Department of Homeland Security's Rob Pate Podcast on Protecting Country's Critical Infrastructure
RICHARD SWART: This is Richard Swart with Information Security Media Group, publishers of BankInfoSecurity.com and CUInfoSecurity.com. Today, we will be speaking with Mr. Rob Pate, who is Deputy Director for Outreach and Awareness for the National Cyber Security Division at the Department of Homeland Security, DHS. Mr. Pate is also a founder of the Government Forum of Incident Response and Security Teams (GFIRST). GFIRST is the first U.S. government-only information sharing group dedicated to incident response and security teams. The group has grown from twelve initially invited members to more than 1,000, representing approximately 100 different government incident response teams across the nation. Before joining DHS, Mr. Pate was the Director of Strategic Operations for the United States Computer Emergency Response Team, US-CERT. Good morning, Rob.
ROB PATE: Good morning.
RICHARD SWART: Well, could you please explain for our listeners your responsibilities as the Deputy Director for Outreach and Awareness for the National Cyber Security Division, and also, how do you interact with the banking and finance community?
ROB PATE: Our job at NCSD is to help government agencies, federal, state and local, and the private sector, as well as our international partners, to better defend themselves against cyber attacks and disruptions. Also, if you want, I'll touch briefly, a little bit on US-CERT, and then we can touch on the financial sector things that we were talking about. If you're not familiar with US-CERT, the United States Computer Emergency Response Team, that is the focal point for cyber incident response for the nation. One of the ways that we are meeting our goals is by the establishment of our 24/7 cyber security watch and warning center, called US-CERT. US-CERT works closely with the public, private and international partners on cyber incident detection, as well as response and reconstitution after incidents occur. A couple of the key elements that we are involved in are the National Cyber Alert System, and as you touched on, the GFIRST community, which is made up of a large community of incident responders. Some of the elements, or things, that I would like to bring up that relate to our financial sector, and messages that I think the NCSD wants to make sure that we communicate to the financial sector, is this: as a financial institution, your customers, your families, and your fellow citizens all count on you to get their paychecks, pay their bills, and to keep our $13.5 trillion economy moving. America owes much of our economy's success to our open and transparent society. But, these strengths also leave us vulnerable to our adversaries, whose motives may be criminal or terrorist in nature. I guess the bottom line is that NCSD is here to help. By putting security first, we can work together to keep the $5.5 trillion in funds that flow every day through US financial systems out of the hands of criminals and terrorists.
RICHARD SWART: So, NCSD has a large role in critical infrastructure protection?
ROB PATE: The department, as a whole, sees critical infrastructure protection as extremely important to the department. DHS is focused on protecting the national cyber space, because online vulnerabilities can have real world consequences, and I think that is a message that we need to continue to communicate to folks out there. Something that I think is very parallel is when you look at the seatbelt campaign, and how long it took for that to catch on. I think we're seeing the same thing with cyber security. Folks hear about the consequences of cyber attacks, and making sure they understand that, yeah, these online vulnerabilities can have physical and real world consequences, is a message that we want to continue to keep hammering home with folks. It's funny, because I think about when I was a little kid riding in the car with my parents, and we had seatbelts in the car, but we never wore them. But, now, when I go down the street, I mean, I won't go a block without having my seatbelt on. And I think the education aspect is something that we want to continue focusing on.
RICHARD SWART: You are a knowledge expert in incident response and intrusion detection. How did you get your experience, and how did you get started in information security?
ROB PATE: I was fortunate enough to be involved in information security and CERT capabilities before 9/11. It's interesting, because back before 9/11, it seems like not a lot of people were interested in security, and much less cyber security. My background is in mathematics. I always found it kind of interesting. And looking at the ways that people would probe networks, and if you look back, historically at hackers, they were folks that were looking at trying to solve problems, at least initially. And now that obviously has changed to more of the state-sponsored cyber crime and cyber terrorists. One of the things that is really interesting -- our adversaries of today are really Ph.D. level skill set attackers. They're not just people that are poking around or just the script-kiddies defacing websites that we have seen in the past.
RICHARD SWART: When you were with the Federal Computer Incident Response Center, you had responsibility for vulnerability management and patch management. What lessons did you learn that we can apply, in terms of managing vulnerabilities, and also coordinating such large scale efforts?
