Lute: 'We Cannot Run Cyber Like an Intelligence Program'

Today, the Department of Homeland Security loses one of its top voices as Deputy Secretary Jane Holl Lute departs the agency after four years. In addition to her experience in homeland security, Lute has a long history of public service in national security and diplomacy. I had the opportunity to sit down with her this week for a Q&A to discuss her time at DHS and what the agency’s future might hold.

JHF: What do you see as the three most significant accomplishments during your four years there?

I think the first and foremost accomplishment is answering the question of whether this country can protect itself. The answer is yes. We can pool our strengths and we can be successful in protecting ourselves. It is clear that the government cannot do all that needs doing here. State and local governments and even the public must be brought in to help reach the common goal.

We cannot be complacent. The deterioration of Al Qaeda has not ended the objectives of those who want to do harm to the United States and our citizens. We have made an investment in this country, in the state and local government partnerships, as well as with the private sector, to be able to respond rapidly and effectively. This is the most significant accomplishment.

A second accomplishment is that we put on the map the importance of cybersecurity to our national and economic security. There was not much of a national dialogue four years ago. It was not clear what role the federal government would play. We have learned that we must improve cybersecurity by working together with our partners across government and with the private sector to build the world's most secure cyber economy.  

A third significant accomplishment is what I would call the plumbing and wiring of the department. In less than 10 years, we achieved a qualified audit opinion. We have created administrative and operational systems more responsive and efficient than ever for dealing with all kinds of disasters. We continue to improve on individual preparedness, community resilience and the preparedness and capability of the entire homeland security enterprise.

JHF: One of the issues that has emerged as we get farther away from 9/11 is how do we balance the need for people to be aware of potential terrorism without having fear fatigue or getting them over complacent? 

I am a New Yorker. That’s a city with a grip on itself from a security standpoint, and it is exciting and vibrant as it ever has been.  Buses, subways, taxis -- everywhere are the signs: “If You See Something, Say Something.”  We have taken a page out of that book and rolled it out nationwide. We have said to the public:  If something looks suspicious, report it to the local authorities. We have taken the lessons of 9/11 and built a security framework where Americans take and understand that homeland security is a shared responsibility. America can protect itself and we must do it together.

JHF: Does the move away from Al Qaeda and organized terrorist groups to lone wolves change the dynamics?

State and local law enforcement has always known about the threat of lone wolves and the potential   harm they can inflict. We continue to build on what we know. Police departments are more prepared and capable of responding.  We have learned from past experiences and how to respond as effectively as possible. We also know it is unwise to generalize about a particular ethnicity or religious group based on the actions of a few. We will continue to work rapidly and responsively to recognize the signs of lone wolf actors. We also need to break barriers that isolate communities. And we must all stay vigilant.

JHF: One of the first things that the Department undertook under this Administration was the first ever Quadrennial Homeland Security Review. What were the lessons learned there? What do you think the agency should be focusing on as it turns to the next QHSR which is due out in the next year?

The first QHSR answered the questions: What is Homeland Security? What do we do?  The upcoming QHSR will answer the question: How will we do it?  How will we ensure Homeland Security while protecting civil rights, civil liberties and individual privacy?

JHF: Turning to cybersecurity- there is a lot of discussion on how do we talk about it.  Is it national security? Is it law enforcement? Is it preparedness?  Is it the private sector’s responsibility?

At the heart of cybersecurity is the reliability and integrity of your personal identity and your information -- are you who you say you are? How do we keep someone from profiting from your identity in cyberspace? The Internet is an extraordinary innovation for humanity in and of itself, and at its core cyberspace is a public space -- civilian space. It is growing organically and instantaneously. We must have norms in cyberspace. We need to understand what property means in cyberspace. What is the role of government?

It is interesting to me that generally speaking, security is an assignment that society gives to government. We expect government runs the police and makes law; government runs the military and makes treaties. Cybersecurity, however, has not been given to the government as a primary responsibility. It is still open, accessible, and what security exists is largely maintained by the public and the private sector. Again, the key to securing cyberspace is securing people’s identities and information and that will mean identifying roles and responsibilities for individual hardware manufacturers, software developers, internet service providers, governments, international partners, and others.

We will not be able to run the cybersecurity of the nation exclusively like an intelligence program. Is there a role for the intelligence community? Yes, but it is not the leading role. Is there a role for law enforcement? Yes, in that law enforcement must bring law to bear when crimes happen in cyberspace. We must manage cybersecurity as a civilian responsibility -- one that recognizes the need to bring reliability and integrity to identity and information protection.

JHF: So, comparing it the physical world, do we bring brick and mortar norms and laws into cyberspace? Or do we need a new way of dealing with the issue?

The Administration has made it a priority to narrate what we believe are fundamental norms in cyberspace -- freedom of access, privacy, an open Internet, reliability, trustworthiness, and safety. Globally, we have norms against criminal behavior that the majority of societies can agree with. We need to enforce those laws in cyberspace.

JHF: So what do you see as the biggest threat to us in cyberspace? 

Existing unpatched vulnerabilities.

JHF: Do you feel that cybersecurity is more of a priority for non-critical infrastructure and tech companies, e.g. the rest of the Fortune 500, than it has been in the past?

Yes, cybersecurity so interesting in that we all have responsibility for it. We all have to be attentive and collaborative on security so that we are all more secure. All critical infrastructure owners and operators, Fortune 500 CEOs, and even owners of small companies and individuals must -- and are --paying attention to cyberspace. Every business connects to cyberspace. They manage business systems, employee communications, customer records and more. So every business has a responsibility to safeguard systems and prevent unauthorized use.

JHF: As more commercial sites are getting hacked- beyond critical infrastructures- has DHS seen its role change at all?

When we did the first QHSR four years ago, we listed five missions that are critical to our homeland security:  preventing terrorism, securing our borders, administering and enforcing our immigration laws, building national resilience, and we called out the need to ensure the nation’s cybersecurity as an important part of the value proposition we call homeland security. Cybersecurity is a national mission and is part of the federal government’s responsibility, because, in many ways, cyberspace is the endoskeleton of modern life.

The government doesn’t have all the expertise or information to do it alone. We must make use of the information and tools we have.  We must work to help educate the public, engage the private sector and partner in the larger international community in all the issues that fall under the word cybersecurity.

 JHF: As part of the President’s Executive Order, the Department has put together Working Groups to deal with various cybersecurity issues. At the same time, NIST has issued RFIs and is holding workshops to gather information. How are the two processes working together?

They are interacting at many levels. DHS is charged with supporting NIST in the development of cybersecurity standards and private sector outreach. And in this respect, the Administration has taken a pragmatic approach to cybersecurity. It is not a theoretical question or simply a paper exercise.  The standards will reflect what we -- at every level -- will have to do to enhance our nation’s cybersecurity and protect our critical infrastructure.

JHF: Any additional thoughts on the path forward for homeland security and DHS?

I get asked questions about the relative youthfulness of the Department and its status as a new agency. Enough with the new. DHS is 10 years old. It has learned and matured an enormous amount in the last 10 years. I’m also often asked to compare national and homeland security. As someone who spent a career in national security, I can say it is different.

National security is strategic, centralized, top-driven. Homeland security is transactional, decentralized and bottom-driven -- driven by the needs of the public and of state and local municipalities.

So when you think of the Internet and of cybersecurity, it is not strategic, centralized or top-driven. It is transactional, decentralized and driven by the billions of transactions that happen in cyberspace every day. It is a lot like Homeland Security. For me, it has been an extraordinary learning experience and a privilege to serve at DHS.