Q&A: Cybersecurity and Infrastructure
Print Issue: October 2018
Jeanette Manfra serves as the U.S. Department of Homeland Security’s National Protection and Programs Directorate (NPPD) Assistant Secretary for the Office of Cybersecurity and Communications.
Q. What is NPPD's role in protecting the nation's cybersecurity infrastructure?
A. We see ourselves as the national risk manager. It's not that we own all the risk or have the ability to unilaterally take actions to reduce that risk, but we are the organization that sits in the center between the intelligence community, U.S. Department of Defense, and law enforcement, and the threat side—federal networks, critical infrastructure, and all of our partners in the private sector—to understand what risk looks like for them and for the nation. We identify what risk looks like in coordination with our partners and what actions we can take, whether that's government actions or industry actions or collective actions to reduce that risk. Though NPPD's role won't change, legislation has been introduced to change our name from NPPD to the Cybersecurity Infrastructure Security Agency. This change is designed to help people understand what we do.
Q. How does cybersecurity affect the physical infrastructure of the country?
A. The more dependent the delivery of those critical services becomes on technology and connectivity of networks, the more the attack surface increases. Risk can no longer be thought of as belonging to an individual organization. Previously, an organization could have a pretty full understanding of what its individual risk was and take steps to manage that risk. Now you're in a position where there's shared risk across the country. It's a different way we have to think about risk.
Q. What are some examples of cybersecurity threats you're seeing?
A. The things I am most concerned about revolve around critical services and functions. An adversary can disrupt those, whether by creating a situation where we're not able to trust the data, or by remotely manipulating something physical. Those are not theoretical threats. The department has spent the last several months raising awareness on what nation-states are attempting to do, but the good news is that the electric sector has a lot of resilience built into the industry to recover power quickly during an outage, and that can be applicable for a cyber situation—you don't always need a cyber solution for a cyber problem.
Q. What's in store for NPPD in the coming months?
A. We just announced the national risk management center, which will address all types of national risk and how we manage that risk collectively. Cybersecurity will be a big part of that. We're also very focused on workforce. By incorporating cybersecurity in curriculums and truly investing in teaching people about the security side of these technologies, we're not only raising a generation of individuals who understand how to be safer digital citizens, but we can recruit some of them to be professionals.