ROB PATE: One of the things I've been involved in, and it was very enlightening, was taking a look at your incident response capability, and what does that actually mean? A lot of people out there might say they have an incident response capability, and when they look at it, if you're involved in incident response, is it an incident reporting capability, or is it an incident response capability, and what are the components of an incident response capability? What I've found is you really can break it down into four areas: protection, detection, response and sustained capability. What I've seen as one of the true lessons learned over the years has been that you can have really smart guys doing the protection. You can have very robust detection capabilities, whether you're looking at net flow analysis, IDSs or other technologies out there. You can have skilled people on the monitors. And even on the response capability, you've got your handful of guys with the skills that can go out and take care of business. But, where I have found a lot of time has not been spent is in the sustainability area, making sure that if somebody on your team gets hit by a bus, what happens? What are the checklists, the procedures, the policies that keep your operation up and alive beyond just the couple of guys that are keeping things put together? So, I mean, I think that's an area that all incident response capabilities and folks that are interested in this area need to focus on. You really need to make sure…. And it's tough for the techies, I mean, believe me, making sure that you take the time, you write down the policies, the procedures, and the checklists, and you capture the knowledge from these technical folks is key. Knowledge management and retaining this, as people move in and out of your security organization, is absolutely essential to maintaining that incident response capability for the longer term.
RICHARD SWART: If I was going to be staffing-up a CERT team or an incident response team, what key skill set should I be looking for in the people that I hire?
ROB PATE: I think that's really a financial, I think it's really going to be determined by what are the available, what's the available financial support that you have for your incident response capability? I look at our organization, and I look at some of the very technical key people that we have on our malware analysis team. When you get guys that can reverse engineer malcode, first of all, they are very difficult to find, and second of all, their skill set and talent is in high demand. So, if you get them, holding onto them is very difficult. So I look at, at least in the federal government, the resources that we've built, hopefully making them available as much as possible to other organizations, so that they can leverage the capabilities that we have, and that you don't see the dollars getting spent, over and over again across the government. So, the skill sets are very difficult to find. What I think, at least at an initial capability, I mean, you do need to have at least a tier one incident responder. This is, if you think about First Aid training and you're a lifeguard and you arrive at the scene, and you want to make sure that you are able to stop the bleeding, and at least keep things under control until a tier three, or an advanced incident responder, and in this case, if you think about CPR and arriving at the scene, as the nurses and doctors come on, or the EMTs are able to take over. And I think just basic incident response training is very key. One of the things that I wanted to mention is, we have, within NCSD, we have looked at skill sets across a number of domains, and we've come up with an essential body of knowledge that's identified skill sets – and I believe we'll be releasing that publicly in October – that will help to really identify the key skill sets for the different components within the cyber security arena.
RICHARD SWART: I'm sure it will be a great resource for everyone. I was curious, if you were still manning a watch and warning desk, what would you be worried about? What would be keeping you up at night?
ROB PATE: What would, what would be keeping me up at night? That's kind of interesting. I just had a discussion with a CISO for a state, and it was interesting to hear what they were talking about keeps them up at night, and it was different from what keeps me up at night. And they were talking about the insider threat. And there's a lot of different areas that people focus on. But, I will tell you, I don't know if it's the thing that keeps me up the most at night, but it's definitely an area that we need to pay a lot of attention to, and it's really the home user. And, the reason I say that is because it's such a gigantic place, it's such a gigantic footprint, and making sure that the education is out there for the home user. Of course, the insider threat is very sexy, and it's important and people want to focus on it. And the state-sponsored attacker. Of course, those are kept in mind. But the home user is definitely making sure that they are educated and aware that their machines can have an impact on the infrastructure, and knowing just because you're on the Internet, these resources can be used for different things. I wanted to touch on the fact that there are two things that are very key. One is we need to make sure that there are new recruits needed, but, the federal government, our scholarship for service programs…. I mean, our adversaries, like I said, are Ph.D. level experts – and making sure that we get the folks supporting America, in government, and also within our companies, that are helping to fight the battle for us, is essential. Also, the fact that the cyber crime industry is absolutely a growth industry. You've seen the fact that our adversaries, organized crime, have gravitated toward the cyber arena.
You look at the carding sites out there, you look at the "Shadow Crew" investigation that took place, where the Secret Service nailed this big online carding [gang], where they were trading not only information on credit cards, but anything imaginable. The criminals have figured out – "hey, there's a lot of money to be made" in the cyber arena, and they are definitely gravitating in that area.