Lute: 'We Cannot Run Cyber Like an Intelligence Program'

Homeland Security Deputy Secretary Jane Holl Lute

Homeland Security Deputy Secretary Jane Holl Lute European Union

On the eve of her departure, DHS Deputy Secretary Jane Holl Lute Reflects on an eventful tenure.

Today, the Department of Homeland Security loses one of its top voices as Deputy Secretary Jane Holl Lute departs the agency after four years. In addition to her experience in homeland security, Lute has a long history of public service in national security and diplomacy. I had the opportunity to sit down with her this week for a Q&A to discuss her time at DHS and what the agency’s future might hold.

JHF: What do you see as the three most significant accomplishments during your four years there?

I think the first and foremost accomplishment is answering the question of whether this country can protect itself. The answer is yes. We can pool our strengths and we can be successful in protecting ourselves. It is clear that the government cannot do all that needs doing here. State and local governments and even the public must be brought in to help reach the common goal.

We cannot be complacent. The deterioration of Al Qaeda has not ended the objectives of those who want to do harm to the United States and our citizens. We have made an investment in this country, in the state and local government partnerships, as well as with the private sector, to be able to respond rapidly and effectively. This is the most significant accomplishment.

A second accomplishment is that we put on the map the importance of cybersecurity to our national and economic security. There was not much of a national dialogue four years ago. It was not clear what role the federal government would play. We have learned that we must improve cybersecurity by working together with our partners across government and with the private sector to build the world's most secure cyber economy.  

A third significant accomplishment is what I would call the plumbing and wiring of the department. In less than 10 years, we achieved a qualified audit opinion. We have created administrative and operational systems more responsive and efficient than ever for dealing with all kinds of disasters. We continue to improve on individual preparedness, community resilience and the preparedness and capability of the entire homeland security enterprise.

JHF: One of the issues that has emerged as we get farther away from 9/11 is how do we balance the need for people to be aware of potential terrorism without having fear fatigue or getting them over complacent? 

I am a New Yorker. That’s a city with a grip on itself from a security standpoint, and it is exciting and vibrant as it ever has been.  Buses, subways, taxis -- everywhere are the signs: “If You See Something, Say Something.”  We have taken a page out of that book and rolled it out nationwide. We have said to the public:  If something looks suspicious, report it to the local authorities. We have taken the lessons of 9/11 and built a security framework where Americans take and understand that homeland security is a shared responsibility. America can protect itself and we must do it together.

JHF: Does the move away from Al Qaeda and organized terrorist groups to lone wolves change the dynamics?

State and local law enforcement has always known about the threat of lone wolves and the potential   harm they can inflict. We continue to build on what we know. Police departments are more prepared and capable of responding.  We have learned from past experiences and how to respond as effectively as possible. We also know it is unwise to generalize about a particular ethnicity or religious group based on the actions of a few. We will continue to work rapidly and responsively to recognize the signs of lone wolf actors. We also need to break barriers that isolate communities. And we must all stay vigilant.

JHF: One of the first things that the Department undertook under this Administration was the first ever Quadrennial Homeland Security Review. What were the lessons learned there? What do you think the agency should be focusing on as it turns to the next QHSR which is due out in the next year?

The first QHSR answered the questions: What is Homeland Security? What do we do?  The upcoming QHSR will answer the question: How will we do it?  How will we ensure Homeland Security while protecting civil rights, civil liberties and individual privacy?

JHF: Turning to cybersecurity- there is a lot of discussion on how do we talk about it.  Is it national security? Is it law enforcement? Is it preparedness?  Is it the private sector’s responsibility?

At the heart of cybersecurity is the reliability and integrity of your personal identity and your information -- are you who you say you are? How do we keep someone from profiting from your identity in cyberspace? The Internet is an extraordinary innovation for humanity in and of itself, and at its core cyberspace is a public space -- civilian space. It is growing organically and instantaneously. We must have norms in cyberspace. We need to understand what property means in cyberspace. What is the role of government?

