The National Protection and Programs Directorate (NPPD) — the cybersecurity arm of the Department of Homeland Security — will be going through some changes this year, including getting a new name. But the name change is more than cosmetic, according to NPPD Undersecretary Suzanne Spaulding, who sat down with Federal Times Associate Editor Aaron Boyd to explain.
What is NPPD's role at DHS?
DHS has the network defense mission. So, you have the law enforcement folks who are doing law enforcement activities and intelligence community that is looking at the threat that is coming at us from overseas. In NPPD, our mission is to work with critical infrastructure owners and operators and across the civilian federal government to help make wise risk management decisions; to provide baseline tools for the .gov world; to make sure that we are working with our critical infrastructure owners and operators so they understand the cyber risks and how to mitigate them, providing assessments, tools, training, all of it for free, so that we can lift the level of cybersecurity all across the country.
That is what DHS is about and we think it is really important that people understand that and understand the resources that are available.
NPPD is getting a new name. Is this just a new set of clothes or is the change more substantive?
The name for NPPD is really very important. The National Protection and Programs Directorate tells you nothing about what we do and I think a name like Cyber and Infrastructure Protection speaks for itself. It not only helps our stakeholders understand what it is that we do but really helps our workforce to have that shared sense of identity, to understand that we are all engaged in the same overarching mission to strengthen the security and resilience of the nation's critical infrastructure.
But the changes go far beyond just the name change. The changes we are trying to bring about at NPPD have to do with reflecting the convergence of physical and cyber that we see in the real world and making sure that our institutional structure does not preserve stovepipes around cyber and physical that really get in the way of that holistic approach to risk management that we are asking private-sector folks to take. We are asking them to think about threats and vulnerability and consequences and mitigation across cyber and physical at every step of the way. Understanding that cyberattacks can have physical consequences but there are physical vulnerabilities that can cause disruption in your information communications technology, that there are mitigation measures for cyber incidents that could be physical mitigation. So, we think a holistic approach is important and we want to organize that way.
We are also elevating the NCCIC [National Cybersecurity and Communications Integration Center] and bringing a sharper focus to our operational activity. We really want to be about making a difference in the real world and making a difference on the ground.
Is there going to be a change in how NPPD — now CIP — fits into the hierarchal structure at DHS?
NPPD will become an operational component. Right now, it is considered a headquarters component.
It started out back in 2008 as about 500 employees at headquarters providing support to headquarters. We are now over 3,000 federal employees and 15,000 contractors engaged in operational activity all across the country. As an operational component, we will be able to take on more of that business support.
For example, IT support to folks in the field that headquarters was never resourced or equipped to provide but operational components have the ability to enter into contract vehicles all across the country and provide that agile, dynamic support that you need for the kind of operational tempo that we have today.
Why the focus on infrastructure protection?
This is something we have been talking about for a long time but it has taken on a special urgency since the attack in Ukraine in December, in which a cyberattack brought down the electric grid for 225,000 customers.
We believe this is something very important to bring to the attention of those who operate industrial control systems across sectors — not just in the electricity sector but water, transportation and critical manufacturing really across the board. It is something we hope CEOs will stand up and pay attention to. I would like them to see articles like yours talking about this and walk into their office the next day and put that down on the table and say, "What are we doing about this?"
We have put out mitigation measures. We know how to prevent this activity and we need people to pay attention and take action.
What trends are you seeing in private industry that can be applied to protecting federal networks?
There are all kinds of things that are happening out here that are very interesting to us and important to us. We have developed for the .gov space an important platform called Einstein that we hope to continue to build by adding innovation, innovative products and developments from the private sector. Similarly, our Continuous Diagnostics and Mitigation [CDM] program which looks at the health of the network and who is on your network from the inside is really bringing into the government technology and products produced by the private sector.
How do we make sure that the things that we are doing we can do at a scale that matches the scale of our adversary, the speed with which our adversary is moving, the ways in which we have to be able to learn, do machine learning and be able to recognize things we have never seen before? This is work that we are undertaking at the department and we are benefiting from some of the innovation out in the private sector to achieve.
How do you attract the right cyber talent to government? How do you compete with private-sector salaries and how do you bring in individuals who might have learned their hacking skills doing things on the far side of legal?
In terms of building the cyber workforce, I have been talking for some time now with my colleagues in the private sector about working together to put resources into building that workforce, that pipeline. Going to colleges and universities to make sure that we are appealing to students to go into cybersecurity but also providing some resources to help there.
The deal that I would make with the private sector is I will hire them right out of school and we will give them on-the-job training for a few years. Then you lure them away with bigger salary and then when they have put their kids through college, they will miss the mission and they will come back to us. I think that is really the way we are going to have to begin to think about our workforce which is different for the government; not getting someone in and keeping them for an entire 30- or 40-year career.
And we are very interested in bringing on folks who have hacking skills, frankly. We have a very robust effort to do penetration testing, hot teams, and so those are skills we very much are in need of and are looking for. So, there are folks out there who have been doing these kinds of activities perhaps in response to bug bounty programs for example and we are very interested in talking to those folks.
I think there is a fairly robust, white-hat ethical hacking community out there that I think really has been a little nervous about how the law might be applied to them and I think we should provide clear guidance on that. There are international standards on bug bounty kinds of programs and I think those ought to be encouraged and I think we ought to be trying to hire the folks that have those skills.
Aaron Boyd is an award-winning journalist currently serving as editor of Federal Times — a Washington, D.C. institution covering federal workforce and contracting for more than 50 years — and Fifth Domain — a news and information hub focused on cybersecurity and cyberwar from a civilian, military and international perspective.