The first panel of AFCEA’s Annual Homeland Security Conference had Cyber Security as a subject. That alone says something for the predominance and importance of this issue today. The discussion was a fine starting point for the event. It was moderated by Bruce McConnell, Counselor to the Deputy Under Secretary Reitinger, DHS’s cyber lead. He was joined by Steve Chabinsky of the FBI, Van Hitch, CIO of the Department of Justice, and Dave Wennergren, Deputy CIO of the Department of Defense.
McConnell began on a positive note, saying that there was finally real money behind the programs that needed to be executed. He pointed out that the first ever Quadrennial Homeland Security Review named “Safeguarding and Securing Cyber Space” as one of the department’s five core areas. He also said they were getting good private sector involvement with the development of the National Cybersecurity Incident Response Plan, and my personal favorite, that Secretary Janet Napolitano would announce the launching of the National Cybersecurity Awareness Campaign at RSA next week.
He mentioned that while many had called for the Awareness Campaign to be like the iconic “Only you can prevent forest fires” Smokey the Bear campaign, it was “more complicated than that.” While I agree with the complexity – every level of our society must be reached, from little kids to 50-year-old workers – we have to have something that has a resonance akin to Smokey, or at least the crying Brave.
Chabinsky gave a superb review of the threats. He noted that sometimes we overemphasize the remote access threats (important but not the only one) to the exclusion of supply chain threats (design, manufacture, delivery, installation and maintenance), proximate access (through WiFi), and insiders (deliberate infiltration, disgruntled employees, and the biggest, good people who are lazy or careless). He called for a more sophisticated view of risk management, and a new view of information sharing. He said that if we have to “share” info, it means we’re already working in a stove pipe. What we really need is continuous cooperative work.
Van Hitch and Dave Wennergren emphasized the role of the CIOs and the CISOs in leading their organizations to better cyber security. They all agreed that Howard Schmidt (who unfortunately had to cancel at the last moment) was doing a great job, quietly driving the needed coordination process forward. All lauded his effectiveness. They also spoke of US-CERT evolving into an action organization and learning from DoD’s experiences in interacting with the Defense Industrial Base (private sector) to inform how to go forward in both the “.gov” and “.com” domains.
The last tidbit was Chabinsky’s explanation of the experience the FBI had with info sharing with the private sector. They had thought they were doing well, until they solicited feedback from some industry leaders. It was not flattering. The private sector perceived it to be a one-way street. Chabinsky said that now rather than sending out reports which were universally seen as late to task and of little use to prevent damage, they were trying a different method. They analyze and compile the data, and then “open the books” to allow the private sector reps to see for themselves. Not only did they feel that they were getting the info faster, and with less “left out,” but they were adding to the analysis. Now the industry folks were writing parts of the documents that were going out, including how a certain threat might affect their industry, and recommendations on how the private sector might respond. I was very heartened.
Overall, it was a superb panel that covered a wide swath, and did it well. Kudos to the panelists and to AFCEA International.