Larry Zelvin has been at the forefront of the U.S. response to numerous large-scale disasters over the last 13 years. He was high up in the Joint Chief of Staff’s Homeland Security Division during the Sept. 11, 2001, terrorist attacks. When Hurricane Katrina struck New Orleans in 2005, Zelvin was a principal director for the defense secretary’s office.
Five years later, as a senior crisis manager with the White House National Security Staff, Zelvin had a hand in the country’s response to the 2010 Haitian earthquake, the 2010 Deepwater Horizon oil spill in the Gulf of Mexico and the 2011 Japanese earthquake, which severely compromised Japan’s nuclear reactors.
From man-made catastrophes — terrorism — to natural catastrophes — hurricanes, oil spills — Zelvin has now moved on to preparation for cyber catastrophes. As the head of the Department of Homeland Security’s National Cyber and Communications Integration Center, or NCCIC, Zelvin helps push the government toward continuous monitoring, increased cybersecurity analysis and reporting and enhanced information sharing across agencies.
“The good news is that our [cybersecurity] conversations — and I was intimate on 9/11 and Hurricane Katrina — are happening now before those type of major events,” Zelvin said. “We really are focusing on cybersecurity.”
FedScoop recently caught up with Zelvin to discuss how DHS is trying to get ahead of looming cyberattacks, and how Zelvin’s experience working with cybersecurity differs from his experience planning for, and responding to, terrorist attacks and natural disasters. [Ed. note: Conversation has been edited for clarity and length]
FedScoop: Tell me about some of the technical barriers, not the logistical barriers, but the technical barriers of coordinating between departments within DHS, which is so sprawled out.
Larry Zelvin: The first challenge is, “What is the information we’re sharing?” The challenge on the dot-gov [domain] is far easier than it is on the dot-com [domain], because it’s a finite grouping. There are 30 large federal departments and agencies and their subcomponents — and so on and so forth — but there’s one governance structure around the dot-gov.
FS: Is there any concern that when the Internet Corporation for Assigned Names and Numbers opens up more domain names, dot-gov will be less protected?
LZ: We have trusted Internet connections and we have the Einstein system in DHS and the federal government can self-regulate, so while you have a lot of domain names and that’s a challenge, at least it’s a finite grouping. Same thing with the dot-mil. There’s an old adage, if you try to defend everything, you defend nothing. You try to lower that which you defend.
FS: That’s the problem with cyber, right? You’re trying to defend everything.
LZ: Correct. But as you look at it, the military domain is small, the federal government domain is small to medium and the dot-com is just infinite. If you try and do it even broader, it becomes more challenging there.
FS: How would you quantify dot-gov? How would you describe how big it is?
LZ: It really depends on how you define big. If you’re looking at all the URLs, you can continue to spin it out. But there is a large effort to limit government Web page access. You can’t just go, “I want to create a new URL,” and off you go. There’s an approval process. And actually we’re trying to limit that, the number of sites we have out there. Some of that is security and some of that is just good governance.
I was at the Deputy CIO of the Army [Mike Krieger], and I want to say he said there are 2 million people on his networks on a given day. But they know because they use their cards [Zelvin pointed to his own ID badge, with an embedded microchip] to log in and he knows how many people have these tokens. But that’s just the Army. If you look at the Navy, Air Force and Marines Corps, it gets bigger. We, on the civilian side, have not gotten to that fidelity because not everybody is required to use these token cards. Again, we are at DHS, but we’re still getting there as a federal government.
So, we should be able to quantify it, but on your personal computer, it’s not a requirement. It really depends on how you want to measure it and what the measure is useful for.
FS: With those changing security measures across agencies, what kind of logistical challenges does that create?
LZ: You have independent acquisition systems, you have independent governance systems, but as you try and bring it all together … which is why I think the Defense Department has a far easier job — the secretary of defense can go “thou shalt do this, thou shalt do that.” On the civilian side, you have the cabinet departments and agencies, so the secretaries of the various departments and agencies can govern as they see fit. But even looking within DHS, you have TSA, you have the Coast Guard, you have CDP [Center for Domestic Preparedness], ISO [Immigration Services Officer] and so forth. So, we have not necessarily unified.
