From cyber-attacks to natural disasters, our national security faces serious threats. Dangers to our physical and cyber infrastructure require a coordinated effort to keep them secure. Can a “whole of nation” approach be the answer to the increasing connectivity of physical and cyber infrastructure protection?
•The increasing connection of cybersecurity and physical infrastructure •The “whole of nation” challenge: public-private partnerships among federal/state/local governments, the private sector, and critical infrastructure sectors •A post-Hurricane Sandy perspective •Technology trends to address “intrusion detection and prevention” programs •Combating the human capital crisis in cybersecurity protection
The following is a full transcript of FedCentral’ s interview with Suzanne Spaulding, Deputy Under Secretary, of the National Protection and Programs Directorate, Mark Weatherford, Deputy Under Secretary for Cybersecurity, of the National Protection and Programs Directorate, and General Harry Raduege Jr. USAF (Ret), Chairman, The Deloitte Center for Cyber Innovation, Deloitte Services LP, conducted by Jane Norris on December 6, 2012.
Jane Norris Welcome to FedCentral brought to you by Deloitte, a program where executives and federal government leaders talk about the issues and initiatives that are making a real impact on the business of government today. To help government help America.
From cyber attacks to natural disasters, our national security faces serious threats and danger to our physical and cyber infrastructure that requires a coordinated approach to keep them secure. It’s particularly appropriate because December is Critical Infrastructure Protection and Resilience Month.
Joining us to discuss the increasing connectivity of physical and cyber infrastructure and the need for a whole of nation approach are Suzanne Spaulding, the Deputy Under Secretary for National Protection and Programs Directorate. She oversees infrastructure protection, US visit, and the Federal Protective Service with a mission to reduce the risk and enhance the resiliency of critical infrastructure, secure federal facilities, and advance identity management and verification.
Mark Weatherford is the Deputy Under Secretary for Cybersecurity for the National Protection and Programs directorate at DHS. In that position, Mr. Weatherford leads the department’s efforts to create a safe, secure, and resilient cyberspace. Mr. Weatherford has a wealth of experience in information technology and cyber security at the federal, state, and private sector levels.
And Lieutenant General Harry Raduege, former director of the Defense Information Systems Agency, and a four-time federal agency CIO. He’s now the Chairman of the Deloitte Center for Cyber Innovation and a Director with Deloitte Services. Thank you all for being here. It’s great to see you all.
Mark Weatherford Thank you, Jane.
Harry Raduege Thank you, Jane. It’s great to be here.
Jane Norris Suzanne, I’m going to start with you. So tell us, what is the National Protection and Program Directorate’s mission and how does it correspond with the intersection of cyber and physical security?
Suzanne Spaulding Jane, the NPPD leads the Department of Homeland Security’s mission to enhance the protection and resilience of our nation’s critical infrastructure – you know, the energy, transportation, communications, water, financial services – those things which really form the backbone of our way of life. And what we have found is: these sectors have systems that are increasingly networked. So the systems that control key aspects of the delivery of those services to the American public are now vulnerable to cyber attacks – and cyber attacks can produce physical consequences.
Mark Weatherford I would just add – one of the things that we added to the NPPD about a year ago was a focus on cybersecurity. Within the organization, we have the Cybersecurity and Communications organization, which is responsible for coordinating with not only the federal government – but state and local governments, and the private sector, among the 18 critical infrastructures (on how we raise the bar on cybersecurity, how we respond to cybersecurity events, and as Suzanne said, how we can help build resilience into the system).
Harry Raduege Well, let me just ask: it seems now that we’re recognizing that cyber and physical security are gradually becoming more connected, making us increasingly vulnerable. So what is the history and why are they becoming increasingly connected?
Mark Weatherford I think there are a couple of reasons for that. Certainly the efficiencies that digital technology has brought to the mix provides a lot of economic incentives for companies to bring the digital technology into infrastructures and organizations and businesses that historically have not depended on that digital infrastructure. Those digital infrastructures that we’re now overlaying on those critical infrastructures bring along with it a lot of the same vulnerabilities and are susceptible to the same threats that we see in other areas of our economy.
Suzanne Spaulding So, Harry, we’ve talked about the consequences, physical consequences, from a cyber attack; but it’s also the case that you can’t have effective cybersecurity, in most cases, without having effective physical security – because we have to consider not only remote attacks, but also the insider threat, and gaining physical access to your IT systems. In addition, physical security systems are among those systems that are now vulnerable to cyber-attacks because they, too, are networked, and so your security surveillance cameras, for example, are now potentially susceptible to remote access, and that threatens your physical security, so these are in many ways inexorably intertwined.
