Back in early March of this year, I was honored to speak with Jeanette Manfra after the National Cyber Security Alliance’s annual luncheon at the RSA Conference in San Francisco.
Manfra is the assistant director for Cybersecurity for the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). During the luncheon, which highlighted DHS activities, she described CISA’s current actions and future vision in a “fireside chat” with NCSA Executive Director Kelvin Coleman.
This was the second time I’ve heard Manfra speak, and on both occasions she was clear, articulate, and spoke with passion, expertise and personal stories that reminded me of similar conversations with former DHS cyber leaders like Phyllis Schneck and Mark Weatherford.
When we talked after that event, Manfra (and her team) agreed to be interviewed “on the record” for my blog on a wide-ranging list of cybertopics. I am pleased to offer you that interview here.
Before we start the interview, you can get a sense of Jeanette Manfra’s speaking style by watching this Washington Post video excerpt from an interview in 2017.
At DHS, Manfra has held multiple positions in the Cybersecurity Division, including advisor to the assistant secretary for Cybersecurity and Communications and deputy director of the Office of Emergency Communications, during which time she led the department’s efforts in establishing the Nationwide Public Safety Broadband Network. You can see her professional biography here.
Exclusive Interview Between Jeanette Manfra and Dan Lohrmann
Dan Lohrmann (DL): What are the greatest cyberthreats facing our nation in 2019?
Jeanette Manfra (JM): Cyberthreats to federal networks and critical infrastructure are one of our most pressing national security challenges. We have seen advanced persistent threat actors, including cybercriminals, nation states and their proxies, increase the frequency and sophistication of malicious cyberactivity. They are developing and using advanced cybercapabilities in attempts to undermine critical infrastructure, target our livelihoods and innovation, steal our national security secrets and threaten our democracy.
Over the last few years, we have issued several alerts to help network defenders and system administrators protect their systems from various threats and adversaries, to include state-sponsored actors from China, Russia and North Korea. In addition to the interagency, we routinely collaborate with our international partners.
The United Kingdom’s National Cyber Security Centre joined us in an alert about Russian global exploitation of network infrastructure devices. With Australia, Canada, New Zealand and the United Kingdom, we published a joint product that highlighted publicly available tools that have been used for malicious purposes in recent cyberincidents.
DL: The new CISA agency has been in place for several months now. How have activities evolved?
JM: Under the leadership of former DHS Secretary Kirstjen Nielsen and CISA Director Chris Krebs, we hit the ground running. We are working closely with Congress to ensure they are aware of our plans as we position ourselves as the nation’s risk adviser.
Restructuring and alignment is well underway to streamline our organization over the course of the next two years. For example, we are integrating some of the Cybersecurity Division capabilities with the National Risk Management Center and the Infrastructure Security Division.
We are working to successfully align communication and coordination across our agency. We have several hundred employees out in the field, from coast to coast, working to safeguard our critical infrastructure. We are one CISA and we are working to change and break down the culture of internal silos.
Assistant Director Manfra viewing information with policy analyst Maryam Ali at the National Cybersecurity and Communications Integration Center in Arlington, Va., on April 25, 2019. Brent Logan, CISA photographer
DL: What are CISA’s top priorities for 2019-2020?
JM: For cybersecurity, our priorities are industrial control systems, federal civilian networks, election security and China/supply chain, to include 5G.
We are taking a renewed focus on industrial control systems (ICS), the processes that provide vital services in critical infrastructure, such as electricity, transportation, water/wastewater, manufacturing, communications, etc. The convergence of information technology (IT) systems with operational technology (OT) puts devices increasingly at risk in a hyper-connected world. We want to assess how we — collectively with owners and operators, law enforcement, intelligence and international partners — can reduce risk in a converging cyberphysical landscape.
In protecting the federal civilian executive branch networks, or “.gov”, I want us to lean forward in using our authorities as well as assessing and improving our tools, resources and capabilities, such as Continuous Diagnostic Mitigation (CDM) and the National Cybersecurity Protection System (NCPS), which includes “EINSTEIN.” Since 2015, we have issued several binding operational directives (BOD) for departments and agencies (D/A) to take specific actions to improve network protection and resilience. In response to the global threat to the domain name system (DNS), we issued our first emergency directive that mandated D/As assess and strengthen the protection of their DNSs. We make these directives publicly available at https://cyber.dhs.gov so our private-sector, state/local government and international partners can see what we’re doing to better protect the federal domain — part of our collective defense effort. Another important effort in this area is working with the Commerce Department and Census Bureau to protect Census 2020, which includes the integrity and security of their data and mission.
For election security, we are building on the positive outcomes and relationships from the 2018 mid-term elections. These critical relationships with state and local election officials, voting machine vendors and interagency partners will be leveraged to the fullest extent to protect the 2020 elections.
We are actively leading supply chain risk management in both government and industry. There are many benefits to the upcoming deployment of 5G technologies; however, it also increases access points that could be used by our adversaries to get into our networks. We know that China is a persistent cyberespionage threat to the U.S. government, corporations and allies. Our top priority is stopping China from tampering with the U.S. supply chain, including 5G networks.
We view our priorities as the priorities of the American people, federal civilian government and critical infrastructure owners and operators.
DL: Can you elaborate on a few specific projects you are working on within DHS?
JM: One project is the Information and Communication Technologies Supply Chain Risk Management Task Force, with members from government and the IT and Communications Sectors. It is examining and developing consensus recommendations to identify and manage risk to the global technology supply chain. The Task Force participants include 40 of the largest companies in the IT and communications sectors as well as 20 federal partners.
