The Department of Homeland Security has a central role to play in the future of cybersecurity. Given U.S. reticence to involve the military in protecting civilian networks, DHS will serve as a hub of coordination between the government and private sector spaces, each looking to better secure the nation’s critical cyber infrastructure. In the Office of National Protection Programs, Bruce McConnell serves as the counselor to Phil Reitinger, and seeks to help him answer the tough questions surrounding the incredibly complex topic of cyber security. The New New Internet recently had the opportunity to ask him a few questions about his work at DHS.
TNNI: Could you describe a bit about your background? Why are your involved in cybersecurity?
Bruce McConnell: I’ve been involved in cybersecurity since 1985. From 1985 to 1999, I was at the Office of Management and Budget and eventually in charge of information technology policy for the government. That entailed, among other things, what was called computer security. We wrote the earliest guidance for the agencies on securing their systems. It has been a continuing interest since then. Toward the end of my stay at OMB in 1999, I was given a temporary assignment to run the International Y2K cooperation effort among governments around the world. About 120 countries participated in that effort, which was very useful from a cyber security standpoint. It was in a sense the first potential massive denial of service attack caused by a bug — the Y2K bug, and it was mitigated successfully. Y2K taught everyone about the interconnections of cyber and the critical infrastructures such as power, transportation, energy, and finance. From 2000 to 2008, I worked in the private sector with IT companies in the government IT space. Toward the end of that, I served as a member of the CSIS cybersecurity commission, and I led one of the working groups, which got me back into cybersecurity in a big way. When President Obama got elected, I was pleased and honored to be offered an opportunity to serve as part of the administration. DHS is where it’s at for cybersecurity for the civilian agencies in government and for cooperating with the private sector in the United States, so it is a great place to be.
TNNI: As a counselor to Phil Reitinger, the deputy undersecretary for national protection programs director at the DHS, what do your duties entail and what does a typical day look like for you?
Bruce McConnell: There is no typical day. Phil is the chief cybersecurity official in DHS; not for DHS Systems, but government-wide and for our national responsibilities. Secretary Napolitano has said, if you have questions about cybersecurity, go to Phil. My job is to help Phil always be ready to answer those questions. My real role is to step back from the day-to-day challenges that DHS faces as a very operational agency, one that is trying to protect infrastructure and cyber infrastructure and build a capability to keep those things protected over the long term. I look beyond today’s emergencies or potential emergencies and think about our strategic direction and position. One of the things that I am focusing on right now is developing the department’s strategy for securing the dot-gov domain and working with the private sector going forward. I’m fitting that into the national strategy that is being developed by the White House. Phil is not only the deputy undersecretary; he is dual hatted as the director of the National Cyber Security Center, which coordinates the activities of a number of different cybersecurity centers and watches in the federal government. I am working closely with Phil to help stand that organization up. It has been around on paper for about a year and a half, but it is just beginning to become operational. Finally, one of the things the White House Cyber Space Policy Review called for is a national public awareness campaign. The Department of Homeland Security has the lead on that under White House overall guidance and direction. I am the project manager for that public awareness campaign, which kicked off in October with National Cyber Security Awareness Month. It will involve a longer term effort to educate the population and critical infrastructure sectors about cybersecurity.
TNNI: You just mentioned National Cyber Security Awareness month. What role do you think education plays in this continuing effort to secure cyber space?
Bruce McConnell: Education is absolutely critical in securing cyber space. As the secretary has said, cybersecurity is our shared responsibility, and there is enough to go around for everyone to do something important and useful. It ranges from individuals keeping their anti-virus protection up to date and being mindful about which emails they open, to small and large enterprises securing their systems and following best practices, having contingency plans, and so forth. The IT industry has a big responsibility in providing the tools and the metrics for success. It’s a matter of getting everyone aware of what they can do, what their responsibilities are, and how those fit into the larger picture.
TNNI: There has been significant speculation recently regarding the naming of a coordinator for cybersecurity at the White House or commonly called the “cyber czar.” At the launch of the National Cyber Security Awareness Month, both Chris Painter currently at the White House and Phil Reitinger pointed out that the search is about selecting the best person for the position. How urgent is it to have someone in the position and is it limiting the United States’ ability to effectively coordinate on cyber issues in the interim at all?