FS: With cyber at DHS, is that disparate nature the biggest challenge?
LZ: I think it is a challenge. Ultimately, [DHS Secretary Janet Napolitano] gets to decide, and she has the ultimate authority. Cyber is more about access and less about security. Security is a concern, but people want to have the ability to get the information and do it the speed they can do it on the dot-com. So, you have to understand, it’s the balance of security and the balance of prevention vis-a-vis the desire and need to present information so people can have access.
FS: I’m sure you’re following the [National Institute of Standards and Technology] cybersecurity framework being developed. What kind of involvement do you, and your cyber team within DHS, have during these weekly team meetings between DHS and NIST?
LZ: If you look at the executive order, DHS has a preeminent role in all this. Determining critical infrastructure and what is critical with industry. DHS is that conduit with industry. We have longstanding relationships with industry across the 16 critical infrastructures developed after 9/11 with the Homeland Security Act of 2002. That’s one of those areas where DHS has been very helpful. We don’t have to recreate relationships; we already have them. It’s just a matter of driving the conversation and getting the results that we seek to achieve.
FS: As a result of the executive order’s directive, how do you think DHS’ definition of what is critical infrastructure will change? Or will it not change?
LZ: I think DHS is taking a bigger look at it, in that after 9/11 [critical infrastructure] was more about the physical. After Katrina, it really became looking at the man-made and looking more at natural disasters. I think we’re now at the point we’re looking at cyber as well. You’ve had a progression of an understanding of security frameworks from terrorism to natural disasters to now cybersecurity. And the good news is, we’re doing it before we have a major event like 9/11 or a Katrina.
FS: That’s the last thing I wanted to hit on. I know you’ve spent a lot of time preparing for natural disasters and terrorist attacks. What’s the difference preparing for a theoretical cyber disaster as opposed to a natural disaster?
LZ: In my mind, it’s focus. After 9/11, people really understood the dangers of terrorism and the sense of urgency because we thought we could be attacked at any moment. After Hurricane Katrina, seeing people on the buildings looking for help, and with things happening at the Superdome and also the [Ernest Morial] Convention Center, there was a huge sense of urgency that the nation cannot allow this to happen again to its citizens. We haven’t had that in cyber.
The good news is that our conversations — and I was intimate on 9/11 and Hurricane Katrina — are happening now before those types of major events. We really are focusing on cybersecurity.
But I would say — and I grew up in New York — if you were talking to my family about hurricanes before Sandy, they’d go, “Meh, it’s not a big problem, that’s not a big deal, hurricanes are Florida.” You have their attention now. So, I worry on a major cyber event that the good work we’re doing — while impressive — I worry about the speed at which we’re doing it and the focus with which we’re doing it.
You look at the debates on the Hill — I’m apolitical, I’m a career civil servant, but I really hope we can get legislation that will help us. The biggest thing for me is to articulate that which private sector can share with government. I think there’s a lot of desire to share with government so we can get [the information] out to the 16 critical infrastructure, so we can get it out to the state and local level, so we can get it out to our 200 international partners, so that we can get it out even within the federal departments and agencies. But companies are not sure if they can share that information. [Current legislation] doesn’t say they can, it doesn’t say they can’t. So, they err on the side of safety. We need clarify.
They’re worried about breaking laws like the Wiretap Act [see: The Electronic Communications Privacy Act], they’re worried about regulatory compliance and then they’re worried about corporate reputation. It would be good to have clarity in terms of, “Hey, I can share IP addresses, I can share date-time stamps, I can share [autonomous system numbers].”
We have to be respectful of law and respectful of privacy, but if you want to share and you volunteer to share, what is it you can share and have a good understanding of, “This is OK and that’s not.”