The Cipher Brief sat down with Suzanne Spaulding, the Department of Homeland Security’s Under Secretary for the National Protection and Programs Directorate. She shared her thoughts on areas of collaboration between the public and the private sector, and the ways DHS can help.
The Cipher Brief: What is your role at DHS?
Spaulding: I am the Under Secretary for the National Protection and Programs Directorate. We have the overarching mission of strengthening the security and resilience of the nation’s critical infrastructure. Critical infrastructure is really all the things that enable our way of life. It is not just roads and bridges: it is the electric grid; it is the water systems; it’s agriculture; it’s public health and emergency communications; all of the basic goods and services that we really depend on each and every day. Our role is to work with both our government partners and our private sector partners to do everything we can to ensure that those are safe, secure, and reliable.
TCB: What are the greatest challenges that you face in terms of protecting the nation’s infrastructure?
Spaulding: One of the challenges is that this is a new kind of relationship between the government and the private sector. We have to really work with the private sector as full partners in finding and implementing solutions.
TCB: How do you operationalize that partnership? How do you actually work together?
Spaulding: We have a lot of face-to-face interaction both in Washington – through coordinating councils that the private sector sets up around these various areas of critical infrastructure – but also across the country. We have protective security advisors in all fifty states who work with the critical infrastructure owners and operators, and with their state, local, territorial, and tribal counterparts. They make sure that folks understand what their vulnerabilities are, and what we can do to strengthen their security, their resilience and their ability to bounce back from disruptions.
TCB: DHS is about to set up a cyber intelligence center. Can you tell us about that?
Spaulding: The government is setting up a cyber threat intelligence integration center within the intelligence community. We will work closely with them. I’m very much looking forward to having all the different parts of the intelligence community and all of their different insights brought together in one place.
TCB: Let’s shift gears to the cyber threat. What would you say should be the private sector’s biggest take away from the OPM hack?
Spaulding: There are a number of things I think that businesses ought to take away from this, as well as government, at both the federal and state level. One is, we really do need to think hard about what it is that you have that others might want. That’s basic under the NIST cyber security framework, which I would encourage all businesses to look at and try to use as a resource. But the first step is to identify your assets and identify your risk. Any company that has any customer information needs to be thinking about this. If you’ve got sensitive secrets, if you’ve got any kind of business information that is proprietary – that you would not want others to have access to – you have to be thinking about this. If you have machinery, it’s likely that that machinery is on some kind of a network, and you need to be thinking about this.
TCB: What do you think about the evolution of the cyber threat? What do you think is coming down the pike that businesses and government need to be thinking about?
Spaulding: One of the things I think we all need to be thinking more about is how physical and cyber are connected. We need to make sure, and I’m working hard with my organization on this, that we don’t put cyber in a stovepipe – that we don’t just think about the ones and zeroes, but think about the impact in the real world. We need to think about all the ways in which you can reduce that risk.
A lot of that is basic cyber hygiene—so when you get a new piece of IT equipment, it comes with a password—change that password. That’s the kind of basic level of things. There’s a handful of cyber actions that can be taken that will reduce 80-90 percent of the cyber intrusions that a company sees. Having said that, that last 10-20 percent is really hard, so we need to be thinking about other ways to buy down that risk. Some of those might be physical; some of those might be other kinds of ways you can reduce the risk that you see emerging. If the risk is customer confidence, part of your solution to that, part of the way you reduce that risk, is you think hard about messaging in the wake of an event. Don’t wait until it happens. What are the ways you’re going to build back consumer confidence even as you’re rebuilding your architecture more securely?
TCB: There’s so much pressure now on CEOs to educate themselves on an issue they probably don’t have a lot of background on. They have to be able to explain and prove to their board that they have done what they need to do to protect their company. In your experience, what are some of the things that would help turn things around a little bit faster overall if everyone understood?
Spaulding: It’s a good question, and I don’t want to sound parochial, but I would say that companies are missing the resources at the Department of Homeland Security that are there to help them. We have a ‘C cubed’ Program. C cubed stands for Critical Infrastructure Cyber Communities Voluntary Program. There are a whole series of resources available, including questions for CEOs to ask their CIOs and chief information security officers, because you’re right, these CEOs are not cyber experts. And part of the problem we’ve seen is that CEOs—like policy makers—are intimidated by this, and tend to then cede the decision making to the ‘techies,’ and they need to recapture that – they need to be in charge of this.
CEOs need to know how to have that conversation. It starts with basic questions like: “Do we have a plan? What is that plan? What’s the threshold for when you’re going to bring incidents to my attention?”
I think the other key aspect for CEOs and boards is to not just think of this in terms of the IT network, but to think of this in terms of your business continuity of operations. So if they start by talking about the business that they know about—and CEOs are risk managers—this is risk management.
TCB: Is there anything else that you think is important for people to know?
Spaulding: The other thing that I would encourage companies to think about is joining together with other companies to share information.
TCB: That’s terrifying to some people.
Spaulding: It is, but it’s important, and there are lots of companies doing it today. We are about to award a grant to set up a body for establishing best practices for information sharing. That will help companies of all sizes that want to work with their colleagues, whether it’s other businesses like their business or other businesses in their geographic area or just people they know and trust. They will now have a place to go to get best practices and guidance on how to set up this organization in a way that protects them from any kind of liability and in a way that they understand how to protect the information they’re sharing. So stay tuned. Very soon we will stand up this body and develop best practices.
There are varying degrees of engagement that companies can have with DHS. We have private sector representation on our operations floor at our National Cybersecurity and Communications Integration Center (NCCIC). We have agreements where we can share classified information with the private sector, and we have these resources where we can help do cybersecurity assessments and provide mitigation recommendations.