SAN FRANCISCO -- One of the federal government's top cybersecurity officials has big plans for shoring up the nation's information security posture, including formalizing a "cyberattack 911" service and creating a new set of voluntary security standards for private companies.
Mark Weatherford, deputy under secretary for cybersecurity at the Department of Homeland Security (DHS), used his opening keynote at the Cloud Security Alliance Summit 2013, a precursor to the 2013 RSA Conference, to outline his strategy for using the capabilities and influence of DHS to improve national cybersecurity, particularly for organizations that manage critical infrastructure.
Weatherford said his group's four major responsibilities are: to oversee cybersecurity at federal civilian agencies; provide infosec support and best practices to critical infrastructure firms; coordinate cybersecurity attack response for major incidents in the private sector (like the recent distributed denial-of-service attacks against several financial companies); and engage in cybersecurity diplomacy and policymaking nationally and internationally.
Weatherford said one of the challenges he's faced in the 15 months he's been at DHS is that private sector organizations often don't know whom to contact when they need urgent cybersecurity support from the government. However, he said that's about to change.
In part to support that goal, Weatherford said he reorganized his group within DHS into several teams with specific responsibilities, one of which is offering urgent support and ongoing outreach across the nation, especially to state and local governments, educating them about the cybersecurity resources available to them via DHS.
"We want to be that first call," during a cybersecurity emergency, Weatherford said. "If we can't deal with it, we'll get you to the right people to talk to."
DHS, NIST to work on new cybersecurity standards
Weatherford lauded President Obama's cybersecurity executive order, announced a few weeks ago during the annual state of the union address. He said one of the results of that order will be the creation of an up-to-date national framework for critical infrastructure firms that ties cybersecurity to physical security.
He said DHS is working closely with NIST to establish consensus-based standards, which will be voluntary for the private sector, and aimed at organizations that don't fall under an information security framework from another government agency.
"This is baseline stuff; stuff that most people are already doing, but not everybody," Weatherford said. "It still astounds me as I go around the country and I ask basic [cybersecurity] questions -- 'Do you do this?' and I get blank stares."
Weatherford said the executive order will enhance cybersecurity information sharing between the government and the private sector. That will include more sharing of classified information -- like anti-malware signatures and countermeasures -- with select critical infrastructure companies, and a greater volume of less-sensitive threat intelligence for a broader swath of private-sector companies.
"We get a lot of threat and vulnerability information, both from the private sector and around the globe, and oftentimes this stuff gets classified or put in a bucket, and doesn't get shared back with the private sector as quickly or efficiently as it should," Weatherford said. "When I was in the private sector, one thing I wanted more than anything else was if [the government] had threat info I [needed], I wanted to know that. We're going to fix that."
Part of that effort will include expediting security clearances for select cybersecurity stakeholders in critical infrastructure organizations so threat information that can't be declassified can still be shared when necessary, Weatherford said.
Addressing shortage of information security professionals
Weatherford lamented the shortage of trained, talented information security professionals in the industry, and challenged private-sector companies to support efforts to encourage high school students to pursue careers in cybersecurity.
"How often do you hear someone wants to grow up to be a cybersecurity professional? Not too many kids want to grow up to be a hacker," Weatherford said. "I think that's changing, but it needs a national impetus to do so. Government and education need to work together to make it seem a little bit cooler so people gravitate toward it."
Weatherford encouraged companies to reach out to high schools to foster the creation and support of student cybersecurity programs, and to sponsor local teams competing in competitions like the National Collegiate Cybersecurity Challenge.
"The trivial amount of money it costs to sponsor one of those teams -- five, 10 or 20 thousand dollars -- you make back in spades," Weatherford said. "All you have to do is hire someone every year or two, and you are more than making that money back. It's good for the nation and good for your companies."
FISMA, FedRAMP enable government cloud use
Weatherford briefly touched on the potential of cloud computing, saying the cloud represents "the next great evolution of technology" and is changing the way many companies buy IT products and services. He said cloud computing is an important part of federal agencies' compliance under the Federal Information Security Management Act (FISMA), and is being enabled by the Federal Risk and Authorization Management Program, or FedRAMP, the initiative to standardize the security requirements that cloud computing service providers must meet in order to be eligible to win contracts with government agencies.
Announced in 2011 and launched last year, FedRAMP was developed jointly by the GSA, Department of Defense and Department of Homeland Security, in consultation with several other government entities, including NIST. It is intended to be an on-ramp of sorts, helping government organizations speed up their drive toward cloud computing by reducing the time and cost of cloud provider security assessments. By using a FedRAMP-approved vendor, agencies can forgo the time and effort of conducting their own security reviews.
However, so far only two vendors have received the FedRAMP seal of approval: Autonomic Resources and CGI Federal. Reportedly dozens of other vendors are undergoing the process.
Weatherford noted the importance of the new information security technologies being developed by cloud computing providers. "It's important to the government that you guys are developing the kinds of technology that'll leap us ahead as a nation."
An industry veteran, Weatherford earned his government stripes as CISO for the states of Colorado and California, and then took on the role of vice president and CSO at the North American Electric Reliability Corporation (NERC) before being appointed to his current position in 2011.
SearchCloudSecurity.com contributor Ed Moyle, founding partner of Amherst, N.H.-based consultancy SecurityCurve, said he enjoyed the talk but would have liked to hear more on the intersection between continuous cloud monitoring and cybersecurity in the federal space.
"There's this impetus to go out and find ways to monitor concrete things that tell us something about security; there's a whole [NIST] program built around this," Moyle said, "but what do you need to get from your cloud providers to do that? What's the expectation for the [vendors] in this room?"