Protecting federal civilian government networks and critical infrastructure against cyberthreats requires an aggressive and proactive approach, but privacy and legal concerns also have to be addressed. And that is being done, according to Brendan Goode, U.S. Department of Homeland Security (DHS) director of Network Security Deployment (NSD). He spoke at the American Bar Association Standing Committee on Law & National Security breakfast in Washington, D.C. today.
The NSD is responsible for the National Cybersecurity Protection System (NCPS), which deploys technologies to guard against cyberattacks for “dot gov” Internet domains as well as critical infrastructure networks. Goode emphasized four key areas that NCPS focuses on in order to effectively carry out its role: Detection, analysis, information-sharing, and intrusion prevention. He says that when it comes to the information-sharing aspect, privacy and legal issues are a “sizable” concern for the program.
“[A] key challenge that we’ve been facing is really what is the appropriate relationship of how to do information-sharing, still recognizing that we are sharing classified and sensitive data,” said Goode. And beyond sensitive government data, NCPS has to work with critical infrastructure partners who have “their own special handling requirements for how they treat their own privacy civil liberties and security of their data.”
Last year, NPD released a privacy impact assessment that addressed the program’s approaches to information sharing, including its handling of personally identifiable information. “We’ve made our best effort in terms of finally telling a full story of what NCPS is and what we’re trying to do to secure the government, not just [saying], here’s an individual application that we’re putting online,” Goode noted. He also pointed out that the NSD consistently engages with the DHS Data Privacy and Integrity Advisory Committee, which advises the head of the DHS on privacy matters.
Goode said the fact that they addressed privacy and legal concerns up front was important, “as opposed to considering it a distraction" or something that they would address downstream "and then have to figure out where you’d have to readjust the systems that we’re trying to move forward,” he explained.
NSD was able to predict what privacy and legal issues might arise in day-to-day operations through a pilot program with the Department of Energy in 2012 in which they tested several cybersecurity measures, as well as the existing resiliency of the nation’s electrical grid. “To be able to test out these concepts before we did a full-scale deployment across an entire enterprise” created a tremendous opportunity for learning, said Goode.
“I consider privacy one of those factors [that is] just a part of the conversation of how we scope what we can and can’t do in the technology services we offer out there,” said Goode, “understanding that there are going to be considerations and boundaries of what we can do, and then just providing the capabilities within those boundaries.”
Flickr photo by marsmet526