U.S. Strategic Command



2010 Cyberspace Symposium: Keynote - Way Ahead For Critical Infrastructure Protection

By The Honorable Greg Schaffer | Omaha, Neb. | May 27, 2010

It's been a fast-paced morning and we're accelerating.

Our next keynote speaker is Secretary for Cybersecurity Communications, Department of Homeland Security. Mr. Schaffer was appointed to his current position in June 2009, where he engages the public and private sectors and international partners to prepare for, prevent and respond to catastrophic incidents that could degrade or overwhelm the nation's strategic cyber and communications infrastructure.

Prior to joining the department, Mr. Schaffer served as Alltel Communications Senior Vice President and Chief Risk Officer. He also served as a director in cybercrime prevention and response practice at PricewaterhouseCoopers where he developed computer forensic examinations in connection with major internal investigations at Fortune 500 companies.

Please help me in welcoming the Honorable Greg Schaffer.

Good morning, ladies and gentlemen, and thank you so much for having me here today. I come to you about a year into my time with the Department of Homeland Security. I was actually sworn into my position precisely a year ago yesterday, and I can tell you that in cyber, things move quickly. It feels more like dog years.

It has been a long year and a lot of progress is being made, but I think we all are faced with a very fast-moving piece of the puzzle, and that is one of the things that I'd like to talk about this morning.

I've seen this probably from a variety of different positions and a variety of different perspectives, whether as a federal prosecutor in crime cases at the Department of Justice many years ago, or as a consultant for large organizations or as a CISO, CSO, or a chief risk officer for a large company.

What's always been of interest, although I'm a lawyer by training, I've always been fascinated by the technology and all of the things that it can bring to us and has brought to us in all parts of government and all parts of our economy. The advances are phenomenal. The efficiencies are phenomenal, but we also have been presented with a range of risks which is why we are focused on cybersecurity today.

So this morning, as someone with the early adopter's disease, I had to grab the iPad and pull up Deputy Secretary Lynn's comments earlier in the week and look at some of the things that he had to say about how cyber has been addressed and the risks. And what struck me about what his comments brought forward were the many similarities but also significant differences between what happens in the .mil spaces and some of the things that happen in the .com and .gov spaces.

The similarities are the challenges. And there was a discussion, and I'm sure throughout the rest of the time here there will continue to be discussions, about all of the threat environment that we deal with on a regular basis. And I won't go into the details around that. I think it's all too well understood by this organization. But at the end of the day, what I will say is that we consistently see that it is more sophisticated, more targeted, more focused on things of value than it has been certainly throughout my career in this space.

A dozen years ago when I was a prosecutor on computer crime cases, what we saw was a loud and proud threat environment where people behaved in a way that advertised what they were doing. And today, of course, exactly the opposite is true. What we see is a lot of stealthy behavior, a lot of behavior that is intended not to be slow but low and intended to fly under the radar, methodically chipping away at our infrastructure and taking things of value from us.

And the problems that were faced in that space and are in many ways, I think, focused on how fast things have gone, so the analogies have been made to the advancement of air power and how far we are in with air power advice, how far we are in with this technology.

I usually make the analogy in the automotive industry and talk about the fact that we have gone from before the Model-T to the Maserati that can go 250 miles an hour, and yet we've done it with speed and that advancement of speed as our focus and have spent much less time on the air bags and the antilock brakes and the seat belts that we need in order to do all of that safely and to be able to continue to achieve and advance the economic and efficiency advantages we get from this technology without dramatically increasing the risks. And I think that the challenge, that desire to quickly get the advantages of the technology without dramatically increasing risk is a challenge across all of the various domains, whether it is the .mil spaces, the .gov spaces, or the .com spaces.

