The Department of Homeland Security wants private-sector companies to get under the agency’s information-sharing umbrella in order to better manage and mitigate cyber risks to critical infrastructure.
Suzanne Spaulding, the Under Secretary of DHS’ National Protection and Programs Directorate, told audiences at Wednesday’s MetricStream GRC Summit that industry’s sharing of cyber threat information with DHS creates a “network of networks” that reduces the risk of another major data breach, like the 2013 Target breach that affected more than 40 million customers.
“Today the adversary can use either an IP address or a kind of malware, or other kinds of tactics and procedures for conducting malicious activity, and they can use it over and over and over, because we’re not sharing that information efficiently enough,” Spaulding said. “What we’re trying to create here is a system that as soon as any node on this network of networks detects malicious activity, that information goes in milliseconds to everybody in this network of networks. And so the adversary might be able to get away with some once, but only once, because as soon as it’s spotted, everyone has it, and ideally, has the technology, which is available, to block it. And that would be a huge step forward.”
With cybersecurity threats on the rise, Spaulding said her team has broadened its purview on national security infrastructure threats to include more than just bridges, roads and buildings.
“It is all of those goods and services and functions that underlie our way of life, and have such an impact to our day-to-day lives. So of course it’s the electric grid and water, but it’s also financial services and emergency services. It’s nuclear facilities and chemical facilities, but it’s also critical manufacturing and commercial facilities. So it’s not just about protecting, it really is about ensuring the functionality that we’ve all come to depend upon,” she said. “It’s about our ability to take full advantage of the wonderful benefits that a networked world has to offer us. And it requires a fundamental level of security in order to do that.”
With the growing influence of cyber in the threat landscape, Spaulding said organizations need their chief executive officers to stay abreast of the issues, rather than just chief technology and information officers.
“It’s particularly important when you’re talking about cybersecurity, because it’s so easy to cede this to the technical folks and to put this in a stovepipe, that it’s only about IT systems and networks, when really it has to be part of that broader conversation about functionality within those critical infrastructure sectors,” Spaulding said.
Congress encouraged further public-private partnership on cybersecurity last year through passage of the Cybersecurity Act of 2015, which passed as part of the year-end budget deal. Spaulding said information sharing allows government and industry to move more swiftly to prevent or minimize cyber intrusions.
“We need to move with the speed that our adversaries move, and that’s what our automated information sharing initiative was designed to do, and is now open for business,” she said. “The idea with the automated information sharing is that we’ll have this network of networks. It’s not a spoke-and-hub idea. We encourage companies to share information with us — the more data we get, the more we can add value through analysis, and we’re building stronger and stronger systems to detect bad things we’ve never seen before.”
Spaulding also touted the agency’s success with its Enhanced Cybersecurity Services (ECS) program, which guides industry’s sharing of cyber threat indicators with DHS’ National Cybersecurity and Communications Integration Center (NCCIC).
“At DHS NPPD we try to add value. Threat is one of the areas that I think the private sector most looks to the government for help. And so we try to provide context at sort of the strategic level,” Spaulding said.