December 6, 2012

The following is a full transcript of FedCentral’s interview with Suzanne Spaulding, Deputy Under Secretary of the National Protection and Programs Directorate; Mark Weatherford, Deputy Under Secretary for Cybersecurity of the National Protection and Programs Directorate; and General Harry Raduege Jr., USAF (Ret), Chairman, The Deloitte Center for Cyber Innovation, Deloitte Services LP, conducted by Jane Norris on December 6, 2012.

Jane Norris
Welcome to FedCentral brought to you by Deloitte, a program where executives and federal government leaders talk about the issues and initiatives that are making a real impact on the business of government today. To help government help America.

From cyber attacks to natural disasters, our national security faces serious threats and danger to our physical and cyber infrastructure that requires a coordinated approach to keep them secure. It’s particularly appropriate because December is Critical Infrastructure Protection and Resilience Month.

Joining us to discuss the increasing connectivity of physical and cyber infrastructure and the need for a whole of nation approach are Suzanne Spaulding, the Deputy Under Secretary for National Protection and Programs Directorate. She oversees infrastructure protection, US-VISIT, and the Federal Protective Service with a mission to reduce the risk and enhance the resiliency of critical infrastructure, secure federal facilities, and advance identity management and verification.

Mark Weatherford is the Deputy Under Secretary for Cybersecurity for the National Protection and Programs Directorate at DHS. In that position, Mr. Weatherford leads the department’s efforts to create a safe, secure, and resilient cyberspace. Mr. Weatherford has a wealth of experience in information technology and cyber security at the federal, state, and private sector levels.

And Lieutenant General Harry Raduege, former director of the Defense Information Systems Agency, and a four-time federal agency CIO. He’s now the Chairman of the Deloitte Center for Cyber Innovation and a Director with Deloitte Services. Thank you all for being here. It’s great to see you all.

Mark Weatherford
Thank you, Jane.

Harry Raduege
Thank you, Jane. It’s great to be here.

Jane Norris
Suzanne, I’m going to start with you. So tell us, what is the National Protection and Programs Directorate’s mission and how does it correspond with the intersection of cyber and physical security?

Suzanne Spaulding
Jane, the NPPD leads the Department of Homeland Security’s mission to enhance the protection and resilience of our nation’s critical infrastructure – you know, the energy, transportation, communications, water, financial services – those things which really form the backbone of our way of life. And what we have found is: these sectors have systems that are increasingly networked. So the systems that control key aspects of the delivery of those services to the American public are now vulnerable to cyber attacks – and cyber attacks can produce physical consequences.

Mark Weatherford
I would just add – one of the things that we added to the NPPD about a year ago was a focus on cybersecurity. Within the organization, we have the Cybersecurity and Communications organization, which is responsible for coordinating with not only the federal government – but state and local governments, and the private sector, among the 18 critical infrastructures (on how we raise the bar on cybersecurity, how we respond to cybersecurity events, and as Suzanne said, how we can help build resilience into the system).

Harry Raduege
Well, let me just ask: it seems now that we’re recognizing that cyber and physical security are gradually becoming more connected, making us increasingly vulnerable. So what is the history and why are they becoming increasingly connected?

Mark Weatherford
I think there are a couple of reasons for that. Certainly the efficiencies that digital technology has brought to the mix provide a lot of economic incentives for companies to bring the digital technology into infrastructures and organizations and businesses that historically have not depended on that digital infrastructure. Those digital infrastructures that we’re now overlaying on those critical infrastructures bring along with them a lot of the same vulnerabilities and are susceptible to the same threats that we see in other areas of our economy.

Suzanne Spaulding
So, Harry, we’ve talked about the consequences, physical consequences, from a cyber attack; but it’s also the case that you can’t have effective cybersecurity, in most cases, without having effective physical security – because we have to consider not only remote attacks, but also the insider threat, and gaining physical access to your IT systems. In addition, physical security systems are among those systems that are now vulnerable to cyber-attacks because they, too, are networked, and so your security surveillance cameras, for example, are now potentially susceptible to remote access, and that threatens your physical security, so these are in many ways inexorably intertwined.

