Principal at the Chertoff Group
Information-sharing and workforce development
August 8, 2013—The CyberWire interviewed Mark Weatherford, Principal at the Chertoff Group, in New York City during SINET's 2013 Innovation Summit. He shared his views prospects of public-private cyber information-sharing, and on how to build an effective national cyber workforce.
The CyberWire: How would you rate the ongoing effort to improve public-private information sharing?
Weatherford: I think the "effort" to improve information sharing has been heartfelt, but "success" has been harder to substantiate. One reason is that there are so many organizations playing in the sandbox, the private sector oftentimes doesn't know who the right organization they should be sharing with. Thinking narrowly about cyber security threat information sharing, you have US-CERT at DHS, the US Secret Service, the FBI, DOD, state fusion centers, local law enforcement, sector specific Information Sharing and Analysis Centers (ISACs) and even many private sector organizations. It can be very confusing. I think the government has made a lot of progress in the past year or so, mostly in response to some of the cyber-related activity focused on the United States, but it's still a challenge and there's still some wariness on the part of the private sector. The President's recent Executive Order, and specifically the recently announced "incentives" initiative, could have a very positive impact on public-private cyber security information sharing.
The CyberWire: What obstacles do you think remain, and what ongoing efforts would you like to make people aware of?
Weatherford: TRUST. Trust continues to be the biggest obstacle. I read a blog by retired General Stanley McChrystal the other day where he talked about trust. In it he said to invest early and often in relationships and trust will follow. That is a profound truism. The government needs to continue investing in relationships with the private sector, and not just from a "check the box, we talked to them" perspective but real, sincere relationships where the goal is to improve everyone's enterprise knowledge about cyber security risks. I think the ISACs are another area where the government could make some real, tangible improvements. The ISAC's were a result of Presidential Decision Directive 63 in 1998, which called for action within critical infrastructure companies. Unfortunately, there has never been much support from the government to create a consistent and repeatable model for what an ISAC looks like and how it operates. A privately operated non-profit ISAC organization funded (at least partially) by the government for each of the 16 critical infrastructure sectors would be hugely beneficial to the Nation and could serve as an aggregation point for critical cyber security information sharing.
The CyberWire: Building a "cutting-edge" cyber workforce is generally recognized as a challenge. What measures would you recommend we take, as an industry, to meet it?
Weatherford: Make the development of cyber security talent a National priority. It gets great lip service but most government organizations and private companies do very little to actually invest in growing talent, finding it easier to poach people from each other. So while I think a certain amount of workforce transition is healthy, too much exacerbates the problem because it means we are losing valuable institutional knowledge. It's short-sighted and doesn't prepare us for the future, which will eventually have serious economic consequences for the Nation. Companies should obviously be funding internal training for current staff, but more importantly they should be supporting external programs like the US Cyber Challenge, the Air Force Association's CyberPatriot Program, and others to help grow the next generation of cyber security professionals. I also think it makes sense to begin thinking about adding a cyber component to the national STEM program - the situation is becoming that dire. There are dozens of answers for how industry can help address this problem but it requires a laser focus and the time is now.
The CyberWire: Thank you, Mr. Weatherford.