Harry Raduege Well, this really makes perfect sense to me. I don’t think we’ve really recognized the fact of the closeness of the physical and the cyber security in the past, and I’m glad that both of you are working so closely in this exciting area to bring these together. So Mark, what technology trends are you seeing now that support this evolving intersection of cyber and the physical threats that we’re seeing today?
Mark Weatherford Well, there are a number of ways you could address that, but certainly the growing use of embedded systems. Embedded systems are really in all facets of our society, and while they’re not computers, they act much like computers and they can react like computers. So the growing ubiquitousness of these embedded systems (that really are in everything from cars and airplanes to substations and water treatment plants and auto manufacturing) – everything has these embedded systems. As I mentioned earlier, they have potential vulnerabilities that can be used for disruption.
So the embedded systems are certainly one of the technology trends where I think we’re seeing an evolving intersection. The growing use of wireless is something that we’re seeing more and more of. These systems, many of them are located in remote locations. There’s a growing use of wireless technology to manage these things remotely. So there’s a variety of different technologies and things that, in fact, do play a part in that intersection of physical and cyber.
Harry Raduege Well, on the heels of Hurricane Sandy which we’ve all experienced here as a nation – and are still experiencing, I might add – the results of it all. Add to that, recent reports of vulnerabilities to the nation’s electric grids… Are there certain sectors or threats that keep you up at night from a physical and a cyber perspective?
Mark Weatherford Well, I wouldn’t say there’s one that maybe is more important than others; although, some are certainly more visible than others (e.g., the electricity sector, as I mentioned a minute ago, the water sector, communications sector – they’re all a bit more tangible, and people can see and touch and feel and smell them). Those are certainly things that I worry a lot about. From a threat perspective, we’ve recently seen attacks on the financial systems in America, and actually relatively low level technology attacking, but the response that it required from both the public and the private sector to address that has been pretty remarkable. So those kinds of things, you think that everything is high- tech and whiz-bang, and in fact, it can be something fairly trivial from a technology perspective that can cause some significant disruption.
Harry Raduege So it sounds like these critical infrastructures are the ones that are your biggest concern.
Mark Weatherford Well, they are. I mean, that’s what the job at DHS is about, protecting the homeland, and those services and systems and technologies that society and our citizens depend on for health and safety and welfare—those are the things that I focus on, and those things that keep me awake at night, as you say.
Harry Raduege Great. Well, Suzanne, how about from your perspective?
Suzanne Spaulding Well, one of the things we spend a good deal of time on is assessing, gathering data, and doing analysis to help prioritize critical infrastructure. Asking: what are the most essential? What are the ones where we have to really focus and allocate resources? And in order to do that, you have to understand the consequences if you lose that asset, facility, network, or system. Then work your way back from that in terms of figuring out what are the highest priorities which highlights the need for a holistic approach. You can’t look at cybersecurity and prioritize on cybersecurity without assessing the physical consequences that will result from a cyber penetration or cyber attack.
Harry Raduege Great. Well, Mark, you and Suzanne have been working very, very hard over there. How is DHS helping to set the example for best practices and connecting cyber and physical security? Are there ways that you can share publicly with us here during our broadcast?
Suzanne Spaulding Harry, we have made a concerted effort to ensure that we are not working in stovepipes here. We have a cyber security organization and an infrastructure protection organization that is traditionally focused on physical security, and we have made concerted efforts to ensure we’re taking an integrated approach, and one of the specifics is: we have set up an integrated analysis task force. That task force draws on expertise from the cyber side of the house and the physical security side of the house to do the kind of modeling and analysis that I’ve been talking about. There you assess the consequences in the physical world, and the cross-sector consequences. So you’re not looking just at one sector, but the dependencies between sectors. So that’s all the sectors that rely on electricity, all the sectors that rely on transportation, and communications.
Harry Raduege That’s great. You’ve been doing some great work there Suzanne, and Mark, can you add to that, please?
Mark Weatherford Yeah, we also have, I think another very successful thing that DHS is doing. We have our people scattered around the country in the different FEMA regions working with the private sector. They’re doing assessments on the ground; incorporating both physical security and cybersecurity components to those assessments. They’re working in sync, as I said. Both the private sector and state and local governments – people literally across the country. It’s probably one of the growing services that we are providing for the nation out of DHS. I’ve been around the country talking quite a bit lately. This is the one issue that’s coming up, a lot that people are more and more interested in how we can help them on that from that perspective.
Harry Raduege Well, you both have given us some great thoughts and ideas on the way that DHS is now taking a look at both the physical and the cyber areas of our critical infrastructure and how to protect that to the best of our ability.