DHS: We won cyber turf wars under Obama

Einstein became a symbol in some ways of DHS’s struggle to assert its authority over the security of federal networks — a fight DHS has won, Schneck said.
Phyllis Schneck speaks at the 2016 Security Through Innovation Summit.

This is the second article in a three-part series on President Barack Obama’s record on cybersecurity issues. Click here for part one, an interview with the Department of Defense’s Aaron Hughes.

The government shut down two weeks after Phyllis Schneck started as the Department of Homeland Security’s deputy undersecretary for National Protection and Programs in September 2013. So she had a lot of time to read and think about one of the big questions that faced her right away — the future of one of DHS’s marquee cybersecurity efforts, the network monitoring program called Einstein.

“The first question that was asked of me … out of the White House and out of our management directorate at DHS was, ‘Do we put a fork in it?’” said Schneck, a computer scientist who joined the department from computer security pioneer McAfee.

Many believed Einstein was done and DHS’s responsibility for federal government cybersecurity was in question. But despite concluding that the technology underlying Einstein was 25 years old — and not 10, as she had been warned — Schneck decided to work with the system, which is a kind of filter over federal government internet traffic.


“It could be a platform [for DHS] to build on,” said Schneck, in a wide-ranging exit interview with CyberScoop.

The biggest challenge was to leverage the situational awareness that Einstein provided beyond the signature-based defense it offered — even though those signatures included classified ones — the NSA’s much-vaunted “secret sauce.”

Agencies needed to learn that “Einstein is not all you’re supposed to have on your perimeter,” she said.

Einstein became a symbol in some ways of DHS’s struggle to assert its authority over the security of federal networks — a fight DHS has won, Schneck said.

The NCCIC dashboard


Einstein and DHS’s continuous diagnostics and monitoring or CDM program, which offers agencies private-sector cybersecurity tools from a pre-selected menu paid for by the department, will eventually provide the department’s National Communications and Cybersecurity Integration Center with a “dashboard” integrating data from across the federal government to show “what’s broken, what’s not,” she added.

As of the end of 2016, CDM phase one was deployed, or being deployed, through all 23 Cabinet-level civilian departments and agencies, and covered 97 percent of the federal civilian workforce, according to DHS figures.

Meantime, the latest version of Einstein, dubbed E3A, is providing coverage to a total of 199 civilian departments and federal agencies, representing more than 92 percent of the civilian workforce of the executive branch.

“We will collect everyone’s data” across the federal government, Schneck said, noting that the information can, by law, only be used for cybersecurity purposes.

That governmentwide operational dashboard is internally codenamed Weathermap, she said. It has already helped federal investigators link the original Office of Personnel Management breach to an intrusion into a data center run by the Department of the Interior — which in turn led to the discovery of the second and much larger OPM breach.


“We do it incredibly well, but we could it faster,” she said of such forensic work.

Weathermap gives DHS visibility into the day-to-day functioning of federal networks. But the government “is not where it needs to be” on the broader, strategic questions of IT governance — who buys, runs and maintains software, hardware and services throughout the federal government, Schneck said.

In any case, those broader missions don’t even belong at DHS, she said.

“We’re firemen, not policemen,” she explained, acknowledging that governance “is something that OMB needs to look at … centralization is the wrong word, but how do we get the resources to cybersecurity.”

Among the department’s cybersecurity achievements with the private sector, Schneck lists automated indicator sharing, or AIS — the system that shares technical clues to hacker activity at machine speed.


More than 70 companies and other partners like state and local governments or information sharing organizations are connected to the DHS AIS system, Schneck said — meaning hundreds of organizations are receiving threat indicators in real time, despite the complexity of the system, which requires anyone who wants to connect to negotiate a boutique agreement with the department.

“It’s not plug-and-play,” she said of AIS.

Change our name!

Schneck’s most important piece of advice for her successors at the National Protection and Programs Directorate: “Change our name!”

“The name is very important right now, so people know where they work,” she said, referring to the Obama administration’s plan to re-organize NPPD — currently a DHS headquarters element housing the department’s critical infrastructure protection and resilience-building efforts — as a national cyber-operations agency.


The new role is derided by some critics as “cyber cops,” but retired Marine Gen. John Kelly, the man tapped by President-elect Donald Trump to head DHS, told his confirmation hearing last week that the long-slated reorganization would be a “top priority.”

The leadership of Undersecretary Suzanne Spaulding and Homeland Security Secretary Jeh Johnson had brought about “a big change, a big cultural change” at the department, Schneck said.

“That team has done a lot. They made a lot happen. They made me want to be here,” she said.

One important change: creating management tracks for people who wanted to remain technical experts.

“You shouldn’t have to decide at a certain point, ‘Do I want to be a manager or do I want to do science?’” she said.


As for the incoming administration, she hopes it will recognize her office’s talent.

“Understand you have an elite group,” she said, “and take good care of them.”

Shaun Waterman

Written by Shaun Waterman

Contact the reporter on this story via email, or follow him on Twitter @WatermanReports. Subscribe to CyberScoop to get all the cybersecurity news you need in your inbox every day at

Latest Podcasts