FedCentral’s interview with Suzanne Spaulding, Mark Weatherford and General Harry Raduege Jr. USAF (Ret)

From: FederalNewsRadio.com 1500 AM

The following is a full transcript of FedCentral’s interview with Suzanne Spaulding, Deputy Under Secretary of the National Protection and Programs Directorate; Mark Weatherford, Deputy Under Secretary for Cybersecurity of the National Protection and Programs Directorate; and General Harry Raduege Jr. USAF (Ret), Chairman, The Deloitte Center for Cyber Innovation, Deloitte Services LP, conducted by Jane Norris on December 6, 2012.

Jane Norris

Welcome to FedCentral brought to you by Deloitte, a program where executives and  federal government leaders talk about the issues and initiatives that are making a  real impact on the business of government today, to help government help America.

From cyber attacks to natural disasters, our national security faces serious threats, and danger to our physical and cyber infrastructure requires a coordinated approach to keep them secure. It’s particularly appropriate because December is Critical Infrastructure Protection and Resilience Month.

Joining us to discuss the increasing connectivity of physical and cyber infrastructure and the need for a whole of nation approach are Suzanne Spaulding, the Deputy Under Secretary for National Protection and Programs Directorate. She oversees infrastructure protection, US-VISIT, and the Federal Protective Service with a mission to reduce the risk and enhance the resiliency of critical infrastructure, secure federal facilities, and advance identity management and verification.

Mark Weatherford is the Deputy Under Secretary for Cybersecurity for the National Protection and Programs Directorate at DHS. In that position, Mr. Weatherford leads the department’s efforts to create a safe, secure, and resilient cyberspace. Mr. Weatherford has a wealth of experience in information technology and cyber security at the federal, state, and private sector levels.

And Lieutenant General Harry Raduege, former director of the Defense Information Systems Agency and a four-time federal agency CIO. He’s now the Chairman of the Deloitte Center for Cyber Innovation and a Director with Deloitte Services. Thank you all for being here. It’s great to see you all.

Mark Weatherford

Thank you, Jane.

Harry Raduege

Thank you, Jane. It’s great to be here.

Jane Norris

Suzanne, I’m going to start with you. So tell us, what is the National Protection and Programs Directorate’s mission and how does it correspond with the intersection of cyber and physical security?

Suzanne Spaulding

Jane, the NPPD leads the Department of Homeland Security’s mission to enhance the  protection and resilience of our nation’s critical infrastructure – you know, the  energy, transportation, communications, water, financial services – those things  which really form the backbone of our way of life, and what we have found is that  these sectors have systems that are increasingly networked, and so the systems  that control key aspects of the delivery of those services to the American public  are now vulnerable to cyber attacks, and cyber attacks can produce physical  consequences.

Mark Weatherford

I would just add – one of the things that we added to the NPPD about a year ago  was a focus on cyber security, so within the organization, we have the Cyber  security and Communications Organization, which really is responsible for  coordinating with not only the federal government but state and local governments  and the private sector among the 18 critical infrastructures on how we raise the  bar on cyber security, how we respond to cyber security events, and as Suzanne  said, how we can help build resilience into the system.

Harry Raduege

Well, let me just ask.  It seems now that we’re recognizing that cyber and  physical security are gradually becoming more connected making us increasingly  vulnerable, so what is the history and why are they becoming increasingly  connected?

Mark Weatherford

I think there are a couple of reasons for that.  Certainly the efficiencies that  digital technology has brought to the mix provides a lot of economic incentives  for companies to bring the digital technology into infrastructures and  organizations and businesses that historically have not depended on that digital  infrastructure, and those digital infrastructures that we’re now overlaying on  those critical infrastructures bring along with it a lot of the same  vulnerabilities and are susceptible to the same threats that we see in other areas  of our economy.

Suzanne Spaulding

So, Harry, we’ve talked about the consequences, physical consequences from a cyber  attack, but it’s also the case that you can’t have effective cyber security, in  most cases, without having effective physical security because we have to consider  not only remote attacks but also the insider threat and gaining physical access to  your IT systems, and in addition, physical security systems are among those  systems that are now vulnerable to cyber-attacks because they, too, are networked,  and so your security surveillance cameras, for example, are now potentially  susceptible to remote access, and that threatens your physical security, so these  are in many ways inexorably intertwined.

