ActiveCyber Interviews Jeanette Manfra – Assistant Secretary for the Office of Cybersecurity and Communications at DHS on Cybersecurity Strategies and Plans

The DHS Office of Cybersecurity and Communications is at the nexus of private-public information sharing as well as the executive agent for the national strategy for Critical Infrastructure Protection (CIP) and federal civilian agency strategy when it comes to the United States’ cybersecurity. So as the leader for this office, Ms. Jeanette Manfra has a lot on her plate and a lot to discuss in this interview with ActiveCyber. Learn more about the priorities that she is working from, the cybersecurity initiatives that her Office is leading, and the technology she is investing in this interview with ActiveCyber.

I was attending the Integrated Cyber conference in October where I was able to hear a keynote from Ms. Manfra. Besides finding her speech containing the political polish and insight you normally encounter from a person in such a high level position, I was also quite impressed by her technical chops. So I stepped outside of my comfort zone and approached her for an interview with ActiveCyber which, as you now know, she quickly accepted. And she did not shy away from any of the questions I posed which also impressed me. So dig in to the interview below to learn how DHS is proactively leading on active cyber defenses in support of its national mission to protect federal and CIP resources.

Spotlight on the Honorable Jeanette Manfra

» Title: National Protection and Programs Directorate (NPPD) Assistant Secretary for the Office of Cybersecurity and Communications, Department of Homeland Security (DHS)
» Website: https://www.dhs.gov/office-cybersecurity-and-communications
» Linkedin: linkedin.com/in/jeanette-manfra-297681a

Read her bio below.

November 20, 2017

Chris Daly, ActiveCyber: What are your core strategic priorities and associated operational objectives when it comes to cyber protection and resiliency? How are you organized to carry out your mission and main priorities?

The Honorable Jeanette Manfra, Assistant Secretary DHS for Cybersecurity and Communications: Within NPPD, the Office of Cybersecurity and Communications (CS&C) component operates a distinct, non-regulatory mission focused on national cyber risk mitigation against the prevalence and impact of a growing cyber threat sophistication. We focus our efforts on cybersecurity risk that can significantly affect public health and safety, national security, economic security, and civil liberties. We use our authorities to protect the federal civilian networks and partner with the private sector on a voluntary basis, while maintaining privacy and civil liberties. Our mission requires close coordination with our customers within the federal civilian executive branch departments and agencies; state, local, tribal, and territorial (SLTT) governments; and private sector companies, particularly owners and operators of critical infrastructure, which range widely in location and capacity and include multi-national corporations.

We are focused on understanding national risk by considering possible dependencies to those services and functions that are critical to our way of life.  How could these services be disrupted through a cyber attack?  We want to assess our programs and capabilities and partner with industry to employ meaningful measures to tangibly reduce risk. To do this, we are focusing on identifying easy-to-implement and scalable solutions to some of our most pressing cybersecurity vulnerabilities. A New York Cyber Task Force report – Building a Defensible Cyberspace –  highlights this concept well, describing how we can create this advantage by building leverage. Building leverage ensures that new technology implements defensive innovation that makes it much more costly for adversaries and is a scalable, automated solution that works enterprise-wide. To foster this defensive innovation, at DHS we are investing in our automation and analytic capabilities. DHS sits at a unique nexus of data allowing us to combine what is collected from our sensors in the Continuous Diagnostic and Mitigation (CDM) program; and, public-private information sharing and collaboration programs. Now, as DHS receives indicators, we can trigger automated defensive actions at the boundary or within the infrastructure of an Agency. Looking ahead, DHS is working to further enrich these indicators by using information received from the vendor community and through behavioral analytics before we re-share it out. This will allow connected entities in the private sector or international community to automate actions on their end. Part of our vision for continued risk reduction is more focus on analytics. Proactive analytics is a key component to helping operators stay in front of cyber threats. This includes using non-signature based analytics with advanced techniques to quickly correlate large and complex data sets. With this information, we can distribute automated recommendations, response actions and products that better support agency analyst efforts to protect their systems.

ActiveCyber: How do you measure and report risk and resilience at the national level to prioritize operational responses to cyber and telecommunications threats and to what extent do these measures also guide investment and policy strategies to improve security posture?

Ms. Manfra: We generally view risk as a function of threat, vulnerability, likelihood, and impact. In the context of cybersecurity, an adversary or “threat” may attempt to compromise a particular device or network, through a vulnerability that permits a successful attack. This interaction of a threat and a vulnerability results in an impact. Consequences can include loss of confidentiality, integrity, and availability of sensitive information, or degradation of a critical services such as electricity or communications.

