Mark Weatherford, deputy undersecretary for cybersecurity at DHS, wants to set up a cyber 9-1-1 system for critical infrastructure. He outlined his vision today at the Cloud Security Alliance Summit, held as part of the RSA Conference.
Weatherford pointed to a massive malware attack against Saudi Armaco that infected 30,000 workstations at the Saudi national energy company. That incident sent "a lot of ripples" through the critical infrastructure industry in the U.S. So did the DoS attacks that flooded the systems of financial service providers this past fall. "All of these types of things are a sliver of what occupies my thoughts on a day-to-day basis," Weatherford said.
Weatherford's cybersecurity unit at DHS provides help to secure the various federal department agencies and works closely with critical infrastructure industries to help them secure their systems. The agency also works closely with the FBI and various other government law-enforcement agencies to fight cyber threats.
"Currently, there is a lot of confusion when it comes to who organizations should call should they suffer a breach, or find themselves under significant attack pressure," he said. "We want to make DHS the cyber-91-1. Currently, people don't know why they should call, and we want to change that," Weatherford said.
Toward that aim, Weatherford's goals include expanding government and private industry attack-data sharing. "The president has given us a mandate to up the ante on data sharing. When I was in the private sector, that was a big challenge. If the government had threat information, I wanted to know about it," he said.
He also called on private industry, both practitioners and the security industry itself, to push for more security innovation. "Why are we still sharing information that we shouldn't? Why aren't some of the solutions we have today being used, put into place? Why are we still relying on passwords?" Weatherford asked. He said just as security evolved from the mainframe to client/server architectures, so it must evolve for an increase in cloud computing.
The final and arguably most challenging hurdle for the government and private industry when it comes to security is finding the talent they need. Weatherford asked audience members if they had the security talent they needed. Nobody in the audience raised their hands, indicating a clear shortage in IT security professionals. "This is one of the more common themes that I see as I travel around the country. We need people that can think about where the trends are going in IT security," he said.
Some of the solutions Weatherford proposed included hiring professionals with non-traditional backgrounds but who do possess the right security skills, and encouraging more kids and college students to pursue a career in security. However, when it comes to fixing his immediate need for the right skill sets at his agency, Weatherford's peers at other federal agencies might want to look out. "I'm not bashful about stealing people away," he said.