Harry Raduege

Well, this really makes perfect sense to me, and I don’t think we’ve really  recognized the fact of the closeness of the physical and the cyber security in the  past, and I’m glad that both of you are working so closely in this exciting area  to bring these together.  So Mark, what technology trends are you seeing now that  support this evolving intersection of cyber and the physical threats that we’re  seeing today?

Mark Weatherford

Well, there are a number of ways you could address that, but certainly the growing  use of embedded systems. Embedded systems are really in all facets of our society,  and while they’re not computers, they act much like computers and they can react  like computers.  So the growing ubiquitousness of these embedded systems that  really are in everything from cars and airplanes to substations and water  treatment plants and auto manufacturing – everything has these embedded systems  and as I mentioned earlier, and have potential vulnerabilities that can be used  for disruption.  So the embedded systems are certainly one of the technology trends I think we’re  seeing an evolving intersection.  The growing use of wireless is something that  we’re seeing more and more of.  These systems, many of them are located in remote  locations, so there’s a growing use of wireless technology to manage these things  remotely.  So there’s a variety of different technologies and things that, in  fact, do play a part in that intersection of physical and cyber.

Harry Raduege

Well, on the heels of Hurricane Sandy we’ve all experienced here as a nation and  are still experiencing, I might add, the results of, and also recent reports of  vulnerabilities to the nation’s electric grids. Are there certain sectors or  threats that keep you up at night from a physical and a cyber perspective?

Mark Weatherford

Well, I wouldn’t say there’s not one that maybe is more important than others although, some are certainly more visible than others. The electricity sector, as I mentioned a minute ago, the water sector, communications sector—they’re a bit more tangible, and people can see and touch and feel and smell them. Those are certainly things that I worry a lot about. From a threat perspective, we’ve recently seen attacks on the financial systems in America, and actually relatively low level technology attacking, but the response that it required from both the public and the private sector to address that has been pretty remarkable. So those kinds of things, you think that everything is high-tech and whiz-bang, and in fact, it can be something fairly trivial from a technology perspective that can cause some significant disruption.

Harry Raduege

So it sounds like these critical infrastructures are the ones that are your  biggest concern.

Mark Weatherford

Well, they are.  I mean, that’s what the job at DHS is about, protecting the  homeland, and those services and systems and technologies that society and our  citizens depend on for health and safety and welfare—those are the things that I  focus on, and those things that keep me awake at night, as you say.

Harry Raduege

Great.  Well, Suzanne, how about from your perspective?

Suzanne Spaulding

Well, one of the things we spend a good deal of time on is assessing – gathering  data and doing analysis to help prioritize critical infrastructure.  You know,  what are the most essential?  What are the ones where we have to really focus and  allocate resources? And in order to do that, you have to understand the  consequences if you lose that asset, facility, network, or system, and work your  way back from that in terms of figuring out what are the highest priorities which  highlights the need for a holistic approach.  You can’t look at cyber security and  prioritize on cyber security without assessing the physical consequences that will  result from a cyber penetration or cyber attack.

Harry Raduege

Great.  Well, Mark, you and Suzanne have been working very, very hard over there,  how is DHS helping to set the example for best practices and connecting cyber and  physical security, and are there ways that you can share publicly with us here  during our broadcast?

Suzanne Spaulding

Harry, we have made a concerted effort to ensure that we are not working in  stovepipes here.  We have a cyber security organization and an infrastructure  protection organization that is traditionally focused on physical security, and we  have made concerted efforts to ensure we’re taking an integrated approach, and one  of the specifics is we have set up an integrated analysis task force.  That task  force draws on expertise from the cyber side of the house and the physical  security side of the house to do the kind of modeling and analysis that I’ve been  talking about where you assess the consequences in the physical world and the  cross-sector consequences so that you’re not looking just at one sector but the  dependencies between sectors so all the sectors that rely on electricity, all the  sectors that rely on transportation and communications.

Harry Raduege

That’s great.  You’ve been doing some great work there Suzanne, and Mark, can you  add to that, please?

Mark Weatherford

Yeah, we also have, I think another very successful thing that DHS is doing. We have our people scattered around the country in the different FEMA regions working with the private sector, doing assessments on the ground, and incorporating both physical security and cyber security components to those assessments and working in, as I said, both the private sector and state and local governments, people really literally across the country, and it’s probably one of the growing services that we are providing for the nation out of DHS. I’ve been around the country talking quite a bit lately, and this is the one issue that’s coming up a lot, that people are more and more interested in how we can help them on that from that perspective.

