It used to be relatively easy for Greg Schaffer to carve out some time in his week to kayak or row and enjoy some time on the water. These days, however, most of his time is spent helping organizations navigate the choppy waters of cybersecurity.
As assistant secretary for cyber-security and communications at the Department of Homeland Security, Schaffer helps organizations safeguard and secure cyberspace at a time when cyberattacks are increasing and the use of new technology such as mobile devices is on the rise.
A lawyer by trade with an abiding interest in technology and a bad case of “early adopter’s disease,” Schaffer got involved early in his career with computer-related cases. Back in the 1990s, when almost half of his time was spent on cyber-related legal issues at the law firm of Manatt, Phelps and Phillips, Schaffer said it was clear that things were going to change.
“We predicted that as the economics started to be driven by this new thing called the Internet, so would go crime, so would go espionage, and so would go so many other things,” he said. “And that’s exactly how it has played out over the years. The more society le¬verages this technology to do good things the more those who would do us harm leverage this to do what they do.”
This article originally appeared in the latest edition of CGI Initiative for Collaborative Government‘s Leadership journal. For more news and insights on innovations at work in government, please sign up for the AOL Gov newsletter. For the quickest updates, follow us on Twitter @AOLgov.
When Schaffer became a computer crime prosecutor in the Computer Crime and Intellectual Property Section at the Department of Justice in 1997, he became immersed in cyber crime full-time. Every day he witnessed the constant and persistent threats and intrusions – some known and some unattributed – aimed at federal and private-sector systems.
At DHS, Schaffer works to counter those threats by helping federal civilian agencies secure their computer systems and helping the private sector safeguard the nation’s critical infrastructure, such as utilities and financial and telecommunications systems.
DHS’ programs include consolidating the number of external connections federal agencies have to the Internet and deploying intrusion-detection capabilities at those points. Also, through the National Cybersecurity and Communications and Integration Center (NCCIC) and U.S. Computer Emergency Readiness Team (US-CERT), it works to identify threats with the public and private sectors and develop effective security responses. The world of cybersecurity can be murky, and threats are coming from many different places, Schaffer said.
“We find ourselves now with a threat picture that looks like society writ large.” There are petty criminals who aren’t very sophisticated but can get access to the tools that allow them to commit various intrusions and crimes, Schaffer said. There are so-called hacktivists who use technology to push a political agenda. There are more sophisticated criminals who are focused on following the money, whether it’s through stolen identities or cash stolen through credit card numbers or bank accounts. Sophisticated nation-state actors could also potentially conduct espionage, attack intellectual property or do harm to the national infrastructure, he added.
Facing multiple domestic and international threats, DHS and the Department of Defense established a memorandum of agreement, cleared for open publication on October 13, 2010, “to collaborate to improve the synchronization and mutual support of their respective efforts in support of U.S. cybersecurity.”
The threats “really run the gamut,” Schaffer said. “You can’t talk about this space as having a threat actor or a set of threat actors. You have the whole range of misbehavior that you see mirrored from the physical world happening in the cyber world.”
And while newer technology helps us do our jobs better, there can be a downside from a cybersecurity perspective. As the use of mobile devices, networks, cloud computing and other technologies rise, not surprisingly, so too do the number of cyberattacks launched against government and private networks.
“I think for IT and security professionals everywhere the pressure to stay ahead is enormous.”
In fiscal 2011, US-CERT responded to more than 100,000 incident reports and released more than 5,000 actionable cybersecurity alerts and information products, said DHS Secretary Janet Napolitano at a conference sponsored by the Washington Post in October 2011. Attacks are increasing in complexity, frequency and consequence, she said, adding that we’ve come close to having a part of the critical infrastructure shut down.
Schaffer is not averse to risk. Before joining DHS, he was senior vice president and chief risk officer at Alltel Communications, where he was responsible for logical security, physical security, internal and external investigations, fraud, law enforcement relations, privacy, and regulatory compliance.
For four years before joining Alltel, Schaffer was a director at PricewaterhouseCoopers in the Cybercrime Prevention and Response Practice, where he developed and implemented computer forensic examinations in connection with major internal investigations at Fortune 500 companies.
Assessing risk is one of the most difficult challenges in cybersecurity, Schaffer said. “It’s fairly easy for organizations to get a handle on their physical security. It’s much harder to do that on a network. People don’t necessarily know the value of their intellectual property or their digital assets. And networks change and evolve so quickly that it is extremely hard to know which part of this behemoth to focus on.”
Staying Ahead of the Mobility Curve
There is no denying that mobile devices are here to stay as part of the threat equation, said Schaffer, who is the proud owner of a BlackBerry, an iPhone and an iPad. But “people are just starting to realize what the impact of mobile really is on their networks.”
Mobile devices allow users to operate in spaces that they never could before – on a bus, in a coffee shop or at a park – but those environments are not typically as secure as the office enterprise network. “You’re connecting to networks over which you have less control. We roam about with these devices, and they have Wi-Fi capability and cellular capability and Bluetooth capability and location identification. There are a range of things these devices can do, and the applications are doing all kinds of things with your data potentially in the background.”