Another project is the Tri-Sector Executive Working Group with senior representatives from the financial services sector, communications sector, and electricity sub-sector, and Treasury and Energy. The objectives of this group are to help direct intelligence collection requirements, build cross-sector risk management playbooks, and better understand system risk.
The Pipeline Cybersecurity Initiative is a partnership with the Transportation Security Administration. With TSA expertise, we are working with asset owners and operators on in-depth review and evaluation of the control system’s network design, configuration and interdependencies.
DL: What is being done at CISA regarding election security for 2020?
JM: First, we recognize that America’s election processes are governed and administered by state and local election officials in thousands of jurisdictions across the country. When DHS designated elections as critical infrastructure, we had to reach out to a community that didn’t know us and a community that is somewhat political. I think now we’re pretty good at understanding elections, reaching out, listening, and engaging vendors and election officials in all 50 states and more than 1,400 local jurisdictions.
For 2020, we are doubling down on our information sharing, assistance and increasing our outreach to local officials to #Protect2020. Working with the self-organized and self-governed councils for election infrastructure, a few of our goals are to achieve 100 percent auditability by 2020, improve audits and incentivize patching of election systems.
We will continue to build and strengthen the partnership between federal, state and local government and private-sector entities, such as voting machine vendors. There is no silver bullet for securing election infrastructure.
Assistant Director Manfra meeting members of the Executive Women’s Forum at the EWF Cybersecurity Women on Capitol Hill Public Private Symposium at the U.S. Capitol on May 9, 2018. Credit: Antonio Soliz, CISA public affairs specialist
DL: How is CISA working with state and local governments regarding cybersecurity and infrastructure?
JM: We partner with state, local, tribal and territorial (SLTT) and major organizations on strategic initiatives focused on reducing cyber-risk across the SLTT enterprise. These partnerships that act as force multipliers and promote DHS services include: National Association of Counties (NACo), National Association of State Chief Information Officers (NASCIO); National League of Cities (NLC); National Conference of State Legislatures (NCSL); and National Governors Association (NGA). One example is our partnership with NASCIO that led to the development of a State Cybersecurity Governance Report and series of State Cybersecurity Governance Case Studies exploring how states govern cybersecurity.
Primarily supported by us (CISA), the Multi-State Information Sharing and Analysis Center (MS-ISAC) provides access to analysis services and intrusion detection for SLTT governments. We work closely with MS-ISAC and consider it to be a principal conduit for sharing cybersecurity information.
Our work with SLTT was in place before the designation of elections as a critical infrastructure, but it was more toward the chief information officers. We understand that local governments have some unique challenges when facing cyber-risks like ransomware. So we offer free access to training, assessments, information sharing and incident response. CDM tools are available to state and local governments on GSA IT Schedule 70 through the cooperative purchasing agreement. And we have cybersecurity and physical security advisers regionally based and, upon request, available to provide onsite consultation.
DL: Are there resources available to help security professionals at the front line with their missions?
JM: In nearly all our alerts about malicious activity, we recommend the application of cyberhygiene and best practices. These are not new ideas, but they are critical because we know that malicious cyberactors routinely seize on government and industry that have weak security practices.
For security professionals, our website, www.us-cert.gov/ccubedvp, offers preparedness support, assessments, training of employees, best practices advice and cyberhygiene resources.
Automated Indicator Sharing (AIS) is a great tool for bi-directional sharing of cyberthreat indicators in real time through a confidential and secure format. Threat indicators are pieces of information like malicious IP addresses or the sender’s address of a phishing email. AIS is designed for volume and velocity; it does not provide much context, but we are working to improve this. To sign up for this service, go to www.us-cert.gov/ais.
We offer vulnerability scanning of Internet-accessible systems for known vulnerabilities on a continual basis as a no-cost service. We have more than 1,100 customers participating in this service from the private sector, SLTT and federal government. When we detect a concern, we notify the customer so they may proactively mitigate risks to their systems prior to exploitation.
For those working in industrial control systems, we offer online and classroom training from the beginner level to the advanced network defender.
DL: You have focused a lot of energy on attracting and retaining talent. How is DHS, and specifically CISA, dealing with this issue now?
JM: For several years, we have been using every tool available to recruit and retain talent with laser focus on building a talent bench of cyberprofessionals, and incentivizing talent to start and grow a career with CISA. Our challenges aren’t unique, but are felt throughout the industry.
In the president’s budget proposal, we are asking for funding to launch the Cyber Talent Management System that we think will be a more agile and innovative personnel system. A few positive things we think will occur are a speedier hiring process, larger talent pool to draw from and, depending on aptitude, allowance for rapid acceleration in careers.
The hiring process for cybertalent is the same as for traditional government skills and we want to change it. We are in the final stages of developing this program and plan to make our first hires later this year.
DL: Is there anything else that you would like to add?
JM: It is an exciting time as we enter our next chapter at DHS in the newly created CISA. The CISA director and I know that ahead of us lie great challenges, but even greater opportunities.
If we continue to strengthen our collective defense, I think we can create an environment where the advantage is with the defender.
I want to thank Assistant Director Manfra for her time and for answering important questions regarding CISA’s vital mission and future plans.
I encourage state and local governments as well as private-sector partners to engage with CISA on these projects to strengthen our cyberdefenses. Also, visit the hyperlinks in this interview for more details on these cutting-edge DHS projects.