We are currently focused on understanding potential consequences to our critical services and functions. This requires identifying how these critical services and functions are delivered, if there are any inter-dependencies both within and across sectors, and how they could be disrupted. This understanding is essential for DHS because it feeds into our information sharing and contingency planning efforts.

Many threat actors can be stopped by best practices such as promptly patching vulnerabilities and segmenting networks. Sometimes these practices can be resource intensive to implement—particularly when the organization is large or complex—but they are the foundation of cybersecurity. It is important for organizations to take a risk-based approach to ensure they are appropriately allocating resources according to risk.

The collaborative work with our Integrated Adaptive Cyber Defense (IACD) partners enables us to work with vendors to ensure their solutions are interoperable with other programs. This effort provides agencies a variety of options to purchase and deploy security tools to really improve their security posture.e. My office serves a leadership role in driving the market toward more secure and interoperable security solutions. Although the market will be the principal driver of innovation, government has a key role to ensure that security is not de-emphasized in favor of convenience or expediency.

ActiveCyber: A recent DHS vision paper (see https://www.dhs.gov/xlibrary/assets/nppd-cyber-ecosystem-white-paper-03-23-2011.pdf) describes a cyber ecosystem built on distributed, cooperating, and autonomous endpoints that provide proactive and collaborative defenses. The NSA, DHS and DARPA have on-going efforts guided by a similar vision of active cyber defense. How are the results from these efforts being considered for development and adoption into on-going projects at DHS such as Continuous Diagnostics and Mitigation (CDM)? What is the timeframe when we can expect a fully operational capability for federal agencies related to active cyber defense that features automated incident response playbooks and threat-informed defenses?

Ms. Manfra: Managing a changing cyber environment requires the government and the private sector to work together to build a more secure cyber ecosystem. Progress toward a strong cyber ecosystem will require investments in both technology and people. As part of this, DHS and the NSA are working together on the Integrated Adaptive Cyber Defense (IACD) framework which seeks to improve the ability to quickly and broadly share information and prevent and respond to cyber attacks by combining and coordinating commercial technologies in new and adaptable ways. The Financial Services-Information Sharing and Analysis Center recently announced an effort to operationalize the IACD framework, and DHS will be able to leverage lessons learned from this and assess how we can apply to Federal departments and agencies.

We are identifying the lessons learned from several efforts that will increase our enterprise-wide capabilities available to agencies.  These capabilities, tools, and services help build capacity and maturity at agencies, and they also help ensure security at an enterprise level. For DHS to effectively execute its mission long-term, it is imperative to clearly understand the landscape of the Federal mission space.

We are expanding our capabilities for situational awareness into threat activity and the cybersecurity risk posture across dot-gov.  Through those activities, we can bring federal cybersecurity risk down to an acceptable and manageable level. In all of our efforts, we will stay focused on buying down systemic risk to national security, public health and safety, economic security and civil liberties. d. Right now, DHS tracks government-wide progress in implementing critical patches and other security enhancements via agency self-reporting and manual data calls to agencies. By leveraging automated tools to improve accuracy, the CDM program is greatly increasing the Federal Government’s ability to see and understand the cybersecurity issues that exist on agency networks and to issue guidance to further strengthen our defenses.

The CDM Agency Dashboard is a data visualization tool that displays the current status of cybersecurity metrics and rankings for an agency. The CDM Federal Dashboard consolidates summary information from each Agency Dashboard to form a picture of cybersecurity health across all civilian agencies. This enterprise view across the dot-gov environment will open up new opportunities for DHS to improve risk management at the federal level, and provide actionable information to agencies to strengthen their respective security postures.

Every Chief Financial Officer (CFO) Act agency has its dashboard installed and operating.  Two agencies have already successfully exchanged data with the federal dashboard this year. We intend to complete data exchanges with each CFO CDM agency dashboard by the end of February 2018.  At the same time, we are helping operationalize those dashboards, incorporating the information now available into improving risk-based decision-making.

ActiveCyber: CDM reflects the vision and follows the basic goals of the NIST Risk Management Framework. How is CDM changing behaviors at the agency level to make security part of the day-to-day mission planning and execution of each agency? Are you seeing changes in risk posture and understanding of cyber risk over the time the program has been in effect? Or are agencies just simply viewing it as a part of another compliance regime? In what ways do you expect the program to evolve and improve over the next 2-3 years?

