Greg Touhill, DHS, USA on Cybersecurity: Exclusive Interview
An exclusive interview with Brigadier General Gregory Touhill, Deputy Assistant Secretary, Department of Homeland Security Office of Cybersecurity and Communications. What should we all be doing to be ‘responsible cyber citizens’?
Just before the Fourth of July in 2013, Brigadier General Greg Touhill retired. Behind him was a long career in the United States Air Force. He’d had command at squadron, group and wing levels and had earned a large number of medals. What would he do now?
In his later years of service, Brig Gen Touhill had been a Director in the United States Transportation Command (USTC). Crucially, he’d been responsible for what they call C4 systems: Command, Control, Communications and Computer systems.
He had also been Chief Information Officer, and so had been responsible for the investment strategy for all the information technology resources. On top of that he was Senior Cyberspace Operations Officer for the USTC.
Man With A Mission
With that background and experience, well-paid jobs beckoned in the private sector for the voluntarily retired Brigadier General. There was just one problem, as he explains:
‘There were opportunities in the commercial sector – however I still needed a mission.
‘The Department of Homeland Security’s mission was really appealing to me. I was recruited to join the team. I was eager to continue my service to the nation and to the international community and protect information, minimise risk and provide solutions that remain effective, efficient and secure.’
Threats And Targets
That role of protection, which he took on in April 2014, has a whole host of enemies ranged against it. These include terrorists, criminals involved in financial or business intelligence theft, foreign intelligence operations and, in his words, ‘frankly, ignorance’. Given the range of enemies, what does he see as the major target?
‘Our critical infrastructure. And if I take a look at the greatest threat to our critical infrastructure I would have to say vulnerabilities and weaknesses in our industrial control systems. That’s one of the things that has me very concerned and I am focusing a lot of the attention towards that.’
In the US, critical infrastructure is categorised in 16 main areas, such as energy, transportation, emergency services, water and so on. The industrial control systems are embedded into each of the critical infrastructures, and it is these control systems that are drawing most attention.
Getting Cybersecurity On The Agenda
This raises several issues. Two of them are that much of the infrastructure is owned not by the federal government but by private or public companies, and that systems are linked both nationally and internationally. For Brig Gen Touhill, this presents a series of challenges.
‘There is a host of different things that could go wrong but our critical infrastructure around the world, not just in the US, is heavily and increasingly reliant on automated systems. And systems that are not configured properly, systems that are not managed appropriately, and systems that have vulnerabilities that can be exploited, could all present problems for the critical infrastructures.
‘There is no one particular threat that is weighted heavier. We are trying to address all threats so that we can secure our critical infrastructure to maintain public safety. The critical infrastructure is largely in the hands of the private owners and operators and only together, in partnership, can we best defend our nation.
‘I think there is a varying level of maturity and awareness of cybersecurity threats and vulnerabilities across the private sector. That’s where we in the public space, as part of the government, are helping raise the awareness and the conversation. More and more senior executives in critical infrastructure have cybersecurity on their agenda.’
There Are Two Types Of Companies
Brig Gen Touhill knows from his own experience that this is very much a work in progress. While he was apparently having a rest period between retiring from the military and then joining the DHS, he somehow found time to write a book on cybersecurity for executives.
In it he recounts how, while still in uniform, he was having discussions with CEOs and other senior executives who were in theory teaching him best practice in cybersecurity. More often than not he found that his training meant that he ended up teaching them about how to better secure their own information.
In the book he quotes Mike Rogers, the Chairman of the House Intelligence Committee:
‘There are two kinds of companies. Those that have been hacked, and those that have been hacked but don’t know it yet.’
Definition Of Terms
Brig Gen Touhill also provides a definition of cybersecurity. It seems to mean different things to different people, with some governments framing the debate as primarily one of counter-terrorism, while to some CEOs it’s an issue of industrial espionage and to many individuals it’s about having money stolen from their accounts. This definition then may prove helpful:
‘Cybersecurity is the deliberate synergy of technologies, processes, and practices to protect information and networks, computer systems and appliances, and programs used to collect, process, store, and transport that information from attack, damage, and unauthorised access.’
