Don’t fall behind the adversary, DHS cybersecurity chief tells industry

SAN FRANCISCO -- Greg Garcia, assistant secretary for cybersecurity and telecommunications at the Homeland Security Department, warned leaders of the information security industry that they must stay ahead of those who are trying to disrupt or break into the network infrastructure on which commerce and government operations rely.

Speaking at a town hall meeting at the RSA Conference on Thursday, Garcia, who joined DHS four months ago, spoke about how government and industry can work together to combat cyberthreats that have become more sophisticated and frequent in recent years.

“Here’s how I see the cyber world, how I form the basis of my mission,” Garcia said. “We live in a world that operates on a vast infrastructure of information communications systems. Its integrated network supports and operates virtually everything we do and need to keep our economy growing and our citizens secure,” he said. Those systems support such diverse functions as finance, transportation, health care and manufacturing, he added.

It is not getting any easier to protect these networks, Garcia said. Ten years from now, a single, integrated IP network will likely handle most of the world’s communications needs. This converged broadband network will include long-distance phone communications, video, voice and data and will support an ever-widening array of services across millions of connected devices globally. This will create a breeding ground for security problems

And the more the IT industry becomes globalized, the more opportunity there is for vulnerabilities to be introduced somewhere along the supply chain. Attacks in the form of denial of service, viruses, worms, trojans, phishing and botnets continue to grow. “Estimates of direct financial loss to phishing exceed $100 billion annually," he said. "That’s what we are concerned about at DHS.”

Garcia addressed what needs to be done about such threats. The Office of Cyber Security and Telecommunications has three divisions to address the rise of cyber threats: the National Cyber Security Division, the National Communications Systems and the Office of Emergency Communications.

“The fact that cybersecurity and telecommunications is on our watch an essential element to our strategy, and we have the leadership team in place to execute that strategy,” Garcia said. He outlined three areas in which government and industry can work together:

• Preparation and deterrence. All enterprises, government, commercial, academic and nonprofit, need to systematically assess vulnerabilities and deter attacks before they happen. This has to be a collaborative effort based on sharing information about what organizations found and how they deterred attacks. “We are all too interdependent to do this independently,” he said.
• Response. DHS’ operations strike force, U.S. CERT, conducts situational awareness and incident response. “We are not doing it all ourselves but we are leveraging operational capabilities of other governments’ internationally and private-sector CERTS.” Garcia said  DHS needs to continue to build this type of capability to coordinate response to cyberattacks that have the potential for national significance.
  
• Building awareness. Home users, private companies, nonprofits and governments all must be aware of responsibilities for securing networks. “It’s a cliché we are only as strong as our weakest link," Garcia told RSA attendees. "Building awareness is my job and your job."

Garcia also advised industry leaders to work vigorously with federal agencies to adopt common security practices so government agencies can collectively raise the security bar. He said  DHS will help the private sector “strengthen our national preparedness and to integrate your incident response with our incident response.”

He also encouraged private-sector companies that are not a part of the Information Technology Sector Coordinating Councils and Information Technology Sharing and Analysis Centers to join those groups. The organizations were formed as part of the National Infrastructure Protection Plan to facilitate cooperation between government and the private sector.

“Any company that operates a network that manages proprietary business-sensitive information that connects to public networks should consider participating in the IT Sector Coordinating Councils and IT-SAC,” he said.

Garcia also encouraged industry to “stay ahead of the adversary. Don’t fall behind” in technology innovation. “Security is a network of partnerships,” he said.