DHS Cybersecurity Official Says Industry Falling Behind Attackers


The security industry needs to create innovative new ways to address antiquated security systems that are being constantly attacked and defeated by cybercriminals, according to an official at the Department of Homeland Security overseeing cybersecurity.

Speaking to hundreds of security professionals at the Cloud Security Alliance Summit, Mark Weatherford, who is Deputy Under Secretary for Cybersecurity for the National Protection and Programs Directorate (NPPD), said the nation faces serious consequences if outdated systems aren't addressed. The NPPD oversees physical and cybersecurity of federal agencies and coordination of critical infrastructure protection.

Weatherford said the private and public sectors are relying far too much on outdated security mechanisms, including antiquated patch management processes, authentication and antivirus.

"Why is it that a simple user ID and password is still the most common method to log into a system or application?" Weatherford asked a packed conference hall Monday morning. "People are still putting private information on public-facing websites for other people to come and scrub it off. ... We have to get better about innovating to solve these kinds of things."

The Cloud Security Alliance Summit at RSA Conference is a half day of sessions centered on tackling cloud security issues as well as risks posed by mobile devices and tablets. The CSA issued a slew of announcements, including the establishment of online resources to help companies address the legal issues related to cloud computing and a threat report detailing the nine most dangerous cloud security threats.

Weatherford said he believes the cloud can contribute to addressing serious threats. He said he hopes the nation is at the "precipice of an innovation moment," addressing security threats in more efficient ways. Systems are becoming powerful enough to collect attack data and apply analytics for deeper insight into the threat landscape.

"We're beginning the next great innovation of technology that will make the past obsolete," Weatherford said. "I think that the cloud has stimulated our ability to take advantage of the incredible value of big data in ways we couldn't have imagined 10 years ago."

Weatherford was chief security officer of the North American Electric Reliability Corporation (NERC) before being appointed in 2011 to oversee cybersecurity at the DHS. The agency, he said, is helping coordinate President Obama's executive order to establish an up-to-date framework linking cybersecurity with physical security of critical infrastructure and work with the National Institute of Standards and Technology (NIST) to create a voluntary set of standards for the protection of critical infrastructure.

Weatherford said he has been working to streamline operations to make the division more agile to respond to security threats by disseminating threat information and coordinating response activities. The agency, he said, is striving to be the "cyber911 for the nation."

"We want to be that first phone call you make," Weatherford said. "If we can't deal with it, we get you to the right people you need to talk to."

Weatherford also said the agency hopes to address a skills gap in the security industry by attracting young people to become talented security professionals. He urged those in attendance to get their organizations to invest in after-school programs focused on hacking and computer programming.

"The government needs to figure out how to make security be a little cooler so people gravitate to it," he said.

PUBLISHED FEB. 25, 2013