Ms. Manfra: CDM will allow the Department to quickly view the prevalence of a vulnerability across the Federal Government so that analysts can provide agencies with timely guidance on their risk exposure, and if needed, support to address it.

The CDM Agency Dashboard provides an effective way to count and rank issues of concern found on agency computer networks (both hardware and software) and enable agency leadership to prioritize resources to fix their most pressing issues first. The Federal Dashboard provides a tactical summary data will be used to inform strategic decision-making regarding systemic cybersecurity risks across the Federal Government.

We have now deployed a dashboard out to each CFO Agency. We are finding that for some, this is the first time that agencies have full visibility into their networks. Other agencies can quickly leverage the CDM agency dashboards to strengthen existing continuous monitoring processes. Using the CDM agency dashboard, know with confidence to shift their resources to fix the most important and the worst problems first. There is still a lot of work that needs to be accomplished to give agencies the ability to understand how their data is protected and we will be working with them to validate dashboard data quality, timeliness of reporting and operationalization of the dashboard to further strengthen their network security.

ActiveCyber: Your office has a significant national security role in sharing cyber threat and indicator information with critical infrastructure providers and others through the National Cybersecurity and Communications Integration Center (NCCIC), US CERT, ICS CERT and related programs such as Automated Indicator Sharing (AIS), Enhanced Cybersecurity Services (ECS), and Cyber Information Sharing and Collaboration Program (CISCP). How are you measuring the quality of intelligence reported and shared? What kind of feedback are you getting from users and what are you doing to improve the quality and speed of sharing of cyber intelligence? How is privacy prioritized and handled in the way you share threat and indicator information? What types of improvements are you planning to implement over the next 2-3 years?

Ms. Manfra: Information sharing is essential to safeguard the cybersecurity of our Nation and the feedback we solicit and receive from users help us better hone the information we are sharing. For instance, AIS information today is better than when it first started because of the feedback we received from industry. During the first 12 months of AIS, we met numerous times with our connected partners and resolved many identified concerns to improve technical context. For example, we updated the data fields that comprise a cyber threat indicator to add more technical context. We also meet 90 days after a new company first connects to the server to gather feedback on the overall AIS process and how they are using the indicators. In the near future, we plan to add capabilities that will enable us to get feedback at machine speed on whether indicators were seen by receiving organization or if a response action was taken. However, one thing we stress about AIS is that it is about volume and velocity, not human validation of each indicator.

Another initiative to improve quality, we are working with our commercial, Federal and international partners tackling tricky problems like creating shared definitions for confidence and risk scoring, revocation of false-positive indicators and identifying duplicates to improve the quality of what is being shared.

Currently, we have engineers working on analytics to take advantage of what machines can do in processing large volumes of data, like the AIS indicators. Humans shouldn’t do the things that machines can do, and automating the aggregation and correlation of vast amounts data will allow our analysts to focus on identifying high-level, national trends and help us understand the broader national risk.

The Cyber Security Act of 2015 enhanced collaboration and information sharing between the private sector and the government, and provided targeted liability protection for companies that share information with the NCCIC or with private sector-developed and operated information sharing and analysis organizations.

One of the best examples of information sharing that I enjoy talking about is the WannaCry attack that affected thousands in Europe and Asia. On Friday, May 12th, Our National Cybersecurity and Communications Integration Center, NCCIC, which is the federal government’s main cyber operations center, stood up enhanced coordination procedures to respond to the incident. NCCIC analysts began sharing information and coordinating with other CERTS around the world, as well as industry, security experts and researchers, and other government agencies to understand the scope of the malware and how best to mitigate it. Within a matter of hours, the NCCIC released information on WannaCry, identifying the specific vulnerability being exploited by the virus. Later, they distributed a technical alert, identifying the indicators of compromise, distributed the indicators to all organizations connected to our AIS server, and posting signatures to detect them. Through the weekend, DHS continued to share information broadly, identify potential victims, and share with them best practices and technical information, as well as gather more information about the malware. The diligent coordination and round the clock work of more than 45 entities (cyber analysts at DHS, international community and private sector) ensured that stakeholders had the most up-to-date information and support. Personally, I was incredibly impressed by the professionalism and dedication of this effort and, to me, it is a good example of the information sharing model we strive to achieve every day.

ActiveCyber: How is the new dynamic of threat-based security approaches (hunt for the threat) affecting the perspectives of the CISOs you support versus the current focus on vulnerability abatement (fix the vulnerability)? How is your office stepping up to provide better shared situational awareness of malicious cyber threats and activity for particular industries and across the federal government? How important to your constituents is attribution – knowing who the adversary is and their possible motives – in the development and sharing of threat intelligence?

