What infrastructure qualifies as critical? What functionalities do citizens most depend on? Does a cyberattack by a foreign power that doesn’t damage critical infrastructure or kill anyone count as an attack? These are some of the heavy questions the National Risk Management Center, the Homeland Security Department’s new one-stop shop aimed at protecting and sharing cyber threat information with major industries, is weighing as it begins to examine how adversaries could disrupt day-to-day life in the U.S.
“That’s really the first effort of this National Risk Management Center, is to identify what those critical functions are in coordination with industry. And then what we need to do is assess the risk to those functions, and who those stakeholders are that are involved in those functions,” Jeanette Manfra, National Protection and Programs Directorate assistant secretary for the Office of Cybersecurity and Communications at DHS, said during a panel at an Oct. 10 RealClearPolitics event, Securing Cyberspace: Forging a Collective Defense.
She compared the approach to businesses that plan to maintain continuity during cyberattacks and similar events. The difference, she said, is that NRMC isn’t approaching it from a strictly cyber point of view. Instead, it’s looking at what the country depends on to function overall. So it’s considering geopolitics, foreign policy, diplomacy and similar dimensions.
For example, she said, the country needs energy, communications and a stable financial system. These are just three of the 16 sectors DHS considers critical infrastructure. But the country also needs free and fair elections. That doesn’t fall under any one sector. Does that mean it’s not critical to the functioning of the country?
Manfra said that inspired the current approach, where NRMC is breaking down stovepipes. It’s trying to get a more holistic picture. Rather than have the financial sector in one lane and communications in another, it’s looking to bring a mix of stakeholders together. That will include service providers that manage systems for banks, and vendors that provide control systems for utilities.
She said the Sony hack of 2014 is an interesting use case that can inform that kind of thinking.
“I was on the National Security Council at the time when that happened, so we were having a lot of conversations about exactly that,” Manfra said. “I realized we were getting ourselves too much in the rut of ‘is this in a sector that’s defined as critical infrastructure per the National Infrastructure Protection Plan,’ which I’m fully supportive of all of those, but those are constructs. To me, it goes back to functionality and broader geopolitical issues.”
At its core, that hack was another country trying to force a lack of free speech. Nobody died, and there was no interruption in anything critical to the functioning of the country. But it still had a destructive impact; it was a foreign actor attempting to influence values. That’s the appropriate construct through which to view this, she said.
“The government needs to always have some flexibility to react based off of the full scope of everything, not just the cyber part of it,” Manfra said. “Oftentimes cyber people get focused on the cyber part of it.”
Bill Evanina, director of the National Counterintelligence and Security Center, said during the panel that the response to that hack wasn’t strong enough. The sanctions imposed were not effective, and the U.S. government would respond to that hack differently were it to happen today. And the private sector wants the government to do more, he said.
“We are the best in the world at any of these things,” Evanina said. “We don’t get caught as much as our adversaries do. But when the time comes that we have to do defensive cyber operations or offensive things, we are the best in the world.”