By James E. Brooks, George C. Marshall Center Public Affairs DirectorDecember 15, 2015
GARMISCH-PARTENKIRCHEN, Germany - The captain of the United States neighborhood cybersecurity watch team shared his thoughts on cyber security to an international group of military and civilian cyber professionals at the George C. Marshall European Center's Program for Cyber Security Studies Dec. 15.
U.S Department of Homeland Security Deputy Assistant Secretary for Cybersecurity and Communications Gregory Touhill stressed the importance of managing risk in today's cyber world.
"At the end of the day cybersecurity is not about technology, it's about managing risk. One of the things I've learned in my professional career and my academic career is that you have to look at a strategy. You can buy down your risk by 80 percent by implementing best practices," Touhill said.
According to Touhill, reducing risk by implementing best practices in creating a strong cyber network is called "cyber hygiene," and it's something you do every day like brushing your teeth, as part of a daily routine.
Despite recent headlines of cyber intruders getting access to personal security information of millions of federal workers, there is another cyber issue that keeps him awake at night.
"What keeps me awake at night is the protection of our industrial control systems. We find that a lot of those industrial control systems, the computers, the human interfaces that control critical infrastructure, are not adequately controlled. They are connected to the internet without adequate protections in some cases. When they were invented and installed, cybersecurity wasn't a concern. They are old. They were bolted on. And we need a better job protecting them," said Touhill.
Managing risk is not only possible through the use of best practices, but also by sharing information and having a plan in place to prepare and respond to cyber-attacks and intrusions. Touhill added that you will never get to a zero risk solution.
"In the international stage is to better share information about threats and vulnerabilities. By better understanding the threats that are out there as well as the vulnerabilities inherent in the systems, software, personnel practices, we are in a better position to discuss and manage risk," he said.
Touhill spoke to PCSS participants during the final days of their two-week resident program here. Following his presentation, he had the opportunity to sit down and observe several seminars where cyber security issues and strategies are discussed in great detail. Seminars are an integral part of the curriculum in order reach a common understanding of cyber terminology and begin to understand the importance relationships formed in the course which will lead to future information sharing.
"I continue to find on a daily basis that relationships matter and when you get into a situation where cyber risk is introduced ultimately you are going to have to ask other people for help. A cyber risk to one is a cyber risk to all. The best part of this course is building those relationships on an international scale and what is unique about this course at the Marshall Center is the breadth and scale of the international relationships nurtured and developed here," Touhill said.
The final day of class for PCSS students is two days away. They will no doubt be taking a great deal of insight back with them. Touhill hopes they take something back from his remarks.
"I'd like to see the students go back to their countries and have that conversation about risk management and putting it on the appropriate agenda so that risk is managed at the appropriate level using the appropriate processes and procedures," he said. "I hope they also take home the student rosters and stay in touch. Relationships don't end when you graduate. They are just beginning."
There was one other cyber security thought Touhill hoped the international students would keep in mind.
"We are all part of a greater cyber neighborhood watch. We have to take care of our own enterprise but we have to take care of our neighbors and sharing info about best practices, threats, vulnerabilities, and how to deal with them are critically important. We need to be a good cyber neighborhood watch," he said.