Ms. Manfra: For DHS to effectively execute its mission long-term, it is imperative to clearly understand the landscape of the Federal mission. We intend to expand our capabilities for situational awareness into threat activity and the cybersecurity risk posture across the federal government. Also, we will seek opportunities with federal civilian departments and agencies (D/A) to aggressively test their network defense capabilities with our National Cybersecurity Assessments and Technical Services red team.  These cooperative tests would provide D/As with an objective third-party perspective on their current posture and grow their ability to better defend their networks. Through these efforts, we can bring federal cybersecurity risk down to an acceptable and manageable level.

Our goal is a cyber environment where a given threat, such as a malicious email, can only be used once before it is blocked by all other potential victims. Connecting defenders will reduce the frequency of successful cybersecurity exploits and deter adversaries by increasing the investment required for a single successful attack.

We are seeing increased activity and sophistication from both nation states and non-state actors.  Threat actors are constantly innovating and finding new ways achieve their goals.  Widespread ransomware is a clear example of this – knocking hospitals, transportation companies, and other critical infrastructure offline for hours or even days.

Determining attribution in a cyber incident is a function of the intelligence community (IC).  However, we work closely with the IC to provide any analysis or findings we have.  In several cases, DHS and the FBI have worked together and issued Joint Analysis Reports that provided attribution.  But more importantly, these reports provided details of the tools and infrastructures used to compromise and exploit the U.S. government, political and/or private sector entities.

In all these efforts, fixing the vulnerabilities is still very important. However, that being said – advanced adversaries aren’t always exploiting known common vulnerabilities and exposures (CVEs).  They exploit inherent weaknesses in enterprise architectures, such as lack of proper network segmentation, credential reuse, abuse of legitimate OS functionality, and other non-exploitation tactics, techniques and procedures (TTPs). This is why the most important defense is a layered defense or defense-in-depth, with appropriate visibility and monitoring to include hunt and response capabilities. We need to move beyond just sharing indicators (which are sometimes only used once by adversaries) and towards sharing the actual TTPs to improve our defensive capabilities.

ActiveCyber: Artificial intelligence and machine learning are being discussed as the next big thing to improve cyber security. What is your view of the role these technologies can play or should play to support active defenses? What do you expect the timeline to be for broad adoption of these technologies in cyber defenses?

Ms. Manfra: Artificial intelligence has great potential in shaping the future of big data/analytics.  The ability to identify malicious traffic based on “learning” patterns can be leveraged by security operations centers to automate detection and prevention of previously undetected or zero day attacks. Another area that Machine Learning is gaining momentum is the behavioral/heuristic based detection capabilities, such as next generation anti-virus (NGAV). At DHS, we are incorporating machine learning techniques as part of efforts to move beyond signature based IDS/IPS.  While there has been great evolution in the use of machine learning to address cybersecurity challenges, it is still in the early stages of maturity and we expect it to evolve in the next 2-3 years. For advanced machine learning, we think it could be upwards of 5 years to mature.

ActiveCyber: CPS and IoT smart devices increasingly enable cities and communities to improve services, promote economic growth and enhance quality of life. At the same time, most CPS and IoT devices have come to the marketplace without the security architectures and measures needed for smart cities to operate securely and well over the long-term. What types of minimum standards need to be in place to provide reasonable cyber protections as these IoT devices come on line? Do you believe that adoption of new Identity-Based Networking technology and protocols can play a role in “taming” the IoT from a security perspective? e.g.,

1. IBIP – https://www.mitre.org/sites/default/files/pdf/12_0928.pdf
2. HIP – https://en.wikipedia.org/wiki/Host_Identity_Protocol
3. SDP – https://cloudsecurityalliance.org/group/software-defined-perimeter/#_overview
4. ILNP – https://en.wikipedia.org/wiki/Identifier/Locator_Network_Protocol

Ms. Manfra: In line with our mission to secure cyberspace, protect critical infrastructure, and ensure public safety, DHS published its Strategic Principles for Securing the Internet of Things. It comprises six voluntary and non-binding principles designed to provide security across the design, manufacturing and deployment of connected devices. Furthermore, these principles reflect and elevate suggested practices to advance security on IoT devices, systems and networks, while highlighting opportunities for enhancing current approaches. The publication of these principles was just the beginning of a longer term coordinated effort between government and industry to develop solutions to address the systemic risks and resilience of IoT.