It is interesting to me that generally speaking, security is an assignment that society gives to government. We expect government runs the police and makes law; government runs the military and makes treaties. Cybersecurity, however, has not been given to the government as a primary responsibility. It is still open, accessible, and what security exists is largely maintained by the public and the private sector. Again, the key to securing cyberspace is securing people’s identities and information and that will mean identifying roles and responsibilities for individual hardware manufacturers, software developers, internet service providers, governments, international partners, and others.

We will not be able to run the cybersecurity of the nation exclusively like an intelligence program. Is there a role for the intelligence community? Yes, but it is not the leading role. Is there a role for law enforcement? Yes, in that law enforcement must bring law to bear when crimes happen in cyberspace. We must manage cybersecurity as a civilian responsibility -- one that recognizes the need to bring reliability and integrity to identity and information protection.

JHF: So, comparing it the physical world, do we bring brick and mortar norms and laws into cyberspace? Or do we need a new way of dealing with the issue?

The Administration has made it a priority to narrate what we believe are fundamental norms in cyberspace -- freedom of access, privacy, an open Internet, reliability, trustworthiness, and safety. Globally, we have norms against criminal behavior that the majority of societies can agree with. We need to enforce those laws in cyberspace.

JHF: So what do you see as the biggest threat to us in cyberspace? 

Existing unpatched vulnerabilities.

JHF: Do you feel that cybersecurity is more of a priority for non-critical infrastructure and tech companies, e.g. the rest of the Fortune 500, than it has been in the past?

Yes, cybersecurity so interesting in that we all have responsibility for it. We all have to be attentive and collaborative on security so that we are all more secure. All critical infrastructure owners and operators, Fortune 500 CEOs, and even owners of small companies and individuals must -- and are --paying attention to cyberspace. Every business connects to cyberspace. They manage business systems, employee communications, customer records and more. So every business has a responsibility to safeguard systems and prevent unauthorized use.

JHF: As more commercial sites are getting hacked- beyond critical infrastructures- has DHS seen its role change at all?

When we did the first QHSR four years ago, we listed five missions that are critical to our homeland security:  preventing terrorism, securing our borders, administering and enforcing our immigration laws, building national resilience, and we called out the need to ensure the nation’s cybersecurity as an important part of the value proposition we call homeland security. Cybersecurity is a national mission and is part of the federal government’s responsibility, because, in many ways, cyberspace is the endoskeleton of modern life.

The government doesn’t have all the expertise or information to do it alone. We must make use of the information and tools we have.  We must work to help educate the public, engage the private sector and partner in the larger international community in all the issues that fall under the word cybersecurity.

 JHF: As part of the President’s Executive Order, the Department has put together Working Groups to deal with various cybersecurity issues. At the same time, NIST has issued RFIs and is holding workshops to gather information. How are the two processes working together?

They are interacting at many levels. DHS is charged with supporting NIST in the development of cybersecurity standards and private sector outreach. And in this respect, the Administration has taken a pragmatic approach to cybersecurity. It is not a theoretical question or simply a paper exercise.  The standards will reflect what we -- at every level -- will have to do to enhance our nation’s cybersecurity and protect our critical infrastructure.

JHF: Any additional thoughts on the path forward for homeland security and DHS?

I get asked questions about the relative youthfulness of the Department and its status as a new agency. Enough with the new. DHS is 10 years old. It has learned and matured an enormous amount in the last 10 years. I’m also often asked to compare national and homeland security. As someone who spent a career in national security, I can say it is different.

National security is strategic, centralized, top-driven. Homeland security is transactional, decentralized and bottom-driven -- driven by the needs of the public and of state and local municipalities.

So when you think of the Internet and of cybersecurity, it is not strategic, centralized or top-driven. It is transactional, decentralized and driven by the billions of transactions that happen in cyberspace every day. It is a lot like Homeland Security. For me, it has been an extraordinary learning experience and a privilege to serve at DHS.

  

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.