So Secretary Lynn describes three approaches to dealing with the defense of the .mil networks. He talked about ordinary hygiene, which he predicted would prevent about 50 percent of attempts, and perimeter security, which he predicted would prevent another 30 to 40 percent of the attempted intrusions, and then about active defense, which he noted would be necessary for the last 10 to 20 percent of attempted breaches. And all of those predictions and percentages that struck me were focused on the world of military networks, where as a general proposition there's consolidated authority and control over centrally-managed networks. There was a set of missions historically focused on security as a primary goal, and where the command structure exists to execute rapidly on reduction of risk and the changes that are necessary in order to implement security programs across all of the services in the .mil domain.

When I think about the .gov and .com domains, what is primarily different is the complexity of those environments. In those domains, the world has developed in a way where each department and agency and certainly every company has organically built out their infrastructure and their networks in a way that is designed to meet a variety of mission sets, mission sets that are very diverse and that have not historically necessarily had security as their primary goal.

Indeed the range and breadth of missions and applications and capabilities that live in the .com and .gov worlds is as broad and complex as our economy itself. And so whether it's the Department of State, the Department of the Interior, the Bureau of Indian Affairs or any number of other federal agencies, they have built solutions and capabilities to be able to communicate with those constituencies that they work with on a daily basis.

And of course in the .com space, they're not just figuring out how to safely make use of new technologies, which in the government spaces we sometimes worry through: how do we implement something new that our users want to have on our networks and do it in a safe way? But in the .com space, they are developing those very popular new applications that are being used by everyone. And so as we go forward, we continue to think about the need to consolidate in a way and the need to move in a direction that allows us to be secure and yet get the efficiencies and capabilities.

Other differences include the fact that we are, as we consolidate, for example with .gov, trying to reduce the number of places that we connect to the larger infrastructure. In other parts of the environment, there's cloud computing, virtualization and other technologies that are making the perimeter harder to find, let alone secure. And in many of the domains, it is no longer just about the IT systems and communication systems that we have been focused on from a security perspective for so long. It is also about the industrial controls, the power grids, the security cameras, the physical access devices, the pipelines, the manufacturing equipment, all of which are now being connected in a way that takes advantage of the economic advantages and the efficiency advantages of these IP technologies that we've developed over the last 20 years but also connects those capabilities to the networks that we know have been and continue to be under attack in a variety of challenges.

So what do we do from a Department of Homeland Security perspective to address this range of risks and challenges and complexity? For the most part, we focus on partnership. As a practical matter, partnership is critically important to how we execute from a Department of Homeland Security perspective in both the .gov and the .com spaces because at the end of the day, both the knowledge and ownership of the infrastructure is usually in the hands of someone else. The knowledge of the data and the value of the data that is managed and controlled and leveraged by those systems again is owned and controlled elsewhere. And of course, the knowledge of the business operations and the goals of the networks that have been deployed to deliver solutions is in the hands of those who are using them and building them. So our need to partner with those individuals and those entities in order to bring security ideas forward is critically important.

Several examples I'll talk about this morning. In critical infrastructure and key resources and all of the industrial control spaces, we've put a lot of energy and effort into partnering with those who actually develop, deploy and use those solutions. We do that in a variety of ways, but we've been leveraging some new solutions that we brought to the table in the last year. We have stood up, for example, an industrial control system cyber emergency response team which parallels to a great extent what we have done with US-CERT for many years, trying to aggregate and disseminate information about threats of vulnerability to the community that uses industrial controls.

We have also worked hard to make sure that in those spaces where our economy and our broader solutions are all dependent, we are able to provide a range of support. So we now have on-site capabilities and fly away teams that can respond to those who ask for assistance in an event that is ongoing.

We perform assessments and testing of the equipment and solutions that are in the process of being deployed and try to identify the vulnerabilities that may be brought forward by new solutions.

We've developed some tools like the cybersecurity evaluation tool that allowed the owners and operators of critical infrastructure to test the deployment of these solutions within their own networks and determine whether or not they raise risk or have vulnerabilities that need to be addressed.

We do a tremendous amount of training of individuals who manage these solutions, and so in the last year, about 14,000 individuals have been trained through this process of actually seeing what capabilities can be brought to bear against industrial controls and how they can be mitigated and protected.