With the growth of mobile applications, most people are starting to see their work and private lives comingle. “I have a 9-year-old and a 12-year-old, and they are pretty convinced that that iPads and iPhones are gaming platforms,” Schaffer said. “People are no longer keeping separate those things that they do for business and those things they do for pleasure, and again that creates certain risks. I am pretty careful not to do that, but I don’t think everyone goes down that same road.”
“You have the whole range of misbehavior that you see mirrored from the physical world happening in the cyber world.”
Once users start putting both business and personal data on a single device, there are a range of security issues to consider. For instance, what if the device is left on the backseat of a taxi? What if there is a lawsuit and the device is part of a personal legal matter? “Now you have suddenly exposed the other side whether it’s the personal side or business side to some kind of legal process simply by having it all comingled on the same device,” Schaffer said.
The technological challenges of those devices, he added, are that “they are evolving so fast and the application space is evolving so fast that it is hard to keep up and secure things in the demand curve that has been created. So I think for IT and security professionals everywhere the pressure to stay ahead of that is enormous.”
So how do organizations keep their data safe as the use of mobile devices increases? The guidance in many cases is awareness, Schaffer said. “It’s making sure that people really understand what they are buying into when they connect certain things to this ecosystem,” he said. “Having people who really understand what these challenges are and how careful they need to be is one of the things we spend a lot of time doing. We do that through training, awareness programs and education programs.”
Getting Cloud Security Right
The same goes for cloud computing, which allows agencies to make their data accessible from anywhere, even via a mobile device. That poses new risks that need to be mitigated, Schaffer said, but if those risks are appropriately addressed, cloud computing can be done in a secure way.
“Indeed, by aggregating and having a single place where you can deploy strong security measures for many entities, you may be able to do security more ef¬ficiently and effectively in a well-managed secure cloud than, say, 100,000 small businesses might be able to do on their own. The same is true for small departments and agencies within government.”
It’s very important that users ask the right questions before moving to the cloud, he said. A poorly secured cloud makes an organization extremely vulnerable be¬ause many assets are aggregated in a single place. They must be sure their cloud provider has the appropriate controls, defines different levels of security to be deployed, and provides important data such as log and audit files if a breach occurs.
DHS supports the governmentwide Federal Risk and Authorization Management Program, which is designed to help agencies to move to the cloud by providing a standardized approach to assessing and authorizing cloud providers.
It is another way DHS helps federal agencies “get their security right,” Schaffer said. “We will also put boots on the ground to assist someone during an intrusion or as preventive work to help them make sure they are ready for any problems that may occur in the future. We are able to do some red-teaming with government entities to give them a sense of how things are working or not within the security regimes that they have put in place.”
Schaffer drives home the message that cybersecurity is a shared responsibility that we are all going to have to deal with. The more people who engage in and deploy solutions for cybersecurity, the better off we will be because this will help lower the cost, Schaffer said.
“This is like a public health issue,” he said. “If we are not all washing our hands, a significant portion of us will get sick and it will cost us more. The goal here is really to get to a baseline level where we are all more secure than we are today. Caring is a self-fulfilling prophecy in certain cases. What we really need is for the baselines to come up.”
Legislation introduced by the White House in 2011 and currently before Congress would help DHS further its cybersecurity agenda. The legislation would give DHS tools it needs to secure the nation’s most critical infrastructures, close potential gaps in DHS’ patchwork of cyber authorities, strengthen criminal penalties, make it easier to share cyber information, and enhance the agency’s work with the private sector, among other things.
In addition, DHS has been given temporary direct-hiring authority from the Office of Personnel Management and seeks permanent, additional hiring authorities in its legislative proposal to continue to build its cybersecurity workforce. It also now leverages some of the National Security Agency’s resources to help develop intrusion-detection technologies that will prepare alerts for the private sector to create patches and workarounds when needed, Napolitano said in October.
Much of what DHS does requires cooperation and collaboration with other agencies and companies. Fortunately, Schaffer said that in the past 15 years, it has gotten easier to do. “It’s not perfect, but it’s better,” he said. “I think there is a recognition of how important this is. I think departments and agencies have worked together on some serious intrusions over the years that have really educated them.”
Also, there is now a National Cyber Incident Response Plan that delineates what the roles and responsibilities are for many of the players and “gives the DHS a responsibility to play that central hub and aggregation and distribution point for incident response.” The 24/7 NCCIC provides a common operational picture for government agencies as well as the private sector. “It puts people in a position to feel a higher level of confidence that they have the data they need in order to execute well when things are happening.”
As agencies and business owners become more engaged in the risk management process, there will be a much greater emphasis on cybersecurity than there has been in the past. “There will be a recognition that these are enormously valuable assets and the only way I can protect them is to make sure we’ve got the right solutions in place,” Schaffer said. “And that will be good for everybody.”