Communications

DHS

OTFL: The volume, scope and speed that data moves through networks make cybersecurity a daunting challenge. How is DHS facing that challenge?

Greg Shaffer, DHS: When we talk about volume what we mean is that the amount of data that we as a society generate and consume continues to grow.

The federal government is no different and that has value to those who would try to get access to that data inappropriately. So as a practical matter that’s a constant challenge for us.

As we try to reduce the number of places the government connects to the open Internet—for example through the Trusted Internet Connections (TIC) program—more and more data has to flow through these (fewer) access points. Deploying security capabilities at those locations, as we do through that program, becomes more of a tactical challenge, because it’s got to handle volumes of data that are ever increasing.

The scope problem is similar in that we are attaching more and more to our networks. We are finding creative and effective ways to make use of networks and computer technology over time.

So, back in the day when I first got a computer, it was primarily being used by number crunchers to do work sheets. Eventually it got into the word processing space and now of course we use it for absolutely everything right down to my 7 year-old insisting that she can’t get her homework done unless she has access to the Internet.

As that expansion comes, that scope change occurs. It just means there’s more and more things to secure and we’ve got to secure different places and different kinds of devices as we go from wired devices to wireless devices.

A whole set of other risk analysis has to be done and controls need to be put in place. As we start patching things like industrial controls and manufacturing facilities and power grids and other non-traditional capabilities, we’ve had to stand up programs like the Industrial Control System security program (ICS Cert) to address the ever broadening scope of things that we are attaching to the networks.

When we talk about speed ultimately it is simply that the pace of change is so dramatic in this space that traditional government approaches to things like acquisition programs and procurement aren’t necessarily tools for the kinds of aggressive change that we see in cyber.

It’s all well and good that you go through a carefully calculated analysis before you expand on major programs, and that’s appropriate. But it also means that if it takes 2 years to get something through the system and deployed, that capability may no longer

be state-of-the-art when it hits the networks. And that’s a challenge for us as we go forward and try to develop good capabilities and solutions that can address both the current set of issues and the ones that we see coming at us down the pike.

OTFL: Cyber Storm III was held in September. How did that go?

Greg Schaffer, DHS: Cyber Storm III was our biennial national level exercise and it went very well…it was a very successful exercise in that it did what we needed to do. It let us kick the tires with respect to several new capabilities that have been coming on line.

We stood up the National Cybersecurity and Communications Integration Center (NCCIC), about a year ago. We’d been using it for managing a variety of incidents, but we hadn’t had a major incident that we needed to test these capabilities against. So having the exercise was an opportunity to see how the NCCIC would function in a major incident, and that went quite well.

We also had the National Cyber Incident Response Plan (NCIRP) which recently has come through the process. It’s got an interim status at this point, but we need to test its capabilities.

We are operating under that incident response plan today, but we are in the process of making our final changes to that document based on some things that we have learned through Cyber Storm III and that should make a success story as well.

We had wide participation. We had 7 agencies from the federal government, 11 states participated, we had 60 private sector companies and 12 international partners, all of who were engaged and involved.

We had an opportunity to work through how the information sharing with all of those various entities is supposed to work and how it would really work in an event. And so that was a tremen­dous opportunity as well, to work with a group of partners that we work with on a daily basis but that we need to work with even more extensively during an emergency event.

OTFL: October was Cyber Awareness Month. How are activities like that that helping change the cyber cultural landscape?

Greg Schaffer, DHS: In many ways we spend a lot of time throughout the year focused on the cybersecurity experts. I like to refer to them sometimes as the cybersecurity choir. In October, we get to focus on the folks who are not part of that choir, but have respon­sibilities none-the-less.

So we’ve spent a lot of time dur­ing October talking about Cyber Storm III; how it came out and all of the work that’s being done now to bring the message of what roles and responsibilities the public has to the forefront as well.

We’ve got an awareness cam­paign that’s ongoing called “Stop, Think, Connect” to try to bring that message to folks who are just using a home computer or a small business computer but they’ve got some of the very same risks associated with potential vulnerabilities as the rest of us do.

(As to the cultural landscape) I don’t think there’s any ques­tion. There is more activity, engagement, and sense of purpose right now than there has been in a long time. I think that phenom­enon is what we need. We need to continue to make progress and have creative ideas brought to bear so that we don’t stagnate, we continue to move forward. I feel that sea change; I’ve felt it over the course of the last 18 months as we’ve worked through getting a lot of these capabilities stood up.

OTFL: In the next 2 years, how do you see cybersecurity improving?

Greg Schaffer, DHS: I am particularly enamored with the fact that we are at a point now where we’ve stood up a lot of these new capabilities like the National Cyber Security Integration Center and the National Cyber Incident Response Plan.

Now we are adding people and we are putting the operational concepts into full operational practice. What I think you are going to see over the course of the next couple of years is our really moving from these new things being set up and going from the testing process with Cyber Storm III to “honing the sword” and getting it to work the way we want it to work, to being much more operationally effective.

I think taking what we have now developed as a construct and now shaping it and making it work effectively is what the focus and the attention will be. And that’s a great place to be.

We’ve spent a lot of time trying to figure out what the con­structs ought to be and it’s great to be in a position now where we’ve got that construct, we just need to execute well on it.

(That means) getting all the people that we need in place so that we are able to do that.

And really make things like Einstein 2, which is our intrusion de­tection capability, Einstein 3 which is coming forward as an intrusion prevention capability, making sure those are delivering what we need, and protecting our systems both on the .gov side and in the commercial sector helping them come up with their constructs and our participa­tion in information sharing to en­sure that they’re able to do what they need to do as well.

OTFL: What excites you about your job? Why do you like to go to work in the morning?

Greg Schaffer, DHS: I like to think of myself as a people person and a problem solver. I think the great thing about my job and about what I’ve been able to do over the course of the last 17 or 18 months is to get to meet and work with just an extraordinary energized and capable set of people.

I was privileged to work in this space as a federal prosecutor on computer crime back in the late 1990s. Today it is just really heartwarming to see representation from the Department of Jus­tice, from the Department of Defense, from the intelligence com­munity, from DHS, from various other departments and agencies, and all of the private sector players who are in the various critical infrastructure and key resource sectors, including the IT sector and the communications sector…really pulling together to figure out how to solve some of these problems and come up with solu­tions that are both creative, dynamic and that actually work in the real world.

So coming online with the NCCIC and the National Cyber In­cidence Response Plan; to see people who are so engaged and involved; that gets me fired up and makes it really a job worth doing on a daily basis.