And we, of course, publish good practices and materials designed to assist the owners and operators of these solutions to actually reduce risk over time.

Other pieces of that puzzle consist of coordinating what we do in all of the space with our partners in the IP world, meaning the infrastructure protection organization within Homeland Security that is focused on the physical aspects of infrastructure protection.

Today we really can't do physical infrastructure protection without doing cyber at the same time. As a practical matter, the access controls to our facilities are networked. The camera implementations are networked. The explosive radiological biohazard detection capabilities are networked. Many of the solutions that are used for physical security purposes are dependent upon the cyber pieces of the puzzle in order to perform at their best and the need to make sure that we are coordinating our efforts with respect to protection of those systems requires us to be focused on both the cyber and the physical aspects at the same time.

Outside of the industrial control spaces, we're of course doing a variety of things as well. At the Department of Homeland Security, we do most of what we do in partnership with the private sector through the National Infrastructure Protection Plan framework and the 18 sectors that have been established through that process.

We at DHS are the sector-specific agency of course for the IT and the communication sectors, and we work extensively with the Sector Coordinating Council, the Government Coordinating Council, and our partners within the interagency in order to be effective at moving things forward for industry. We have the Cybersecurity Cross-sector Working Group, an acronym that always slips off my tongue, that really works with the cyber aspect of all 18 critical infrastructure sectors to try to bring together those who are engaged and involved in applying cyber to the workings of each of the sectors as well. And then we work extensively with the ISACs, the Information Sharing and Analysis Centers in order to ensure that information is, in fact, being shared and that it can be information that is not just available but executable in order to reduce and address risk.

One example of one of the projects that we have focused a lot of energy on over the course of the last year was the IT sector baseline risk assessment. This was an effort through the IT Sector Coordinating Council and the Department of Homeland Security and others in government to really do a functions-based assessment of the risk associated with IT and the dependencies between the IT sector and other sectors. It was a government-industry effort from the start.

I'm really focused on bringing forward the ability to focus R&D priorities, risk mitigation techniques and resource decisions with a focus on real risk analysis. And this year the comm sector will similarly do a functions-based risk assessment to bring forward in that sector as well.

We're also engaging in a variety of pilots intended to work with our partners in order to advance and move the ball on a wide range of cyber-related issues. Some of those partners are governments such as the partnership with the State of Michigan. A pilot to bring forward the capabilities of the Einstein program, in this case the Einstein 1, flow monitoring capability to a state government recognizing that each of the states is part of the critical infrastructure and delivery of services to the constituents of that state. So through this program, we are sharing and getting data from the Michigan networks and able to share that information through US-CERT, the investment critical infrastructure players and both the government and industry partners and are in a position to leverage that data and provide to Michigan a better sense of what their risk in mitigation and techniques ought to be.

We also have pilots with DoD and the financial services industry to share sensitive information bi-directionally in a way that helps both the government organizations and the private sector organizations ensure that they're covering the full range of potential risks associated with their operations and, again, with a focus not on simply sharing for the sake of sharing but focused on sharing with a reduction in operational risk and ensuring that both sides, government and industry, are in a position to leverage as much data as we make available about the risk and vulnerabilities that are out there.

We also have programs that are designed to make it easier for our partners in the industry to gain access to the information that they need in order to knock down risk. So the Cybersecurity Partners Local Access Plan is one program, a pilot that has been designed to give our critical infrastructure and key resources partners access to classified information at the secret level in the field through the fusion centers rather than having them come to Washington in order to gain access to that level of information. This brings together critical infrastructure owners, fusion centers, state CIOs and CISOs in an environment that allows for collaboration and movement of information that otherwise might require travel to the D.C. area.

We have also been sponsoring clearances for critical infrastructure owners to ensure that they can gain access to the kind of information that they need, that the government has developed, as they go forward in trying to address the various risks that they are faced with on a daily basis.

