Tornadoes happen fast. Cyber happens faster: Interview with Phyllis Schneck

As a nation, we are faced with pervasive cyber threats. Malicious actors, including those at nation-state level, are motivated by a variety of reasons that include espionage, political and ideological beliefs, and financial gain.

The U.S. Department of Homeland Security (DHS) and its National Protection and Programs Directorate works to assistance federal agencies to understand and manage cyber risk, reduce the frequency and impact of cyber incidents, readily identify network security issues and take prioritized action.

Dr. Phyllis Schneck, Deputy Under Secretary, Cybersecurity and Communications, within the National Protection and Programs Directorate (NPPD), U.S. Department of Homeland Security recently joined me on The Business of Government to discuss the mission of her office, its vision and cybersecurity priorities, challenges faced, and her efforts to develop a “weather map” approach to predicting cyber. Here’s a glimpse of our exchange.

On the Mission the National Protection Programs Directorate

The mission of DHS’ NPPD is to lead the national effort to secure and enhance the resilience of the nation’s infrastructure against cyber and physical threats. This is very important because we must look at all threats and their potential consequences. When something happens for example, we may not know if it is a cyber or a kinetic event. We have to mitigate that. We have to have been prepared in advance. We have to know who to call. We have to understand the specific sector whether it is water, electricity, or communications.

Within the NPPD, I lead its Office of Cybersecurity and Communications, which is responsible for enhancing the security, resilience, and reliability of the nation’s cyber and communications infrastructure.  CS&C works to prevent or minimize disruptions to critical information infrastructure in order to protect the public, the economy, and government services.  CS&C leads efforts to protect the federal “.gov” domain of civilian government networks and to collaborate with the private sector—the “.com” domain—to increase the security of critical networks.  In addition, the National Cybersecurity and Communications Integration Center (NCCIC) serves as a 24/7 cyber monitoring, incident response, and management center and as a national point of cyber and communications incident integration.

When I look at cyberspace, I think of all things electronically connected – can one machine talk to another machine. Whether the machine is these days a car, a refrigerator, a laptop, a mobile phone, some other device, all of that connectivity, that communication would count in my mind as what we have to secure in cyberspace.

On the Role of Deputy Under Secretary for Cyber Security and Communications

It is a long title with multiple responsibilities. I am deputy for cybersecurity and communications to the Under Secretary of the NPPD, Suzanne Spaulding. I am the chief cybersecurity official for the department  and support its mission of strengthening the security and resilience of the nation's critical infrastructure. This involves making sure that our cyber mission is always fully integrated into the under secretary’s vision of how to enhance our resilience against physical and cyber threats. Secondly, I also oversee the entire cybersecurity and communications operation. Whether it is the Einstein Program, the Continuous Diagnostics and Mitigation, or the National Cybersecurity and Communications Integration Center (NCCI), it’s all about forging and sustaining partnerships. It is about people talking to people, sharing science and knowledge, and building relationships, so when something happens we know who to call and what to do.

If you can’t connect, you can’t share information and that is what we’re protecting, our connections and our way of life. All of this comes under my purview as well as understanding how we work with the cyber mission in each of the components that comprise DHS.

On Priorities and Challenges

My challenges are linked to my priorities.

• Building Trust -- Number one is building trust with all of our stakeholders. My first priority therein for those stakeholders/customers is building their trust so they share with us information about cyber events. Every time we learn something about a cyber event we can use that information to protect others. Gaining such trust is also a challenge in this environment. I hear from my private sector colleagues and I know from my experience, there has never been a harder time to share information or even, in some cases internationally, be affiliated with the U.S. government as a private company. But there has also never been a more urgent time to put information together, to put knowledge together, to connect the dots, to have that resilience in our infrastructures, both cyber and physical. Building that trust is both a top priority, and a significant challenge for me.

• Building Situational Awareness - My second priority and challenge involves building situational awareness -- that means every time we protect something, we should learn from that event, and use that information to protect, mitigate, and respond to events as quickly as possible. Again, I can flip that and say that’s an enormous challenge. We are widely interconnected. We face an adversary that has plenty of money and no lawyers. They have absolutely nothing to protect and they execute with amazing alacrity. We are building that same alacrity. We have to overcome the asymmetry. If we don’t protect our privacy, civil liberties, and infrastructure, then we are not in the right business. Building situation awareness is both a priority and a challenge.

• Leveraging the Cybersecurity Framework – My third priority and challenge centers on leveraging the cybersecurity framework called for in Executive Order 13636 and developed in 2014 by the National Institute of Standards and Technology. The Executive Order called for the development of a voluntary risk-based Cybersecurity Framework – a set of industry standards and best practices to help organizations manage cybersecurity risks. The resulting framework, created through collaboration between government and the private sector, uses a common language to address and manage cybersecurity risk in a cost-effective way based on business needs without placing additional regulatory requirements on businesses. The framework focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’s risk management processes. It is my priority and challenge to take the subject of cybersecurity once and for all into the boardroom. Cybersecurity demands the attention of senior leadership to understand the potential risks and consequences, so that they can invest properly in defending their resources and infrastructure. The cybersecurity framework has helped us get the message out where it matters and in a form that is compelling to both private and public sector leaders.  

On the Importance of the National Cybersecurity and Communications Integration Center

The National Cybersecurity and Communications Integration Center (NCCIC) is a 24x7 cyber situational awareness, incident response, and management center that is a national nexus of cyber and communications integration for federal government, intelligence community, and law enforcement. The NCCIC shares information among the public and private sectors to provide greater understanding of cybersecurity and communications situation awareness of vulnerabilities, intrusions, incidents, mitigation, and recovery actions. The NCCIC mission is to reduce the likelihood and severity of incidents that may significantly compromise the security and resilience of the Nation’s critical information technology and communications networks

NCCIC is at the core of our effort to pursue rapid information sharing. As the president noted, the central collection of cyber threat indicators would be housed within the NCCIC with targeted liability protection for those entities that send in such indicators. These indicators are the raw materials of cyberthreat indication, which entails machine readable, executable code that could tell your machine to talk to others or share things with other machines that it shouldn’t.

On Developing a ‘Weather Map’ Approach to Cybersecurity

This is one of my favorite topics. I studied high speed tornado forecasting with high performance computing before I entered into cybersecurity. Everybody can picture a weather map. You probably looked at one this morning. It will show you visually detailed weather information in near real-time. You don’t need detailed information on upper atmospheric behavior. You just need to know if it’s going to rain and if you’re going to wear a hat.

That’s very much what we need in cybersecurity.  Let me illustrate: A colleague who grew up in the Midwest would run for cover when the sky turned yellow – the sky turning yellow is the indicator. Meteorologically, frozen dirt may be in the upper atmosphere. In the summer, if you’re seeing an indication of freezing and you have really hot air below convective behavior manifests thus leading to bad storms. The “weather map” initiative aims to apply what the National Weather Service analysts do to predict climate conditions to cybersecurity threats.  

Tornadoes happen fast. Cyber happens faster.  The goal is to get a full-scale, real-time model of the potential cyberthreat agencies face. This effort is in the early stages.

I invite you to listen and/or download my complete interview with Dr. Phyllis Schneck on The Business of Government Hour