Harry Raduege
Well, this really makes perfect sense to me. I don’t think we’ve really recognized the fact of the closeness of the physical and the cyber security in the past, and I’m glad that both of you are working so closely in this exciting area to bring these together. So Mark, what technology trends are you seeing now that support this evolving intersection of cyber and the physical threats that we’re seeing today?

Mark Weatherford
Well, there are a number of ways you could address that, but certainly the growing use of embedded systems. Embedded systems are really in all facets of our society, and while they’re not computers, they act much like computers and they can react like computers. So the growing ubiquitousness of these embedded systems (that really are in everything from cars and airplanes to substations and water treatment plants and auto manufacturing) – everything has these embedded systems. As I mentioned earlier, they have potential vulnerabilities that can be used for disruption.

So the embedded systems are certainly one of the technology trends where I think we’re seeing an evolving intersection. The growing use of wireless is something that we’re seeing more and more of. These systems, many of them are located in remote locations. There’s a growing use of wireless technology to manage these things remotely. So there’s a variety of different technologies and things that, in fact, do play a part in that intersection of physical and cyber.

Harry Raduege
Well, on the heels of Hurricane Sandy which we’ve all experienced here as a nation – and are still experiencing, I might add – the results of it all. Add to that, recent reports of vulnerabilities to the nation’s electric grids… Are there certain sectors or threats that keep you up at night from a physical and a cyber perspective?

Mark Weatherford
Well, I wouldn’t say there’s one that maybe is more important than others; although, some are certainly more visible than others (e.g., the electricity sector, as I mentioned a minute ago, the water sector, communications sector – they’re all a bit more tangible, and people can see and touch and feel and smell them). Those are certainly things that I worry a lot about. From a threat perspective, we’ve recently seen attacks on the financial systems in America, and actually relatively low level technology attacking, but the response that it required from both the public and the private sector to address that has been pretty remarkable. So those kinds of things, you think that everything is high-tech and whiz-bang, and in fact, it can be something fairly trivial from a technology perspective that can cause some significant disruption.

Harry Raduege
So it sounds like these critical infrastructures are the ones that are your biggest concern.

Mark Weatherford
Well, they are. I mean, that’s what the job at DHS is about, protecting the homeland, and those services and systems and technologies that society and our citizens depend on for health and safety and welfare—those are the things that I focus on, and those things that keep me awake at night, as you say.

Harry Raduege
Great. Well, Suzanne, how about from your perspective?

Suzanne Spaulding
Well, one of the things we spend a good deal of time on is assessing, gathering data, and doing analysis to help prioritize critical infrastructure. Asking: what are the most essential? What are the ones where we have to really focus and allocate resources? And in order to do that, you have to understand the consequences if you lose that asset, facility, network, or system. Then work your way back from that in terms of figuring out what are the highest priorities which highlights the need for a holistic approach. You can’t look at cybersecurity and prioritize on cybersecurity without assessing the physical consequences that will result from a cyber penetration or cyber attack.

Harry Raduege
Great. Well, Mark, you and Suzanne have been working very, very hard over there. How is DHS helping to set the example for best practices and connecting cyber and physical security? Are there ways that you can share publicly with us here during our broadcast?

Suzanne Spaulding
Harry, we have made a concerted effort to ensure that we are not working in stovepipes here. We have a cyber security organization and an infrastructure protection organization that is traditionally focused on physical security, and we have made concerted efforts to ensure we’re taking an integrated approach, and one of the specifics is: we have set up an integrated analysis task force. That task force draws on expertise from the cyber side of the house and the physical security side of the house to do the kind of modeling and analysis that I’ve been talking about. There you assess the consequences in the physical world, and the cross-sector consequences. So you’re not looking just at one sector, but the dependencies between sectors. So that’s all the sectors that rely on electricity, all the sectors that rely on transportation, and communications.

Harry Raduege
That’s great. You’ve been doing some great work there Suzanne, and Mark, can you add to that, please?