Other programs that go beyond the pilots are also underway as well. One, for example, is the National Cyber Incident Response Plan which is called out in the president's cybersecurity policy review. This is an effort built with partners from the start both across the interagency and with the private sector to develop a plan to address national-level incidents in cyber in a way that is consistent, repeatable, and defines the roles and responsibilities of the various entities so that when an incident occurs, we will be in a position to execute well.

That process, the development of the plan, has been underway for some time, and ultimately we will test the workings of that plan at the Cyber Storm III exercise, which is scheduled for September of this year, with the interagency and with the private sector. It's really the first time we have had that level of a national incident response plan put forward, tested, and developed jointly across the entire cyber ecosystem. That will, of course, give us an opportunity to put to the test one of the new institutions that we have stood up in the last year within DHS, and that is the National Cybersecurity and Communications Integration Center.

The NCCIC, as we call it, really brings together the operational capabilities of several organizations: the NCC, the National Coordinating Center for Telecommunications, which focuses on the physical aspects of the telecommunications assets of various departments and agencies; US-CERT and the logical security controls and aggregation of information; the industrial control systems CERT; the National Cybersecurity Center; the intelligence and analysis capabilities at DHS; as well as, eventually, private sector partners. All will be able to operate on a single watch floor that allows for very transparent and rapid sharing of information, threat, vulnerability, and response and remediation data across all of those domains.

We also have been moving forward, of course, on the various initiatives under the CNCI in order to address the front line of defense for the .gov domains. So DHS as you know has been very much involved in the executing of several programs in that space, the TIC, the Trusted Internet Connection, consolidation of the connectivity for the .gov domains to the larger open Internet which includes a variety of solutions both in terms of standards and approaches for security at the TIC locations as they're stood up.

We are also deploying intrusion detection capabilities, what we refer to as Einstein 2 at those TIC locations, and we have at present 11 of the 21 TICAP agencies deployed and operational. We are seeing in those deployments about 180,000 security events on a monthly basis, so there's a huge amount of data being generated. And as those deployments continue, we expect there will be more data generated that will allow us, again, to share situational awareness and help departments and agencies to execute on knocking down risk and addressing potential vulnerabilities.

Finally, Einstein 3 which is an intrusion prevention capability, is in the development stage. As many of you are aware, that process which we are working with NSA and other government partners to develop the ultimate solution is really intended to bring the capability not just to identify the risks and vulnerabilities but actually to prevent them before they ever get onto our networks. That all moves forward in an environment where we recognize there has to be not just a perimeter defense but also a defense-in-depth strategy being applied.

And so, in addition to the Einstein programs and the CNCI, we also have been moving forward to work on the departments and agencies and with the departments and agencies as they deploy solutions within their own infrastructure and networks. Just last month, the Office of Management and Budget issued a memo that is focused on the FISMA requirements and changing the FISMA operational capability from a paper exercise to a real operational improvement opportunity. And that effort will focus on essentially getting to automated feeds of data with respect to current capabilities and configuration from security management tools directly into a FISMA reporting environment.

It will involve government wide benchmarking on security posture to give us, again, much better situational learning as to where the departments and agencies are in their walk towards better security, and it will ultimately have agency-specific interviews and discussions between the security resources and DHS and OMB in order to ensure that we understand and know what tasks have to be executed and where we have opportunities to continue to improve security as time goes on.

I think the need to combine all of these capabilities and to work extensively with our partners in the federal agencies as well as with the private sector will just grow over time. There simply isn't a way in the .com and .gov spaces to execute this without strong cooperation of all of the various players. And needless to say, DHS has had a phenomenal relationship with DoD and with NSA and others in moving forward and finding ways to execute well in order to improve these capabilities.

And with that, I'll say it has been a delight to be here. I appreciate the invitation to participate. I hope you have an excellent conference and thank you for your time.

Thank you, Mr. Schaffer. That was very informative, and we really appreciate your insight and perspectives.

At this time, the event staff will need the room to set up and prepare for lunch. We ask that you please take advantage of this time to network and to visit the exhibition center on the first floor of the Qwest Center. Please return to this room promptly at 12:30 when lunch will be served.

Thank you.