Harry Raduege

Well, you both have given us some great thoughts and ideas on the way that DHS is  now taking a look at both the physical and the cyber areas of our critical  infrastructure and how to protect that to the best of our abilities.

Jane Norris

And we’re going to come back and talk more about that as we return with our topic today, physical and cyber infrastructure protection, with our two experts from the Department of Homeland Security. We thank them for being here. Stay tuned; this is FedCentral brought to you by Deloitte on Federal News Radio 1500 AM. I’m Jane Norris.

Welcome back to FedCentral brought to you by Deloitte. Today we’re talking about the physical and cyber infrastructure protection programs that are going on at DHS, a whole of nation approach, and with us, Suzanne Spaulding, the Deputy Under Secretary for National Protection and Programs Directorate; Mark Weatherford, the Deputy Under Secretary for Cybersecurity for the National Protection and Programs Directorate at DHS, and Lieutenant General Harry Raduege who is the Chairman of the Deloitte Center for Cyber Innovation and a Director with Deloitte Services. Harry?

Harry Raduege

Thanks, Jane. Earlier, Mark had mentioned the protective security advisor position, and for our listening audience here today, how important is it to work with the private industry and other government partners to devise a process that enables a holistic whole of nation, if you will, approach to cyber and physical security? Suzanne?

Suzanne Spaulding

Harry, it’s absolutely essential, and our protective security advisors who are DHS folks who are spread out across the country in all of the FEMA regions are an absolutely essential part of that effort. They are on the ground in local areas, in cities and towns across the country working directly with their private sector stakeholders, in this case, with owners and operators of critical infrastructure. You know, we talk about critical infrastructure, at least 85% of it is owned by the private sector, and so this presents a challenge for the government, and we have got to work as partners with our private sector stakeholders and with our federal partners who have particular expertise. The Department of Energy is the lead agency for the energy sector, Department of Transportation for the transportation sector, and what DHS does is then to take the efforts that each of these lead agencies do and help coordinate and integrate them and bring a cross-sector approach, but our PSAs are an absolutely vital link between the government and the private sector.

Harry Raduege

Great.  Mark?

Mark Weatherford

Well, and as I mentioned, in the PSA program, I just can’t emphasize how important it is to the state and local governments and the private sector organizations around the country and because of the success of that and the growing inter-dependencies between physical and cyber, it’s one of the other things that we’re growing within DHS is a cyber protective service – advisor program very much like the PSA program. So it’s a companion program because, as I mentioned, when these guys go out to the field and they’re working with the owners and operators, you can’t separate physical from cyber. There’s a need for both levels of expertise on the ground when we’re working with these folks, so really is a growing, important program for us at DHS.

Harry Raduege

Well, we’ve been talking about an awful lot of new activity and a number of issues  and new ideas and concepts, so what are some of the challenges that DHS and the  private sector are experiencing in collaborating on these issues, and what are  some tips for the private sector on engaging the government?

Mark Weatherford

Well, certainly some of the challenges – it’s always been and will probably always be a challenge is sharing of information, and the sharing of vulnerable information always creates a little bit of fear, especially if you’re in a regulated environment that there’s going to be implications and ramifications back on your organization, but that sharing of information is really where we’re seeing a lot of magic and a lot of value within the public/private partnership. Within our NCCIC, the National Cybersecurity and Communications Integration Center, it’s a 24/7 365 operation center, and we have a variety of people that reside there but from a variety of different federal agencies, some of the information sharing and analysis centers representation from the electricity sector, the financial services sector, and then we also have law enforcement – FBI, Secret Service, and DoD representation, and there’s an incredible amount of information sharing that happens that would never happen anywhere else when you put all of these people together in a room. So the challenges of information sharing, we’re breaking down that barrier by getting people and creating avenues for them to do better information sharing.

Harry Raduege

Great.  Suzanne, could you add to that?

Suzanne Spaulding

Well, it is, as I said earlier, it is a challenge, this relationship between the private sector and the government in the area of critical infrastructure. It is a new, relatively new area of focus for the government and as you know, the punchline so often is I’m from the government and I’m here to help you. What we’ve struggled to do and I think we’ve made great progress to convince the private sector that in fact the government has some value to add in tackling the challenges of physical and cyber security, but in terms of tips for the private sector and interacting with the government, one, I would encourage the private sector to be an active participant and partner with the government. We use that partnership word a lot, but I don’t think that we really understand that it requires both players be active, and the private sector can’t view themselves as simply a passive recipient of information, whether it’s threat information or other kinds of information sharing, but come to the table and help us understand. Bring your expertise, we’ll bring ours, and together we can meet this challenge.