Mark Weatherford
Yeah, we also have, I think, another very successful thing that DHS is doing. We have our people scattered around the country in the different FEMA regions working with the private sector. They’re doing assessments on the ground; incorporating both physical security and cybersecurity components to those assessments. They’re working in sync, as I said. Both the private sector and state and local governments – people literally across the country. It’s probably one of the growing services that we are providing for the nation out of DHS. I’ve been around the country talking quite a bit lately. This is the one issue that’s coming up a lot: people are more and more interested in how we can help them on that from that perspective.

Harry Raduege
Well, you both have given us some great thoughts and ideas on the way that DHS is now taking a look at both the physical and the cyber areas of our critical infrastructure and how to protect that to the best of our ability.

Earlier, Mark had mentioned the protective security advisor position. For our listening audience here today: how important is it to work with private industry, and other government partners, to devise a process that enables a holistic, whole-of-nation, approach to cyber and physical security? Suzanne?

Suzanne Spaulding
Harry, it’s absolutely essential. Our protective security advisors, who are DHS folks who are spread out across the country in all of the FEMA regions, are an absolute essential part of that effort. They are on the ground in local areas (in cities and towns across the country), working directly with their private sector stakeholders. Working, in this case, with owners and operators of critical infrastructure. We talk about critical infrastructure; at least 85% of it is owned by the private sector. This presents a challenge for the government. We have got to work as partners with our private sector stakeholders and with our federal partners who have particular expertise. The Department of Energy is the lead agency for the energy sector, Department of Transportation for the transportation sector, and what DHS does is then to take the efforts that each of these lead agencies do, and help coordinate and integrate them, and bring a cross-sector approach. But, yes, our PSAs are an absolutely vital link between the government and the private sector.

Harry Raduege
That’s great. Mark?

Mark Weatherford
As I mentioned regarding the PSA program, I just can’t emphasize enough how important it is to the state and local governments, and the private sector organizations around the country. Because of the success of that effort, and the growing inter-dependencies between physical and cyber – it’s one of the other things that we’re growing within DHS. This cyber protective service – an advisor program very much like the PSA program is a companion program. As I mentioned, when these guys go out to the field and they’re working with the owners and operators, you can’t separate physical from cyber. There’s a need for both levels of expertise on the ground when we’re working with these folks. So, it really is a growing, important program for us at DHS.

Harry Raduege
We’ve been talking about an awful lot of new activity, and a number of issues, and new ideas and concepts. So, what are some of the challenges that DHS and the private sector are experiencing in collaborating on these issues, and what are some tips for the private sector on engaging the government?

Mark Weatherford
Well, certainly some of the challenges – it’s always been, and will probably always be, a challenge. This sharing of information, especially the sharing of vulnerable information, always creates a little bit of fear. Especially if you’re in a regulated environment, fear that there’s going to be implications and ramifications back on your organization. But that sharing of information is really where we’re seeing a lot of magic and a lot of value within the public/private partnership. On our end, the National Cybersecurity and Communications Integration Center is a 24/7-365 operations center. We have a variety of people that reside there from a variety of different federal agencies. Some are from the information sharing and analysis centers; with representation from the electricity sector, the financial services sector, etc. We also have law enforcement – FBI, Secret Service, and DoD representation. There’s an incredible amount of information sharing that happens that would never happen anywhere else when you put all of these people together in a room. So the challenges of information sharing, we’re breaking down that barrier by getting people together and creating avenues for them to do better information sharing.

Harry Raduege
Great. Suzanne, could you add to that?

Suzanne Spaulding
As I said earlier, it is a challenge. This relationship, between the private sector and the government, in the area of critical infrastructure, is a new, relatively new area of focus for the government. As you know, the punchline so often is: “I’m from the government and I’m here to help you.” What we’ve struggled to do, and I think we’ve made great progress, is to convince the private sector that in fact the government has some value to add in tackling the challenges of physical and cybersecurity. Now in terms of tips for the private sector and interacting with the government, I would encourage the private sector to be an active participant and partner with the government. We use that partnership word a lot, but I don’t think that we really understand that it requires both players be active. The private sector can’t view themselves as simply a passive recipient of information, whether it’s threat information or other kinds of information sharing. I’d tell them: “Come to the table and help us understand. Bring your expertise, we’ll bring ours, and together we can meet this challenge.”

