Q&A: Why Phyllis Schneck needs the country to trust her
Between running a controversial-yet-crucial network security system for the federal government and working to set up a new nationwide program to improve private sector cybersecurity, Phyllis Schneck has her hands full.
However, the Department of Homeland Security’s deputy undersecretary for cybersecurity and communications is eagerly pushing the department to do more to make the country’s Internet-connected systems secure. Schneck, who holds a doctorate in computer science, has seven information security patents and previously served as chief technology officer of McAfee’s (now Intel Security) global public sector, is the senior-most official at DHS whose responsibilities are focused solely on cybersecurity. Managing DHS’ several multi-agency cybersecurity programs as the Obama administration and Congress have recently granted the department more authority to lead governmentwide on the issue has put her in the bullseye for the department’s critics.
Schneck sat down with FedScoop at the RSA Conference to talk about DHS’ efforts with information-sharing, how the government can better establish trust with private companies and what needs to be done to retain top security talent.
Editor’s note: The transcript has been edited for clarity and length.
FedScoop: A big part of the cybersecurity information sharing law [Congress passed at the end of last year] was the liability protection granted to private companies in order to spur threat data sharing. Yet some companies have still expressed hesitance to open up their info to the federal government. What is DHS telling companies to allay those fears?
Phyllis Schneck: We believe in action, not words.
The cyber adversary is fast. They have no lawyers, they have nothing to protect, they have great relationships with one another, and they’ve got plenty of money. We are up against very formidable adversaries that want to threaten our way of life, running the spectrum from monetary gains all the way to destruction. It’s our job to cause them pain and ruin their business model.
The model that we have, I believe that trust is awarded. The way you earn trust is to demonstrate your capability to be trusted. This is no different from anything else in life. It just moves faster and it’s harder to see.
Our killer app is the automated indicator sharing. [Congress] just gave [the National Cybersecurity and Communications Integration Center] the capability and function to collect cyber threat indicators. It’s raw materials that only machines understand. We have worked for months and months with our interagency partners to make sure that data is scrubbed of private information but gets pushed out at machine speed once it’s distributed.
Look, we are in a world where there is a lack of trust. There has never been a more important time to share information. There has never been a harder time to collect information. We have to get it right.
FS: Is there anything else beyond trust?
PS: I also think the government needs to demonstrate value. We have many programs that do link together. Our Einstein program is designed to show us who is coming in and out of our federal agencies and use that data to protect everyone else. It’s like a vaccine system. The measles is still alive and well, you still need to be vaccinated.
Einstein is foundational and critical, and private technology can’t replace it because of the breath of what the government covers at once. By building on top of it, what we’ve been doing is leveraging industry. I’m from the private sector, I say, ‘It’s time to buy, not build.’ It’s taking the best of industry today, putting it in the federal agencies and report back to the agency and department itself on what you are seeing. Then it all pipes back into our mother dashboard and we can start looking at the activity across our agencies so we can protect the federal government better. Then we take all of that and push it out to industry.
FS: I’m sure DHS tells companies they will be there to respond to a breach, but it’s on them to shore up their own cybersecurity stance. How do you flesh that out that beyond ‘Go read the NIST framework?”
PS: We have a lot of awareness campaigns. It’s well known across the federal government each agency is responsible for its own cybersecurity. We set a higher baseline and we help them, but they each have their own responsibilities. But on the private sector side, the NIST framework is a great tool because it takes this issue to the boardroom, and it simplifies it and says, ‘These are the steps you have to follow to get better cybersecurity to a risk and consequence equation.’ Our [Community Emergency Readiness Team], which operates out of the NCCIC, they are out 24/7 responding to events. They are doing it alongside our interagency partners and learning from those events. It’s also a little bit of hand holding as you clean up your network.
FS: How much does the Federal IT Acquisition Reform Act or the proposed IT modernization plan factor into how agencies can improve their cyber posture?
PS: Our job is protect and do the response and mitigation of cyber threats. My feeling is whatever it takes on the business side to make that happen, that’s what needs to happen. The mechanics of how one does paperwork to acquire tools should not be dictating how we respond.
It’s like the health care system. Most people agree that the financial semantics should not dictate what drug a person gets. A drug a person gets should be what is going to help them get better. It shouldn’t be what it costs or how it’s acquired. The science should dictate the response, not the paperwork. I came from private sector and I am bull-headed about that.
FS: Here’s an idea: What if the reinvestment from the proposed modernization plan went solely to cybersecurity? Could that help shore up government enterprises?
PS: I think we are lucky to be a part of an administration that understands the threat enough that they are ready to put money where the problem is. For me, the holistic plan is a good one because it does address key areas that might not be addressed in the way that if you told an agency, ‘Here’s money for cyber,’ they might choose to invest in different things. That’s where we are now. What we want to do is make sure that some of the things that are harder to address get that extra money.
I am very supportive of the [administration’s IT modernization] rollout; it helps with information sharing and updating legacy systems, which is hard. That’s a not a result of people being lazy; that’s a result of the many cases of software where if you update systems, the mission-critical software might not run. It really does take money, extra people and probably new software to do this. I think [the Office of Management and Budget] is targeting all that to get this done.
FS: Tell me how DHS is recruiting cybersecurity talent. Information security professionals in the private sector often can make much more money than they would in government. How do you combat that?
PS: That deck is stacked against us a bit. The future career path is both public and private. Our mission is amazing. None of the people that work with us want to go do something else. If they leave, sometimes it’s money, sometimes it’s family. Rarely do I meet someone that doesn’t like what they are doing. So we asking for people to explore a hybrid: Do a private sector career and do some time in government. Let’s work with companies to structure something where it’s almost expected to do a co-op.
FS: So like a U.S. Digital Service model, but for cyber.
PS: I would think the structure needs to be smoother. They worked hard at building the Digital Services model up very quickly. What people don’t know is that the Department of Homeland Security and our operation is responsible for all of the cyber threat mitigation across the federal civilian government and the private sector. We have this unique privilege to work with the private sector. Not just to protect them, but it’s consuming their tools and pooling them together to build more, and showing our future workforce you can be a part of both sectors.
This is the government of tomorrow; this is not the government of 10 years ago. We are hiring the hottest talent. We are working hard to speed up our hiring processes. I don’t take that lightly. Our hiring process was slow. We are really working hard to recruit top talent.
FS: The Defense Department announced a bug bounty program this week. Do you see anything like that ever coming to fruition on the civilian side?
PS: That sounds like so much fun! I actually think that program partly comes from the fact that our secretary of defense has a technical background. One of the things that DHS is doing is a hacker-in-residence. They are in the same spirit. Bringing in that talent set to the cyber operations of DHS is something we are working on. The deputy secretary [Alejandro Mayorkas] announced that at DEF CON last year. He was a prime example of what we want to do when we build trust. He not only has taken the time to learn cybersecurity but to also take time to speak to an audience that might never get to know them, about how important it is to build trust with our department. I support those efforts and you’ll see more from the department going forward.
Correction, 3/18/16: A previous version of this story referred to Alejandro Mayorkas as Deputy Director, not Deputy Secretary, of DHS.