Harry Raduege

Well, you both addressed the federal and private sector areas, but let’s delve now  into something that I’m hearing more and more of.  How can the state and local  government and officials and police agencies and other key stakeholders help DHS  to implement programs to integrate this physical and cyber security domain?

Suzanne Spaulding

You know, the state and local folks play a very important role, and we saw, for example, with Hurricane Sandy where there was this whole of nation approach both in the preparation and in the incident management and in the response, and now the restoration and long-term recovery. The state and local folks have a unique expertise, capability, role, and authorities. I’ll give just one example. Prioritizing power restoration – that is a decision that is made appropriately at the local level and yet, DHS was able to pull data together, do modeling and analysis that we were able to provide to the state and local officials to help inform their decisions about where do they need to focus their efforts on power restoration? Where was there a real lack of gas stations that had power that were open, you know, where folks were relying on generators and running out of gasoline to fuel those generators? Those kinds of things that are, you know, sometimes difficult for the local people, local officials to gather that data and do that modeling. We were able to provide some value added there.

Mark Weatherford

And to add to that, it goes back to information sharing most fundamentally, but  there’s a number of programs that have been established that have been very, very  successful; the National Association of State CIOs, the Multistate Information  Sharing and Analysis Center, and a variety of other things, and being a former  state CISO, I understand what the relationship requirements are working between  the executive branch at the state level and the executive branch in the federal  level and you know, there are so many inter-dependencies in the cyber arena, and  you can’t distinguish between what a perimeter is anymore, there are no more  perimeters.  We share so much information on a daily basis between state and local  governments and the federal government, and the relationships – it’s just critical  that we are touching and talking on a very regular basis and you know, trust is so  important, but trust is about personal relationships.  You can’t delegate trust to  policies or regulations.  It’s built on personal relationships.

Harry Raduege

Well, we’re starting to talk now and getting into the personal relationship and  the people aspect.  I have heard over the last few years the human capital crisis  that some feel that we are experiencing.  What are your thoughts from a DHS  perspective on awareness, education, and training in these critical areas of cyber  security and physical security?

Mark Weatherford

Well, I’ve been quoted often as saying that I think this is a national issue and  growing into an almost crisis stage that the growing need for professionals in the  physical and cyber security arena is acute.  As I go around the country and talk  to companies, the one consistent issue is there’s plenty of people, but there’s  not plenty – there’s not enough people that have all the talent that we need to do  the cyber security and physical security requirements across the board.  One of  the things that we’ve done to address this, Secretary Napolitano instituted a task  force in June that reported out in September for how we could address the growing  gap of talent and skills within DHS, so we’re moving out rapidly on that with a  number of tiger teams that are addressing the recommendations of the task force.

Harry Raduege

Great. Suzanne, can you comment about that, and maybe also pick up one of your mission areas in resiliency, also, if you could just give us your thoughts on those areas.

Suzanne Spaulding

Sure. On the skills, cyber skills, one of the things that I’ve really been pushing is for more multidisciplined degrees in both poli sci and cyber. So I think we, you know, got to groom more policy makers who have some of the technical expertise to be able to feel confident in setting policy in this really important arena, and I’m really glad that you brought up the resilience issue, Harry. It’s one that I have been thinking and a number of us over at DHS have been thinking about a great deal. How do we think about resilience of our critical infrastructure in this changed world, and the most recent example, of course, being Hurricane Sandy and extreme weather, but we’ve got aging infrastructure and we need investment.

Jane Norris

Well, I’d like to thank you all for joining us today.  General Raduege, I didn’t  give you a chance to thank everyone, but…

Harry Raduege

My pleasure, Jane.  It’s always great being with Suzanne, Mark, and always with  you.  Thank you.

Jane Norris

An absolutely fascinating show.  Thank you all for joining us today.  Greatly  appreciate your time and thank you all for listening.  You’ve been listening to  FedCentral on Federal News Radio 1500 AM.  Our guests, Suzanne Spaulding, the  Deputy Under Secretary for National Protection and Programs Directorate; Mark  Weatherford, the Deputy Under Secretary for Cybersecurity for the National  Protection and Programs Directorate; and Harry Raduege; he is the Chairman of the  Deloitte Center for Cyber Innovation and a Director with Deloitte Services, LP.   Thanks very much for tuning in.  I’m Jane Norris.  This is Federal News Radio 1500  AM.
