When the Homeland Security Department launched the National Risk Management Center last summer, the agency announced it would strengthen its cybersecurity information sharing partnerships with private industry, starting with three sectors: Finance, telecommunications and energy.
While DHS aims to broaden those partnerships out to 16 industry sectors, Chris Krebs, the undersecretary of the National Protection and Programs Directorate (NPPD), said Wednesday that his agency sees more value in understanding the role each industry plays in the nation’s critical infrastructure,
“The concept here is to start looking at the 16 critical infrastructure sectors, less about the companies that make them up, but more the services and functions that are delivered by those sectors,” Krebs said Wednesday at a Unisys forum in Washington.
With financial services, for instance, Krebs said DHS plans to look at functions like wholesale payments and pricing, not necessarily the unique concerns of any one bank.
“It’s what is the service, who makes up delivering that functionality, what are the things that we’re worried about, and we get away from the strategic and move into the tactical, we transition the actual risk management activities and the execution of the strategies out to the industry, out to Treasury,” Kreb said. “That will involve all 16 sectors more broadly.”
DHS has yet to provide any clues on which industries they’ll work with next.
“In terms of where we look at the next expansion of the tri-sector group remains to be seen,” Krebs said. “I’m looking for small indicators of success that we can build bigger things on. One of the mottos is: ‘We’re going to do big things here, but we’re going to build on small things to get to those big things.'”
Krebs described the National Risk Management Center as one half of a two-pronged approach to cybersecurity: “defending today and securing tomorrow.”
One prong, the National Cybersecurity & Communications Integration Center (NCCIC), handles more of the day-to-day cybersecurity tasks, like information sharing and securing agency networks through programs like EINSTEIN and Continuous Diagnostics and Mitigation (CDM).
The National Risk Management Center, on the other hand, focuses more on a long-term vision.
“It’s how do we think about the problems strategically — get all the stakeholders together and chart out that path for the next 18 months, five years, 10 years,” Krebs said.
NPPD aims to build public confidence in election cybersecurity
According to 2018 Unisys Security Index, which the company released Wednesday, one in five adults reported that they wouldn’t vote or expressed “a high likelihood they would not vote in the next election” due to cybersecurity concerns.
Krebs, having recently gone through a gauntlet of media appearances to outline DHS’ efforts to protect the upcoming midterm election from outside interference said the report’s findings make sense.
“It doesn’t necessarily surprise me, because it’s relatively new,” he said. “We’ve talked about bank cybersecurity for a decade-plus. Election security just kind of hit the public awareness in the last two years.”
Krebs added that reports about Russian interference made the 2016 presidential election a “tipping moment” for public awareness about cybersecurity.
“Cybersecurity was no longer an intellectual property theft piece, it was no longer a cybercrime, it was actually a destabilizing threat sector to our system of government, our democracy,” he said. “And so we need to better engage on the psychosocial, or the confidence side of cybersecurity.”
While NPPD addresses “hard infrastructure challenges,” Krebs said the agency seeks to delve deeper into the public’s confidence in the government’s ability to shore up cybersecurity.
“We tend to be focused more on what are the actual technical issues across infrastructure, the systems themselves,” he said.
Krebs said DHS has made a significant amount of progress over the last two years, but based on his ongoing conversations with states’ secretaries of state, as a “race without a finish line.”
“Security tends to be thought of a binary,” he said. “You’re either secure or you’re not secure. Now election security is about resilience in the system and auditability and understanding where your last good point is, so that you can validate the results.”