The Homeland Security Department is standing up a new one-stop shop aimed at protecting and sharing cyber threat information with major industries, including banks, electric companies and telecommunications companies.
DHS Secretary Kirstjen Nielsen, speaking Tuesday at an agency cybersecurity summit in New York, said the National Risk Management Center would help break down some of the communication barriers that exist between the government and sectors.
“We are facing an urgent, evolving crisis in cyberspace. Our adversaries’ capabilities are simply outpacing our stovepiped defenses,” Nielsen said, adding cyber threats as a whole now exceed the threat of physical attacks against the U.S.
In recent years, DHS has worked with individual private-sector companies in sharing cyber threat data to reduce the threat of future attacks.
However, the National Risk Management Center, she said, would lead to more collaboration across government and across industries.
“Our goal is to simplify the process, to provide a single point of focus for the single point of access to the full range of government activities to defend against cyber threats,” Nielsen said. “I occasionally still hear of companies and state and local [governments] who call 911 when they believe they’ve been under a cyber attack. The best thing to do would be to call this center — this will provide that focal point.”
Rick Perry, secretary of the Energy Department, said the center would streamline the way the government talks to companies about cyber threats, and vice versa.
“Because the vast majority of this infrastructure is privately owned, then we have to have partners. In order for us to be successful, we’ve got to have partners in the private sector that understand they can trust their information flowing back to us. They can trust the decisions, that they’re equal partners,” Perry said. “This public-partnership that’s being created here, I think, not only is a model, but it has to be that way.”
The center will work in 90-day sprints, and will begin working with the finance, telecoms and energy sectors. Nielsen said its partners in those industries would host a major cross-sector exercise later this fall.
Citing a rise in cyber threats from nation-state actors and a significant increase in the number of internet-connected devices, Nielsen said the center will help DHS adopt a more strategic approach to risk management.
“These days, cyber threat data is a bit like a puzzle piece,” Nielsen said. “Having the private sector with us will enable us to take a piece of threat data to determine what puzzle it belongs to, and then to determine how to fit it into the puzzle — so we can see the trend, we can see the thread, we can see the purpose, perhaps, of the attack, but certainly the implications and effects.
This year, Perry said the Energy Department plans to double the number of energy utilities enrolled in Cybersecurity Risk Information Sharing Program (CRISP), an energy sector-specific partnership funded by both the agency and the Electricity Information Sharing and Analysis Center (E-ISAC).
Perry said his decision to stand up an Office of Cybersecurity, Energy Security, and Emergency Response (CESER) was the “most important step at DOE in the last 12 months” to improve its cyber defenses.
The Trump administration picked Karen Evans, a former White House IT official under the George W. Bush administration, to lead Energy’s new cyber office.
Chris Krebs, the undersecretary for DHS’ National Protection and Programs Directorate (NPPD), also announced the agency is launching an Information Communications Technology Supply Chain Task Force.
Nielsen said the task force will look to “identify single points of failure, concentrated dependencies and inter-dependencies that can cause ripple effects across sectors.”
In February, Jeanette Manfra, the assistant secretary for the Office of Cybersecurity and Communications at the National Protection and Programs Directorate (NPPD), announced that DHS had already created a task force looking at supply chain risks.
The House passed a bill in May 2017 that renamed NPPD as the Cybersecurity and Infrastructure Security Agency, and would create a new director-level position that reports directly to the DHS secretary
Nielsen said the reorganization would recast NPPD “into an ambitious operational agency, capable of better confronting digital threats.”
Rob Joyce, a senior adviser for cybersecurity strategy to the director of the National Security Agency, and the former White House cybersecurity coordinator, said the NSA remains worried about “a number of different avenues” when it comes to supply chain risk.
“It’s not just what’s in the hardware itself. It’s the way the hardware is maintained and controlled,” Joyce said. “If you get a manufacturer who produces something, and they have maintenance access, or they have the ability to insert themselves into that supply chain and maintain it, that poses a risk.”
Joyce added that cybersecurity officials have tracked a “significant new emphasis” where hackers have sought to compromise software used by agencies, often without the aid of the manufacturer.