The Department of Homeland Security unveiled a new National Risk Management Center to help critical infrastructure organizations such as banks and electric companies deal with cyberattacks.
The National Risk Management Center will act as the single focal point for industry and government to share threat information, manage risk, and develop ways to mitigate risk, DHS secretary Kirstjen Nielsen said at a summit in New York City. The center will initially focus on energy, telecommunications, healthcare, and financial services sectors. To kick off the new hub, DHS established a new elections task force to help secretaries of state across the country evaluate their security risk in advance of November's midterm elections.
"The DHS was founded 15 years ago to prevent another 9/11. I believe the next major attack is more likely to reach us online than on an airplane," Nielsen said in her keynote at the summit.
With cyberattacks becoming more sophisticated, coordination between the private sector and the government is increasingly necessary. Through this new center, DHS will be able to help private companies protect their networks, and in exchange, receive information about ongoing attacks. That information can then be used to help other companies that may be targeted. Currently, security expertise is trapped in different silos across different agencies and key threat information is being held by different organizations, making information-sharing slow and cumbersome.
Nielsen said DHS would be able to provide a "crowd-sourced" response to attacks by tapping into experts from both the public and private sectors.
"An attack on a single tech company can rapidly spiral into a crisis affecting the financial sector, energy systems and health care," Nielsen said.
Public-private information sharing initiatives aren't new, but past efforts have been stymied by fears of federal overreach. Companies have complained that the government was slow to release actionable threat information, and that most of the data was stale or already well-known. Companies operating in multiple countries risked backlash in other countries because of the perception that they were sharing information with the United States government. There have also been fears that sharing information could lead to regulatory action for various reasons, such as mishandling proprietary information or suffering a breach.
"This [the National Risk Management Center] was an obvious thing to do for a decade, but it didn't happen," John Donovan, CEO of AT&T Communications, said during a panel discussion at the summit. "The ability to move at speed across organizations is really vital to effective defense."
NextGov recently reported that only six companies are sharing information with federal agencies under the Cybersecurity Information Sharing Act (CISA). Congress passed CISA in 2015, giving companies legal protection from being sued if they share information with DHS. A mere 190 companies and 60 federal departments and agencies receive threat data from the automated indicator sharing program run by DHS.
"It’s important that we share information and create a comprehensive network of information sharing," Thomas Fanning, president and CEO of energy company Southern Company, said on the panel.
The DHS wants to see more integration between the public and private sector, similar to the model followed by other countries. In the United Kingdom, for example, the government plays a large role in protecting private systems. The risk management center will try to make a stronger case to the industry about the value of cooperating with the government.
FBI director Christopher Wray said that private and public sector entities have different strengths that can be combined for better defense overall. The FBI is "threat-focused," as its officials are busy identifying and attributing the threat. "But to disrupt the threat, we’re going to have to figure out ways to be more creative as a public-private community, and there are all kinds of things that the private sector can do far more effectively than we could,” Wray said. “The idea is to combine strength with strength.”
Energy Secretary Rick Perry said the Department of Energy is trying to double the number of utilities taking part in its information sharing program. The program was instrumental in helping to detect the Russian hacking campaign against the energy sector that began in 2016 because private companies had a lot of forensics data to share, Perry said.
Large organizations have strong defense programs, but it's the links with smaller, less prepared companies that are vulnerable, said Ajay Banga, president and CEO of Mastercard. Compromising these smaller companies leads to breaches at bigger companies, due to the way critical infrastructure systems are interconnected. Banga called for "joint exercises" between telecommunications, energy, and financial services to prepare for attacks. Mastercard has established a good working partnership with the FBI so that its team knows "whom to call for what, when," and how to respond.
Work at the center will be broken out in a series of "90-day sprints," with the first one focused on developing a "risk registry," a list of the nation's digital "crown jewels" that need to be protected. The goal is to catalog the nation's most vital digital assets and to figure out what needs to be protected first.
"Not all risks are created equal," Gen. Paul Nakasone, director of the National Security Agency and commander of the U.S. Cyber Command, said on the panel. Adversaries know what they are focusing on, and defenders need to start thinking that way.
The new risk management center will coexist with the existing DHS information sharing program, the National Cybersecurity Communications and Integration Center. The new center will focus on long-range projects such as the risk registry and supply chain threats, freeing up the NCCIC to focus on incident response, vulnerability disclosure, and other operational issues that require a speedy response.
DHS may be tasked with the responsibility of protecting critical infrastructure, but that is difficult to do when most of the country's critical infrastructure is owned by the private sector. It also doesn't help that the definition of critical infrastructure is continually expanding. DHS currently has identified 16 industry sectors—the list includes energy, dams, communications, and voting systems—as critical infrastructure.
Public-private partnerships give the US “asymmetric advantage in cyberspace,” since the majority of the critical infrastructure belongs to the private sector, Gen. Nakasone said. "Partnerships are what makes us really, really powerful."
At the same event, Nielsen unveiled another DHS initiative, a voluntary supply chain cyber risk management program to let public and private sector experts work together to "hunt down" specific security weaknesses.
"What we want to communicate today is that government is here to help you," said Christopher Krebs, the undersecretary of DHS's National Protection and Programs Directorate. "We are inextricably linked. Your risk is our risk."