Harry Raduege
You both addressed the federal and private sector areas, but let’s delve now into something that I’m hearing more and more of questions such as: “How can state and local government officials, police agencies, and other key stakeholders, help DHS to implement programs that integrate this physical and cybersecurity domain?”

Suzanne Spaulding
As you know, the state and local folks play a very important role. We saw, for example, with Hurricane Sandy where there was this whole-of-nation approach, in the preparation, in the incident management, in the response, and now in the restoration and long-term recovery. The state and local folks have unique expertise, capabilities, roles and authorities. I’ll give just one example. Prioritizing power restoration – that is a decision that is made appropriately at the local level. And yet, DHS was able to pull data together, do modeling and analysis that we were able to provide to the state and local officials to help inform their decisions about where do they need to focus their efforts on power restoration. Where was there a real lack of gas stations that had power that were open? Where were folks relying on generators and running out of gasoline to fuel those generators? Those kinds of things are sometimes difficult for the local officials to gather together and do the modeling necessary. We were able to provide some value-add there.

Mark Weatherford
And to add to that; it goes back to information sharing most fundamentally. There are a number of programs that have been established that have been very successful: the National Association of State CIOs, the Multistate Information Sharing and Analysis Center, and a variety of other things. Being a former state CISO, I understand what the relationship requirements are working between the executive branch at the state level and the executive branch in the federal level. There are so many inter-dependencies in the cyber arena, and you can’t distinguish between what a perimeter is anymore, there are no more perimeters. We share so much information on a daily basis between state and local governments and the federal government. It is critical that we are touching and talking on a very regular basis. Trust is so important, and trust is about personal relationships. You can’t delegate trust to policies or regulations. It’s built on personal relationships.

Harry Raduege
Well, we’re starting to talk now and getting into the personal relationship and the people aspect. I have heard over the last few years about the human capital crisis that some feel that we are experiencing. What are your thoughts from a DHS perspective on awareness, education, and training in these critical areas of cyber security and physical security?

Mark Weatherford
Well, I’ve been quoted often as saying that I think this is a national issue, growing into an almost crisis stage. The growing need for professionals in the physical and cybersecurity arena is acute. As I go around the country and talk to companies, the one consistent issue is there’s plenty of people, but there’s not plenty – there’s not enough people that have all the talent that we need to do the cyber security and physical security requirements across the board. One of the things that we’ve done to address this: Secretary Napolitano instituted a task force in June that reported out in September on how we could address the growing gap of talent and skills within DHS. We’re moving out rapidly on that with a number of “tiger teams” that are addressing the recommendations of the task force.

Harry Raduege
Suzanne, can you comment about that? Maybe, also speak of one of your mission areas in resiliency as well. It would be great if you could just give us your thoughts on those areas.

Suzanne Spaulding
Sure. On the skills, cyber skills, one of the things that I’ve really been pushing is for more multidisciplined degrees in both polysci and cyber. So I think we have to groom more policy makers, who have some of the technical expertise, to be able to feel confident in setting policy in this really important arena. I’m really glad that you brought up the resilience issue, Harry. It’s one that I, and a number of us over at DHS, have been thinking about a great deal. How do we think about resilience of our critical infrastructure in this changed world? The most recent example, of course, being Hurricane Sandy and extreme weather – but we’ve got aging infrastructure and we need investment.

Jane Norris
I’d like to thank you all for joining us today. General Raduege, I want to give you a chance to thank everyone.

Harry Raduege
It’s my pleasure, Jane. It’s always great being with Suzanne, Mark, and, as always, with you. Thank you.

Jane Norris
An absolutely fascinating show! Thank you all for joining us today. Greatly appreciate your time and thank you all for listening. You’ve been listening to FedCentral on Federal News Radio 1500 AM. Our guests, Suzanne Spaulding, the Deputy Under Secretary for National Protection and Programs Directorate; Mark Weatherford, the Deputy Under Secretary for Cybersecurity for the National Protection and Programs Directorate; and Harry Raduege; he is the Chairman of the Deloitte Center for Cyber Innovation and a Director with Deloitte Services, LP. Thanks very much for tuning in. I’m Jane Norris. This is Federal News Radio 1500 AM.