In the current environment, it is too often unclear who bears responsibility for the security of a given product or system. Going forward, DHS plans to convene with partners to discuss and solicit ideas on critical matters such as, but not limited to, legislation, regulations, voluntary certification management, standards-settings initiatives, and other mechanisms that could improve security while still encouraging economic activity and groundbreaking innovation.

One particularly promising area of discussion is a voluntary safety certification for IoT devices. Such a certification could “raise the tide for all boats,” while not being unduly burdensome on innovators. DHS is exploring ways to partner with and support organizations working on this concept.

Based on discussions with the IoT Security Working Group, DHS and the IT Sector Government Coordinating Council (GCC) and Sector Coordinating Council (SCC) recently started a project to develop IoT procurement guidance for Federal departments and agencies. The IoT spans a huge range of forms and topics, many of which are specific to the sector in which the IoT product or service operates and to the particular functions it performs. IoT devices by nature share information using existing communications networks, and therefore should be accounted for when performing security and risk management operations. The goal for this project is to focus on a subset of IoT implementations meaningful to the Federal environment – and to identify potential baseline security considerations for procurements of IoT in those environments.

ActiveCyber: Blockchain technology promises to bring about some revolutionary changes in commerce, banking, logistics, and even medical systems. What security challenges still need to be addressed in your view to consider the adoption of this technology? Do you envision block chain as a way to aid active cyber defenses?

Ms. Manfra: DHS is still assessing the challenges and benefits of Blockchain in the homeland security environment, however, we recognize its potential. This summer, the President’s National Security Telecommunications Advisory Council (NSTAC) recommended in their Report to the President on Emerging Technologies that the government should evaluate the national security and emergency preparedness applications and risks of blockchain technology. In September, DHS Science and Technology awarded a $750K to Digital Bazaar, Inc. to develop fit-for purpose blockchains for identity and access management.

ActiveCyber: Recent events have raised considerable concerns over the cyber supply chain. The recent banning of Kaspersky software and previous revelations regarding NSA’s alleged use of zero day exploits in other commercial software seem to point to a supply chain war that may have consequences on commerce in cyberware. How is DHS involved in protecting the cyber supply chain and what type of industry collaboration is needed to improve the supply chain protections while maintaining free and open commerce?

Ms. Manfra: DHS is highly dependent on vendors and integrators of commercially available information and communications technology to accomplish its missions, and as a result we know that the cyber supply chain is a significant source of risk. In order to appropriately manage these risks, DHS needs increased visibility into, and understanding of, how the products and services it buys are developed, integrated, and deployed, as well as the processes, procedures, and practices used to assure the integrity, security, resilience, and quality of those products and services.

Over the last five years, DHS has made great strides to protect against information and communications technology (ICT) supply chain threats, including updating and issuing more robust information security program policies for its own operations. While these actions have materially improved the Department’s supply chain risk posture, the Kaspersky Lab threat makes clear that the evolution of supply chain threats is moving at a rapid pace. To keep up with these evolving threats, we reviewed our Cyber Supply Risk Management (SCRM) policies and practices, established a working group to recommend improvements, and surveyed other agencies’ SCRM implementations and industry best practices. As we build on these best practices to improve our own activities, we will coordinate and share broadly with our stakeholders in federal, state, local, tribal, and territorial governments, as well as owners and operators of critical infrastructure.

Also, we work with the public, private, and international communities and standards organizations to develop and encourage the adoption of sound software development and acquisition processes and practices.  The Software and Supply Chain Assurance (SSCA) Forum and Working Groups provide a venue for government, industry, and academic participants from around the world to share their knowledge and expertise regarding software and supply chain risks, effective mitigation strategies, and any gaps related to the people, processes, or technologies involved. They focus on software security-related advances in practices, products, and standards for software development, supply chain management, education and training, tools, and measurement in order to reduce risk. Shifting the security paradigm from post deployment patch management to life-cycle software assurance will enable more resilient software and support mission requirements across IT enterprises.

Thank you Ms. Manfra for a such a comprehensive look at the different cybersecurity initiatives and activities going on at DHS. It is quite apparent from such an extensive portfolio of services and research that there is a significant commitment by our government to improve our cyber defenses and to lead in this area. I appreciate (as I am sure my readers do) your leadership in this area as well as the commitment, expertise and resourcefulness of your team.

And thanks for checking out ActiveCyber.net! Please give us your feedback because we’d love to know some topics you’d like to hear about in the area of active cyber defenses, PQ cryptography, risk assessment and modeling, or other security topics. Also, email marketing@activecyber.net if you’re interested in interviewing or advertising with us at ActiveCyber.