Rob Zitz has worked on national security for 35 years, 32 of them in the intelligence community, and now is a senior vice president at Leidos, the company that split last year with SAIC. It’s a top contractor for the Defense Department with nearly $6 billion in annual revenue.
Zitz spoke with Five By Five in an interview Friday about cybersecurity and the Department of Homeland Security. (Leidos has a number of prime contracts with DHS, some of which are related to cybersecurity, and Zitz is a former DHS official himself.) Here are some highlights:
Do the cybersecurity information sharing bills in the House and Senate go far enough?
I think the recent legislation in both the House and Senate are positive steps forward. I think they both recognize we need to modernize our national cybersecurity programs. I think it’s important that they both emphasize public and private partnerships and public and private information sharing. I’m optimistic from reading in the reporting that’s coming out this week about recent meetings between the leadership of DHS and FBI and NSA that indicate there’s even greater understanding for the need for partnerships on the government side. I think the bills indicate that on the legislative side, everybody understands that the stake are high, that progress is going to take a “whole of nation” approach. It used to be trite to say “whole of government.” This isn’t just government. It’s the government and private sector working together. HPSCI [House Permanent Select Committee on Intelligence] and SSCI [Senate Select Committee on Intelligence] leadership both expressed optimism about the capability to bring together their two bills on information sharing, although the Senate legislation has yet to be formally introduced. I think that what they’re talking about doing is a major step forward.
If you pivot off that question, and ask it differently, what’s been changing inside DHS regarding information sharing, there has been quite a bit of work of late over the last few years, really remarkable progress in that arena.
Looking at what’s happening inside DHS the last couple years, there’s a lot of progress in terms of how they are addressing the threat. I can give you examples. When I think about DHS and their role, I tend to think of it not just from a technical side. I look at it from the standpoint of prevention, protection, mitigation, response and recovery. DHS has got a central role in terms of coordination. When I think about what DHS is doing, they have the NCCIC [National Cybersecurity and Communication Integration Center]. The NCCIC has U.S. CERT [Computer Emergency Readiness Team], which is working the operations side. I think about things like Einstein, systems that are monitoring and looking for intrusion and doing protection, doing that work. It’s not in a vacuum. There are hundreds of stakeholders working with the department, including international. A little known one is ICS, the industrial control systems CERT. The ICS CERT is working with all 16 sectors of critical infrastructure in the U.S., out there training, helping with response to cyber attacks, onsite evaluations. It’s heavily involved in working closely with the sector specific agencies that make up those 16 critical sectors for critical infrastructure protection. An interesting example lately is when you think about a medical device, including those implanted in a patient, that has wireless capability. It’s a threat, a vulnerability, somebody could hack into that and disrupt that. The DHS ICS CERT worked with the national health information ISAC [Information Sharing and Analysis Center], NHISAC. They worked with them to bolster medical devices protection.
Culturally, I think that DHS is propagating the idea from a cultural standpoint that you’ve got to educate and train to understand the problem. As an organization, they’re very good at helping the government and private sector to see that organizationally cyber cannot be something that is jut the IT department’s responsibility.
DHS has understood for years now and helped other people understand this is about defense in depth, or layered defense. It’s about building blocks that start with basic hygiene, firewalls in place, patches in place. Solid defense don’t stop there. They understood to go beyond that they have to move to continuous diagnostics and mitigation. They have been really helping to lead the way in that regard.
If you look beyond that, where is DHS going now, they’re very much interested in the idea of being able to go beyond signatures. What’s understood now is people are starting to much more understand this: Cybersecurity signatures are very much like driving a car while you’re looking in the rear view mirror. It’s based on past events, past intrusion and past viruses. It’s absolutely critical to understand, characterize and build effective defenses against those, but that only defends against that exact signature and attack.
Yet there is skepticism from some on the Hill and in the business community about how big a role DHS should play, and we’ve seen legislation that would’ve expanded the role of DHS watered down in the past. Why is that, and what can be done about it?
DHS’s cybersecurity mission and capability has not been around that long. It’s really been about 10 years now. During that period of time there was a maturation process that took place. Overall there was a question about the threat, how significant was the threat and then once that threat was understood, how many resources were needed within DHS to start to address the problem. As the resources started to mature and grow, the individuals and level of expertise to work the problem matured and matured significantly inside DHS. The processes and relationships, the trust that takes time to build — those have matured over that time span, the last couple years. Like anything, it takes a little time to build from the crawl/walk/run stage. I can tell you that we see a much more advanced and much more mature thinking, much more advanced processes, a much more advanced set of technical capabilities that are about to be procured at DHS.
What are the biggest threats to U.S. cyber-infrastructure?
What keeps me up awake at night are catastrophic attacks on energy, transportation, finance. if we look at the SCADA — the control systems of those industries — if a nefarious actor were to penetrate those they could cause damage that goes far beyond temporary damage or temporary denial of service. The effects could be catastrophic. I think about not being able to be cool in the hottest time in the summer or to be able to heated in the coldest of the winter. This is not about an inconvenience, this is about loss of life.
What can be done to address the shortage of cybersecurity professionals, either in Congress, in the executive branch or in industry?
There was a bill last year to address the need to be able to hire and provide compensation of cybersecurity professionals at the department that I think is a step forward. I know that DHS has been aggressively recruiting and hiring. Clearly people with the appropriate skills are in high demand. There will probably be some discussion about the standards that are required — for example, often times in the government in order to fill a certain position level there is a requirement to have had a college degree. On cyber now, more and more in industry and government, that is being reviewed, and it’s really more about not so much, “Do you have the college degree?” but, “Do you have the current knowledge of the systems and the software and the current experience that’s applicable?” That will also help some with hiring.
What are some trends you’re seeing in the cybersecurity sector of business?
I think that you’re going to see, with where the industry is going, the trends are enabling protection in an encrypted environment. More and more stakeholders are using encryption for data at rest and data in motion — the development of an environment where legitimate and malicious traffic are being co-mingled. With advanced persistent threats, one of the things everyone is concerned about, we may have to operate in an environment where there are malicious actors in the network in the data, and a way to be able to operate in that environment is to have your most sensitive and most important data be encrypted. So you have have both encrypted and unencrypted in the open co-mingle.
Another example is real-time machine-to-machine interactions. We see examples of that machine-to-machine now. The trend of the future is that will be the norm. People will refer to that as autonomous.
There will be more focus on protecting the data itself in addition to protecting the networks, tagging sensitive data at the stakeholder level, monitoring and alerting outside its protected location. I’m working on a project where information that makes up that project is tagged, and if that project showed up somewhere it should not be, unexpectedly, you know it immediately, you protect on that, you alert on that and you prohibit any further manipulation of that data.
Another example: policy levels for being able to integrate open, unclassified information with classified information to have multilevel domain software and systems so you can bring together myriad sources of information that are classified and unclassified to be able to have that real time common operating system. There are experiments that are going on now, including at Leidos, on the use of automated behavioral analysis. It’s still in the lab. The approach is born from the clinical psychology world. Psychologists have known that in order to break a disruptive behavior of an individual, it’s based on antecedents. If you find the antecedent and stop it from occurring, you stop the behavior and prevent the consequence. Understanding the antecedents to know that this is a malicious attack lets us know in real time whether the level of expertise and deception embodied in that data packet is such that we should alert analysts and be able to take immediate action in response to that packet.
(This interview transcript was edited for length.)