Testimony by Phyllis Schneck, Deputy Under Secretary for Cybersecurity, National Protection and Programs Directorate

From: Federal Information & News Dispatch, Inc.

Senate Homeland Security and Governmental Affairs Committee Hearing
Testimony by Phyllis Schneck
Deputy Under Secretary for Cybersecurity
National Protection and Programs Directorate
U.S. Department of Homeland Security

Chairman Carper, Ranking Member Coburn, and distinguished Members of the Committee, it is a pleasure to appear before you today to discuss the Department of Homeland Security’s (DHS) work to improve the cybersecurity of critical infrastructure. We view cybersecurity as key to the larger goal of infrastructure security and resilience. Therefore, DHS takes a holistic, cross-sector view of cybersecurity as a risk management decision that needs to be part of the executive discussion in organizations of all sizes across government and industry. America’s national security and economic prosperity are increasingly dependent upon critical infrastructure that is at risk from a variety of hazards, including attacks via the Internet. In this spirit, today I will speak to our cybersecurity mission, implementation of Executive Order (EO) 13636 and delivery of our Critical Infrastructure Cyber Community (C3, pronounced “C-Cubed”) Voluntary Program, which promote cybersecurity for critical infrastructure to enhance their shared security and resilience.

DHS Vision for Cybersecurity

DHS continues to strengthen trust and public confidence in the Department through the foundations of partnership, transparency, and protections for privacy and civil liberties, which are built into all that we do. Our Department is the lead civilian agency responsible for coordinating the national protection, prevention, mitigation, and recovery from cyber incidents across civilian government, state, local, tribal, territorial (SLTT) and private sector entities of all sizes. DHS leverages our interagency and industry partnerships as well as the breadth of our cyber capabilities extending from NPPD, Immigration and Customs Enforcement’s Homeland Security Investigations, U.S. Coast Guard and U.S. Secret Service, to make our National Cybersecurity and Communications Integration Center (NCCIC) the source of a “weather map” for global cyber indicators and activity.

We are working to further enable the NCCIC to receive information at “machine speed.” This new capability will begin to enable networks to be more self-healing, as they use mathematics and analytics to mimic restorative processes that occur biologically. Ultimately, this will enable us and our partners to better recognize and block threats before they reach their targets, thus deflating the goals for success of cyber adversaries and taking botnet response from hours to seconds in certain cases. We are working with the DHS Science & Technology Directorate in many areas to develop and support these capabilities for NCCIC. The science of decision-making is about seeing enough behavior to differentiate the good from the bad, and that comes from the collective information of industry and government. That is voluntarily provided to us because of underlying trust.

We can increase the availability of information flow through stakeholder engagement, constant trust-building to optimize the information shared voluntarily, and better use of current authorities. At the core of this effort, we also must continue to ensure that privacy and civil liberties protections are baked into everything we do, and we do this primarily by focusing on the sharing of cyber threat information that is non-attributable and anonymized to the greatest extent feasible.

To develop a National Oceanic and Atmospheric Administration-like capability in dynamic data aggregation to a “weather map” will require a significant leap forward from our current efforts sharing information at human speeds with mostly manual processes. DHS seeks machine-speed information sharing with a broad set of partners, which will require an internal data management system that provides real-time situational awareness from which people and tools can extract information. Some of this effort is currently being built in our Structured Threat Information Expression (STIX) and Trusted Automated eXchange of Indicator Information (TAXII) programs, which we have begun offering as a free method for machine-to-machine sharing of cyber threat indicators to others in the government and private sector.

The programs that DHS has created provide a sound foundation for the above vision. DHS’s extensive visibility into attacks on government networks must be fully leveraged to protect all government networks as well as our critical infrastructure and local entities, in a way that is consistent with our laws while preserving the privacy and individual rights of those we protect. We continue to believe legislation providing a single clear expression of DHS cybersecurity authority would greatly enhance and speed up the Department’s ability to engage with affected entities during a major cyber incident and dramatically improve the cybersecurity posture of federal agencies and critical infrastructure.

Implementing Presidential Directives

In February 2013, the President signed EO 13636 on Improving Critical Infrastructure Cybersecurity and Presidential Policy Directive (PPD)-21 on Critical Infrastructure Security and Resilience. These presidential policy documents direct Federal agencies to use their existing authorities and increase partnership with the private sector to provide better protection for the computer systems and networks that are critical to our national and economic security. Critical infrastructure security and resilience requires partnership between public, private, and non-profit sectors, and a clear understanding of the risks we face. To that end, EO 13636 and PPD-21 emphasize an integrated approach to promoting critical infrastructure cybersecurity. DHS’s role is to bring together all stakeholders–government officials and business leaders, security professionals and infrastructure owners and operators–to facilitate information-sharing and support adoption of standards and best practices to reduce and manage cyber risk.

Strengthening the security and resilience of critical infrastructure against growing and evolving cyber risks requires a layered approach. DHS actively collaborates with public and private sector partners every day to improve the security and resilience of critical infrastructure while responding to and mitigating the impacts of attempted disruptions to the nation’s critical cyber and communications networks and to reduce adverse impacts on critical network systems. Thus, to implement the EO and PPD 21, the Federal Government has actively sought the collaboration, input and engagement of all our partners.

Cybersecurity Framework & Voluntary Program

EO 13636 directed the National Institute of Standards and Technology (NIST) to develop a Cybersecurity Framework, based on standards and industry best practices for improving cybersecurity and promoting cyber risk management. The EO also directed DHS to establish a voluntary program for critical infrastructure cybersecurity, to serve as a Federal coordination point for cybersecurity resources and support increased cyber resilience by promoting use of the Framework. The C3 Voluntary Program is an innovative public-private partnership that is critical to DHS. DHS leads this program as part of its mission of continuing outreach and collaboration with the civilian federal government, state, local, tribal and territorial governments and private sector. C3 helps to align critical infrastructure owners and operators with existing resources that will assist their efforts to manage their cyber risks, including through use of the Framework. The C3 Voluntary Program also facilitates forums for knowledge sharing and collaboration. It provides access to free and readily available technical assistance, tools, and resources to strengthen capabilities to manage cyber risks, and opportunities to exchange opinions with peers and other partners in the critical infrastructure community.
