Cyber framework has DHS assessing its priorities, said Phyllis Schneck during a Senate hearing. (Rob Curtis/Staff)
It’s been six weeks since the National Institute of Standards and Technology released the final version of its cybersecurity framework, and officials at the Homeland Security Department are focused on their role in what happens next.
DHS’ core role in post-framework federal cybersecurity efforts centers on engaging partnerships, ensuring collaboration between the public and private sectors – including to forge a cybersecurity market – and driving awareness in smaller business sectors that may be unaware of cybersecurity risks, according to Phyllis Schneck, the department’s deputy undersecretary for cybersecurity. DHS also is expected to offer incentives in the near future for participation in the framework, and is working to address shortages in cyber expertise.
That dearth of talent in the cyber workforce is one of DHS’ biggest issues, Schneck told a Senate panel on March 26.
“There’s a spectrum of skill sets. We need cyber experts, analytics people, policy people – that combination of talent, of people that work with us,” Schneck told the Senate Homeland Security and Government Affairs Committee. “We need to look at a holistic view of what we can do with partnerships and…where we can go next.”
Schneck told lawmakers that DHS needs assistance from Congress in order to better address the workforce shortage, specifically by making the hiring and onboarding process easier and by providing DHS with more money and more hiring authorities. Schneck admitted that government cannot compete head-to-head with private-sector pay, but she was confident that “the mission” can at least partially make up for that.
“From what I’m told, the hiring process is very, very difficult,” Schneck said. “There’s fine talent out there, and I know with our mission, we could actually use our mission and outdo some of those salaries they’re offered [by industry]. We have to have the flexibility and some additional competitiveness to bring them inside and see what we do and get them on board. That’s our future.”
Some of the panel members assured Schneck and others testifying at the hearing that they are working to improve cybersecurity staffing.
“We are going to get you the capability to hire the people you need,” said Sen. Tom Coburn (R-Okla.), the panel’s ranking member. He noted a bill that could be considered in the panel’s next markup would relax the existing limits on hiring.
Senate panel members repeatedly asked Schneck about the potential for DHS to offer liability protections to companies willing to share cyber threat information – a contentious issue tangled with legal barriers and intellectual property and privacy concerns. At smaller companies far from the Beltway, including critical power utilities, it remains unclear what the government is doing, she said, resulting in a certain level of mistrust.
“We need to know what utilities see, we need to know what they know and they need to see what we see – so how do we make them comfortable?” Schneck said. “There’s a lack of understanding as to what happens in Washington. We have to get the general counsels to be comfortable with information, not intellectual property, but information and awareness of cyber events…with that transfer of information.”
She suggested some support for “limited” liability protections, but focused more on voluntary information-sharing, as well as machine-to-machine data-sharing that does not involve human interaction and works at the speed of technology.
“There are pockets in private sector that can do this; that’s why I’m confident that real-time analysis can be pushed out with data,” Schneck said. “We have the ability to correlate information and get a global view of what traffic might be OK and what might not be, and literally pass that at machine speed.”