Though sometimes not as high-profile as Cyber Command, the Department of Homeland Security plays perhaps the key role in cybersecurity in the federal government.
Rosemary Wenchel is a veteran of the Defense Department, where she held a long series of jobs, including chief scientist for the Navy’s cryptography community and DoD director of information operations in cyber and strategic studies.
Wenchel recently joined DHS to bring the two agencies together in the cyber realm. C4ISR Journal Editor Aram Roston interviewed her on how that can happen, why she doesn’t use the term “cyber Pearl Harbor” and how she hopes to make cyber attackers pay.
You cut your teeth in cryptology?
Right, except I’m really a computer science person. In those days, we didn’t have networks. We pulled wire from mainframes to a desktop, and that’s how people computed.
Now your job is coordination?
Yes. I took a lot of calculus to be a social worker. [Laughs] My job here is to bring DHS and DoD together in a seamless way. You know, every day, I say, “Eyes on the prize: What are we trying to do here?” We’re trying to defend the nation against cyber threats, right? So lay aside parochial interests. Lay it aside and focus on what we are trying to do here.
I have a long history with DoD. I came here to represent DHS in essence back to DoD. I know a lot of people at [the National Security Agency] and DoD and [the Office of the Secretary of Defense] — places like that.
You know, it’s trying to get people to work seamlessly together for the good of the nation. I know it sounds schmaltzy, but it’s actually true.
No, it doesn’t sound schmaltzy, it sounds difficult. There is that functional problem — they are DoD and you are civilian. DHS is supposed to have the mission and can only task the DoD in certain cases, right?
Right. Each person has a mission set that you need to prepare for and do well, and obviously DHS has a domestic set of missions and DoD looks overseas, and they protect their own dot-mil [domain]. In this day and age, the network is not some auxiliary staff function, but it is core to operations.
At DHS, we protect the dot-gov and we have all sorts of programs. We work with the dot-com with a principal focus on the critical infrastructure. And then we have the NCCIC — the National Cybersecurity and Communications Integration Center — which is like a watch floor. It does cybersecurity for all these things. It shares information with the private sector. It’s a big clearinghouse for cybersecurity information.
The coordination job as initially scoped was really about DHS and DoD. Much of the nation’s capacity is in these two organizations.
So, it’s almost impossible to say “Cyber outside these borders, one agency has a responsibility to look at,” or, “inside the United States, the DoD cannot look at this.”
International law is written that way, using sovereignty. But what’s the essence of sovereignty in cyberspace? What’s a hostile act in cyberspace?
Dirt doesn’t have a lot of meaning in the network. The whole idea of nation-state borders is not easily understood in a network environment, so this has to be a two-way street between the two departments.
What are the different agency roles?
Typically, if you have a cyber incident, State Department’s initial reaction, because of what they are and what their culture is, is “Well, let’s démarche,” right? Well, DoD’s first reaction isn’t “Let’s démarche,” it’s “Let’s do something!” There are cultural components to the departmental matchmaking that I’ve been trying to work.
So the State Department, their preference is to demarche? Do they do that frequently?
I’m sure that they want to.
The most recent spate of attacks was the denial of service attacks against financial institutions. What happened, and what did you do?
So if we hear about it, in general, our NCCIC calls a UCG — a unified coordination group — that brings together all the different parts of government, and people from the financial sector, to share information.
If you hear about it? So there are plenty of incidents you don’t learn about?
Right. You don’t know what you don’t know.
Sometimes it’s the FBI that learns of an incident?
Anything in the law enforcement realm goes right to the Department of Justice and it goes right to the FBI.
For companies, there is no law that says they have to report it, right?
Right. There is no law that says they have to. A private company will make a judgment about what they want public or not. DHS is seen as a kind of neutral space. Companies are not hesitant to talk to us per se.
But there is no requirement. Should there be one?
I don’t know. I think maintaining security on the net has to be a team sport, but you know the whole discussion about legislation has to do with regulation: Should there be regulation or not? It’s undetermined at this point what the right solution is there.
Without regulation, there’s a probability that you won’t know about every significant attack, right? I guess that’s what I’m trying to get to.
I think that’s probably a true statement.
Critical infrastructure attacks: If it’s not reported, you don’t know about it?
No, we are not going poking around into private servers.
It’s voluntary — that’s one of the issues?
It is voluntary. As you are probably aware, this is a big political issue. I’m not going to comment on a political issue.
Not the politics but whether this can all work if the companies aren’t required to report anything.
I guess what I would like to see, in an ideal world, is a model where the companies understand this is a mutual place if we can build a foundation of trust between government and private sector. The CEO has got to understand, and they are coming to understand that this is about core business. This isn’t an IT function; this is their bottom line. I think that is the case and that should be compelling enough for them to understand their equities are best met by working with the government.
Defense Secretary Leon Panetta used the term “cyber Pearl Harbor.” Do you use that term?
I actually don’t. It doesn’t mean that I wouldn’t. I would hope that, as a nation, we don’t get to the point of having to wait for a cyber Pearl Harbor. I would love to see some legislation passed at some point just to codify some of this. Certainly there is a chance for a cyber Pearl Harbor, but don’t underestimate that there is a substrate of the activity going on all the time. And that is more characteristic of what the threat is at the moment: It’s not the cyber Pearl Harbor, it’s the constant spying and malware. It’s a steady-state condition.
I saw you quoted as saying there need to be “costs” imposed on the attacker?
I think you should impose costs on the adversary, whoever that may be. I think that is much more of a deterrent. You know, the first level of defense — people create thicker walls and deeper moats — but I think it is much more important to impose costs on whoever is perpetrating the threat. I think that’s a better response.
How? What? That’s the tough part.
So, cyber incursions are not normally just techie on techie. They have a motivation. Often the motivation is economic or political. That’s the issue. So this goes back to my information operations days. You have to understand these things in context. When you do something, it’s not about putting bits someplace in the net. It’s about having a net effect on a decision-maker. I understand it that way, even though I’m really a techie at heart.
The threats to our net are not just about a threat to our net, they are about a threat to our well-being, our competitiveness, to our nation, our international standing. There’s a greater philosophical sort of objective, rather than just taking down a server or denying a website. So that’s the strategic communications part.
But how does one even get to the point of imposing costs? And when you say imposing costs, you mean making an attacker pay?
Right, or making it not worth their while to try to attack you, rather than just thwarting the attack. This is just my personal opinion. I’m not speaking for DHS. I think that philosophically it’s more effective to impose costs than to just thwart. But this is not a discussion I’ve had with my leadership here.

(This article appears in the January-February issue of C4ISR Journal.)