Bruce McConnell: To clarify, it is not a czar. In fact, it is a coordinator. I think that is a critical distinction. It is a matter of coordinating and facilitating cooperation among the agencies. It’s important to have the right person. I was pleased a couple of months ago when Art Coviello from RSA said that he once took seven months to find the right CFO. I think it is important that they are doing a thorough job to find the right person, and in the meantime we are coordinating and cooperating very effectively. Chris Painter and Phil and their staffs meet regularly to discuss key issues. There is a robust interagency process. I think it is working well. We are looking forward to having the coordinator to help us set priorities, but no one is letting the grass grow under their feet. The president released a video on the White House website in October underscoring the importance of cybersecurity, and I think we are moving forward.
TNNI: There has also been a recent movement toward cloud computing, particularly within the government space. What do you see as some of the benefits and risks associated with the cloud-computing model?
Bruce McConnell: I’m fascinated by this cloud-computing model. In fact, I was reading an article yesterday in The Wall Street Journal about how the French are having trouble finding French words to describe cloud computing because when you say “in the cloud,” it means that you are kind of fuzzy-headed in French. We have that expression also of course, but we all know that what we are talking about is that fuzzy area that on Internet diagrams. Cloud computing is the latest rebranding of building intelligence into the network. If you look over time, the pendulum goes back and forth between having the intelligence at the edges of the network or in the center. In the early days, you had dumb terminals, and all of the intelligence was in the mainframe. Then, it migrated out to the desktop and the network was pretty thin. We go back and forth on that. So, there is a lot of experience in dealing with security in the cloud; we just called it different things in the past. The cloud offers benefits and risks both from a general operational and financial perspective as well as for a cybersecurity perspective. Since we are talking primarily about cybersecurity, I’ll focus in on the latter. The benefit is that if you do it right, your security is better because you have consolidated the data and have made security less a matter of individual responsibility. It’s less complex, less a matter of reconfiguring and catching every work station, and more a matter of dealing with it at an enterprise level or in a consolidated way. That consolidation can also produce risks, in that if you do it poorly you have data and computing power that is out of your control. The data may be more vulnerable to a physical attack or cyber attack and loss. It raises the stakes for cybersecurity, because on a good day it is more secure, but if it is done wrong the potential losses are higher.
TNNI: The vast majority of the nation’s cyber infrastructure is still in the private sector; some people say up to 85 percent. What role can and should the private sector play as we look to move cybersecurity forward?
Bruce McConnell: The private sector has a number of roles. First, it needs to secure its own systems, and, in particular, the cyber infrastructure — the networks and the devices that are on the networks. All of that equipment and software needs security built in, not bolted on. It needs to be operated in a secure manner, especially the networks and websites that support the daily functioning of the economy and that we all, including the national security community, rely on. We are all buying our leased lines and network services from the same carriers, so it is an interdependent ecosystem. So it is their responsibility to secure their own assets both for their own business purposes and for national reasons. Second, the industry has a responsibility to offer solutions to the rest of us, the consumers, whether those be private sector consumers or government consumers: secure software, reliable and secure hardware, assured supply chains, and to offer us a suite of reliable, easy to use tools. I think those are the two main responsibilities.
TNNI: What advice would you give to the private sector, particularly government contractors as they consider the best security practices for their organizations?
Bruce McConnell: Focusing specifically on government contractors, I think one of the most useful things that is going on right now is with some of the companies in the defense industrial base. As you know, the defense industrial base is one of the critical infrastructures. It is the suppliers that supply the Defense Department and other parts of the national security community with what they need to do their jobs. The Defense Department is working with key companies in that to help them protect their critical data, because the contractors have the designs for the weapons systems that they are building and other sensitive data. So, it is critically important that that data be at least as well protected as the government’s own data. Building on that example, I would suggest that other government contractors follow that lead and work with their customer agencies to share what they are learning about threats and vulnerabilities so that the products and tools and services that the government is being delivered are as a secure as possible.
TNNI: What issue in cybersecurity is of greatest concern to you and why?
Bruce McConnell: One of the challenging things about cybersecurity is its complexity. One thing that worries me is that we are not clear enough about our priorities. One of the reasons we have that problem is that we are short on metrics. Today, if you own a small business or manage a large business, and you go to your chief information security officer and say, “I have another dollar to spend on cybersecurity, where should I spend it in order to be most effective? Should I spend it on employee training? Should I spend it on stronger firewalls? Should I spend it on better authentication?” There are no metrics that the CSO can give that business manager to tell him, “this is where we see the most cost effective use of the marginal dollar of investment in cybersecurity.” That is just because the field of cybersecurity is still immature, so we don’t have those metrics and we don’t know, “how much will my security be increased by sending another employee to training,” versus building a stronger firewall or having longer password protection. Until we get those metrics, our decisions about investments in cybersecurity are going to be based on anecdote and unclear criteria, rather than a more rigorous scientific data based approach to those decisions.