The Center for Education and Research in Information Assurance and Security (CERIAS)

Featured Commentary: The Honorable Mark Weatherford, DHS Deputy Under Secretary for Cybersecurity

Thursday April 4, 2013
Summary by Marquita A. Moreland

During the introduction, Professor Spafford discussed Mark Weatherford's experience prior to becoming Deputy Under Secretary for Cybersecurity at DHS. He mentioned that Mr. Weatherford was CIO of the states of Colorado and California and director of security for the electric power industry. He noted that Mr. Weatherford has won a number of awards and spent a lot of time in cybersecurity in the Navy.

He also mentioned that under sequestration rules Mr. Weatherford was not allowed to travel. Mr. Weatherford wanted to be present, but because he could not attend, he decided to create a video.

Mark Weatherford began his commentary with the "For Want of a Nail" rhyme because he believes it is a good way to approach the business of security. Mr. Weatherford expressed his appreciation for Professor Spafford, thanking him for how much he has helped advance the topic of cybersecurity and the development of some of the national security leaders.

Mr. Weatherford proceeded to state that "we're in business where ninety nine percent secure, means you’re still one hundred percent vulnerable." An example he used was from 2008, when a large mortgage company that is no longer in business was concerned with the loss of its clients’ information. The company decided to disable the USB ports on thousands of machines to prevent employees from copying data. They missed one machine, which an analyst used to load and sell customers’ data over a two-year period.

Mr. Weatherford briefly explained four topics: the cybersecurity threat, DHS’s role in cybersecurity, the President’s Executive Order on cybersecurity, and the lack of cyber talent across the nation.

Cybersecurity Threat:

  • The danger of a cyber attack is the number one threat facing the United States, bigger than the threat of Al Qaeda.
  • There is a lack of security practices, and water, electricity and gas are dangerously vulnerable to cyber attacks.
  • The banking and finance industry has been under a series of DDoS attacks since last summer. Almost every week there is a new set of banks under siege, such as the Shamoon attack on Saudi Aramco and the attack on Qatari RasGas.
  • In February of this year the emergency broadcast system in four states was attacked, with a message that said the nation was being attacked by zombies. The fact that someone can get into these systems raises safety and security concerns.

DHS’s Role in Cybersecurity:

  • The Office of Cybersecurity and Communications (CS&C) has the largest cybersecurity role in DHS.
    • They help secure the federal civilian agency networks in the executive branch, primarily the .gov domain.
    • They also provide help to the private sector in the .com domain, with a focus on critical infrastructure.
    • They lead and coordinate the response to cyber events.
    • They work on national and international cybersecurity policies.
  • There are five divisions: Network Security Deployment, Federal Network Resilience, Stakeholder Engagement and Cyber Infrastructure Resilience, the Office of Emergency Communications, and the National Cybersecurity and Communications Integration Center.
  • Last year US-CERT resolved over 200,000 incidents involving different sectors, and ICS-CERT responded onsite to 177 incidents.

President’s Cybersecurity Executive Order (EO):

  • The EO was announced during the State of the Union speech.
  • There were two paragraphs regarding cybersecurity in the President’s State of the Union speech. Mr. Weatherford mentioned that when he was CIO, he worked every year to try to get at least a single sentence into the Governor’s State of the State speech but was unsuccessful.
  • The EO is significant because it will help achieve:
    • Establishment of an up to date cybersecurity framework.
    • Enhancement of information sharing amongst stakeholders by:
      • Expanding the voluntary DHS Enhanced Cybersecurity Services program (ECS).
      • Expediting classified and unclassified threat information reporting to the private sector.
      • Expediting the issuance of security clearances to critical infrastructure members in the private sector.

Cyber Challenges:

  • Mr. Weatherford stated that "the common denominator to all the work we do is the requirement for well trained and experienced cyber professionals."
  • DHS sponsors Scholarship for Service (SFS) with the National Science Foundation.
  • DHS co-sponsored the National Centers of Academic Excellence (CAE). Purdue was one of the first seven universities in the nation designated as a CAE in 1999.
  • The lack of qualified people is one of the biggest problems, and Mr. Weatherford’s suggestions are:
    • Make people want to choose cybersecurity.
    • Government, academia and industry need to work together to change the public perception and to figure out how to make cybersecurity "cool".

Mr. Weatherford closed this commentary by stating "DHS wants to be your partner in cybersecurity whether you’re in the government, academia or the private sector. No one can go it alone in this business and be successful, so think of us as partners and colleagues, we really can help."

