The unique role of the Department of Homeland Security (DHS) in leading cybersecurity efforts for the entire civilian Federal enterprise presents a singular challenge, one that requires the government to rethink its understanding of risk, DHS’ Jeanette Manfra said Thursday at MeriTalk’s Akamai Government Forum.
But that challenge has also given the department new authorities, which she says are yielding tangible and positive changes in the technology ecosystem.
Manfra is the assistant secretary for the Office of Cybersecurity and Communications at DHS’ National Protection and Programs Directorate (NPPD). NPPD leads the national effort to protect and enhance the resilience of the nation’s physical and cyber infrastructure, and thus, its role is nearly all-encompassing.
“We at DHS need to be understanding enterprise risk for the Federal civilian enterprise. We can’t just think about each agency on its own,” Manfra said. “We’re very interconnected, and we’re pushing through our modernization and cloud adoption, we’re going to become more interconnected, and that means we’re more interdependent. One decision made by one organization is going to impact another.”
Manfra said that many agencies have fallen into a trap of failing to connect risk to mission. Legislation and policy requirements, like those in the Federal Information Security Modernization Act (FISMA), she said, turned the idea of risk at agencies into a matter of box-checking.
“It was never intended to be that. All of these processes were put in place to help people think about risk management, but it kind of devolved into this compliance approach,” she said.
Manfra said this process has also individualized the idea of risk within agencies. The big change she is now advocating for is stepping away from that thinking and adopting a bigger-picture approach. Instead of thinking about individual risk – including what networks or systems each agency needs to protect – the Federal government needs to focus its attention on “national critical functions,” she said.
“Let’s not think about assets. Let’s not think about systems. Let’s think about the functions and services,” she said. “This sort of rigorous thinking about what is critical to our nation’s functions hasn’t been done in a long time, and importantly hasn’t been done with the thought of our IT or OT [operational technology] dependency on those functions.”
Manfra said this shift in thinking will allow for better threat data sharing. By understanding who owns each piece of a national critical function, it will be easier to alert the relevant stakeholder – whether in the private sector, the intelligence community, or a civilian agency – when an adversary is seeking to disrupt that function.
“We see ourselves as national risk managers,” Manfra said. “Our organization is that one place that has the authorities and the capabilities to be able to take a step back and think about risk, and what are those tools we have to manage that risk.”
While FISMA may have shifted agencies toward a compliance approach, it also had the benefit of granting DHS expanded authority. Through FISMA, Manfra’s department has the authority to issue binding operational directives to agencies. These legal mandates have been used, for example, to require agencies to shorten the time they take to patch critical vulnerabilities.
That’s an area where NPPD has seen much progress, and publishing these directives publicly is reaping benefits beyond Federal agencies, Manfra said.
“We’ve seen that others are starting to follow in our footsteps,” she said. “When the department’s putting out something, even if I don’t have any authority to tell anybody in critical infrastructure, the private sector, who oversees whatever it may be, we are seeing that people are taking it and saying, ‘You know what? DHS thinks it’s a good idea, maybe I should do this.’”
Manfra said those are the kind of wins that allow positive progress in the broader ecosystem around cyber and national security.
“How can we change the ecosystem in tangible, discrete ways?” she said. “We’re not going to rebuild the internet. But there’s a lot of things we can do to take advantage of this amazing thing that we have built and that we have reaped tremendous benefit from. And we can work together to make some really tremendous progress in securing that.”