Roll Call: Latest News on Capitol Hill, Congress, Politics and Elections
September 2, 2015

Five Questions With Rob Zitz of Leidos, on Cybersecurity

Rob Zitz has worked on national security for 35 years, 32 of them in the intelligence community, and now is a senior vice president at Leidos, the company that split last year with SAIC. It’s a top contractor for the Defense Department with nearly $6 billion in annual revenue.

Zitz spoke with Five By Five in an interview Friday about cybersecurity and the Department of Homeland Security. (Leidos has a number of prime contracts with DHS, some of which are related to cybersecurity, and Zitz is a former DHS official himself.) Here are some highlights:

Do the cybersecurity information sharing bills in the House and Senate go far enough?

I think the recent legislation in both the House and Senate are positive steps forward. I think they both recognize we need to modernize our national cybersecurity programs. I think it’s important that they both emphasize public and private partnerships and public and private information sharing. I’m optimistic from reading in the reporting that’s coming out this week about recent meetings between the leadership of DHS and FBI and NSA that indicate there’s even greater understanding for the need for partnerships on the government side. I think the bills indicate that on the legislative side, everybody understands that the stakes are high, that progress is going to take a “whole of nation” approach. It used to be trite to say “whole of government.” This isn’t just government. It’s the government and private sector working together. HPSCI [House Permanent Select Committee on Intelligence] and SSCI [Senate Select Committee on Intelligence] leadership both expressed optimism about the capability to bring together their two bills on information sharing, although the Senate legislation has yet to be formally introduced. I think that what they’re talking about doing is a major step forward.

If you pivot off that question, and ask it differently, what’s been changing inside DHS regarding information sharing, there has been quite a bit of work of late over the last few years, really remarkable progress in that arena.

Looking at what’s happening inside DHS the last couple years, there’s a lot of progress in terms of how they are addressing the threat. I can give you examples. When I think about DHS and their role, I tend to think of it not just from a technical side. I look at it from the standpoint of prevention, protection, mitigation, response and recovery. DHS has got a central role in terms of coordination. When I think about what DHS is doing, they have the NCCIC [National Cybersecurity and Communication Integration Center]. The NCCIC has U.S. CERT [Computer Emergency Readiness Team], which is working the operations side. I think about things like Einstein, systems that are monitoring and looking for intrusion and doing protection, doing that work. It’s not in a vacuum. There are hundreds of stakeholders working with the department, including international. A little known one is ICS, the industrial control systems CERT. The ICS CERT is working with all 16 sectors of critical infrastructure in the U.S., out there training, helping with response to cyber attacks, onsite evaluations. It’s heavily involved in working closely with the sector specific agencies that make up those 16 critical sectors for critical infrastructure protection. An interesting example lately is when you think about a medical device, including those implanted in a patient, that has wireless capability. It’s a threat, a vulnerability, somebody could hack into that and disrupt that. The DHS ICS CERT worked with the national health information ISAC [Information Sharing and Analysis Center], NHISAC. They worked with them to bolster medical devices protection.

Culturally, I think that DHS is propagating the idea from a cultural standpoint that you’ve got to educate and train to understand the problem. As an organization, they’re very good at helping the government and private sector to see that organizationally cyber cannot be something that is just the IT department’s responsibility.

DHS has understood for years now and helped other people understand this is about defense in depth, or layered defense. It’s about building blocks that start with basic hygiene, firewalls in place, patches in place. Solid defenses don’t stop there. They understood to go beyond that they have to move to continuous diagnostics and mitigation. They have been really helping to lead the way in that regard.

If you look beyond that, where is DHS going now, they’re very much interested in the idea of being able to go beyond signatures. What’s understood now is people are starting to much more understand this: Cybersecurity signatures are very much like driving a car while you’re looking in the rear view mirror. It’s based on past events, past intrusion and past viruses. It’s absolutely critical to understand, characterize and build effective defenses against those, but that only defends against that exact signature and attack.

Yet there is skepticism from some on the Hill and in the business community about how big a role DHS should play, and we’ve seen legislation that would’ve expanded the role of DHS watered down in the past. Why is that, and what can be done about it?

DHS’s cybersecurity mission and capability has not been around that long. It’s really been about 10 years now. During that period of time there was a maturation process that took place. Overall there was a question about the threat, how significant was the threat and then once that threat was understood, how many resources were needed within DHS to start to address the problem. As the resources started to mature and grow, the individuals and level of expertise to work the problem matured and matured significantly inside DHS. The processes and relationships, the trust that takes time to build — those have matured over that time span, the last couple years. Like anything, it takes a little time to build from the crawl/walk/run stage. I can tell you that we see a much more advanced and much more mature thinking, much more advanced processes, a much more advanced set of technical capabilities that are about to be procured at DHS.

What are the biggest threats to U.S. cyber-infrastructure?

What keeps me up awake at night are catastrophic attacks on energy, transportation, finance. If we look at the SCADA — the control systems of those industries — if a nefarious actor were to penetrate those they could cause damage that goes far beyond temporary damage or temporary denial of service. The effects could be catastrophic. I think about not being able to be cool in the hottest time in the summer or to be able to be heated in the coldest of the winter. This is not about an inconvenience, this is about loss of life.

What can be done to address the shortage of cybersecurity professionals, either in Congress, in the executive branch or in industry?

There was a bill last year to address the need to be able to hire and provide compensation of cybersecurity professionals at the department that I think is a step forward. I know that DHS has been aggressively recruiting and hiring. Clearly people with the appropriate skills are in high demand. There will probably be some discussion about the standards that are required — for example, often times in the government in order to fill a certain position level there is a requirement to have had a college degree. On cyber now, more and more in industry and government, that is being reviewed, and it’s really more about not so much, “Do you have the college degree?” but, “Do you have the current knowledge of the systems and the software and the current experience that’s applicable?” That will also help some with hiring.

What are some trends you’re seeing in the cybersecurity sector of business?

I think that you’re going to see, with where the industry is going, the trends are enabling protection in an encrypted environment. More and more stakeholders are using encryption for data at rest and data in motion — the development of an environment where legitimate and malicious traffic are being co-mingled. With advanced persistent threats, one of the things everyone is concerned about, we may have to operate in an environment where there are malicious actors in the network in the data, and a way to be able to operate in that environment is to have your most sensitive and most important data be encrypted. So you have both encrypted and unencrypted in the open co-mingle.

Another example is real-time machine-to-machine interactions. We see examples of that machine-to-machine now. The trend of the future is that will be the norm. People will refer to that as autonomous.

There will be more focus on protecting the data itself in addition to protecting the networks, tagging sensitive data at the stakeholder level, monitoring and alerting outside its protected location. I’m working on a project where information that makes up that project is tagged, and if that project showed up somewhere it should not be, unexpectedly, you know it immediately, you protect on that, you alert on that and you prohibit any further manipulation of that data.

Another example: policy levels for being able to integrate open, unclassified information with classified information to have multilevel domain software and systems so you can bring together myriad sources of information that are classified and unclassified to be able to have that real time common operating system. There are experiments that are going on now, including at Leidos, on the use of automated behavioral analysis. It’s still in the lab. The approach is born from the clinical psychology world. Psychologists have known that in order to break a disruptive behavior of an individual, it’s based on antecedents. If you find the antecedent and stop it from occurring, you stop the behavior and prevent the consequence. Understanding the antecedents to know that this is a malicious attack lets us know in real time whether the level of expertise and deception embodied in that data packet is such that we should alert analysts and be able to take immediate action in response to that packet.

(This interview transcript was edited for length.)