Know Thy Enemy
Although governments face a range of cyber threats, those threats have one thing in common, as he says:
‘I think those who have a malicious intent are pretty smart. They are going to adapt their tactics, techniques and procedures to try to find vulnerabilities and leverage them.’
But to Brig Gen Touhill, this is where government has an edge.
‘When it comes to such things as the stereotypical 20-year-old who is probing networks, that’s really where we have to make sure that we stay on our toes to detect those who have malicious intent; to heighten awareness at the tactical level. But I look at cybersecurity from the construct where you have strategic, operational and tactical levels. Government is extremely good at strategy, and operational employment is our asset. That’s really where our strength is.
‘To be effective at the strategic, operational, and tactical levels we believe a team approach is best. That’s why we are so keen to leverage public and private cybersecurity partnerships.’
Public and Private Collaboration
But before there is operational deployment there must be consensus. So how did the Americans gain that consensus? It started in February 2013, when President Obama issued an Executive Order. It directed the US National Institute of Standards and Technology (NIST) to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure.
A year later the first version of the Framework for Improving Critical Infrastructure Cybersecurity was published. The Framework is the result of an unusual collaboration, as Brig Gen Touhill relates.
‘The NIST used an outstanding technique of industry-driven crowd-sourcing. We, as the US federal government, went out to the American people and industry with a series of face-to-face engagements as well as web-based engagements. We asked everybody – “Hey, what do you think would be best practices? What do you think the standards should be that we should be employing?”’
The Framework Core
The Framework has a Core, consisting of five concurrent and continuous functions: Identify. Protect. Detect. Respond. Recover.
The Framework Core also contains industry standards, guidelines and practices. The NIST has made all the material contained in the Framework available. It can be downloaded from the NIST as a FileMaker runtime database solution, the NIST Cybersecurity Framework Reference Tool.
This Framework is just one of the tools used by the Americans to help fuel and influence the debate on cybersecurity. Brig Gen Touhill explains how he sees their role.
‘One of our roles is to be the leaders of the “Cyber Neighbourhood Watch” where we educate, inform and share information across all parts of the critical infrastructure and the public, so that everybody can be responsible cyber citizens.’
Everyone in the cybersecurity debate acknowledges that this is a global issue that can only be tackled globally. The ‘Cyber Neighbourhood Watch’ needs to cover the planet, and the Americans are working on that basis, as Brig Gen Touhill explains.
‘We maintain positive relationships with numerous countries of all different sizes and capabilities. Our view is that we want to share information as much as possible because when we raise the bar for everybody then we provide better security for our interests all around the world. Our partnerships are very strong and our collaboration is, we believe, very effective.
‘We collaborate internally but then we also maintain bilateral and multilateral relationships, addressing cybersecurity issues of mutual concern. Just in the last couple of months that I’ve been in my post we’ve hosted representatives from virtually every continent here in our facilities outside of Washington. There is a whole host of different engagements that we have and we find that communication and co-ordination across the global community helps build trust and co-operation.’
Framework For Discussion
This could be such a wide-ranging topic that it would be easy for international discussions to range around without necessarily moving forward. In this regard, the Framework has proven to be a useful map to follow. As mentioned above, the Framework Core has five elements, and these form the basis of much discussion, as Brig Gen Touhill explains.
‘The five key attributes: identify what you have; protect it; be able to detect when you are under a threat; respond appropriately and be able to recover well. From those five key areas there is best practice; they are representative of different lessons learned from industry and from academia around the world. It is a valued construct and allows us to speak the common language of the Framework.
‘When we talk with folks across the 16 critical infrastructures, that cybersecurity Framework is the starting point. It is something that everybody understands and it puts the conversation into a positive construct.
‘Certainly, when we talk with our international partners that framework resonates extremely well with them. We have had our partners from the international community indicate to us that they want to adopt a similar Framework in their countries.’
To Brig Gen Touhill, it’s all about managing risk. To that end, he’s optimistic about the progress made, in that he sees awareness of cybersecurity issues increasing in the boardrooms along with the budgets allocated to the task. He sees that ‘those private owners and operators of critical infrastructure have better situation awareness and can better manage the risk.’
However, he is far from complacent when viewing the future.
‘We have to remain on our toes. We need to continue to include cybersecurity in the conversation and take cybersecurity out of the server room and make it a conversation piece on every agenda and in every boardroom.’