Threats to critical infrastructure, cyber require partnership with industry

Now more than ever it’s necessary for the Homeland Security Department to work with the private sector to protect critical infrastructure and the American people against terrorism and cyber threats.

That was the message delivered June 21 by DHS leaders during the 2016 Homeland Security Conference in Washington.

Caitlin Durkovich, assistant secretary for infrastructure protection at DHS, told the audience of industry members that events like 9-11, or last week’s mass shooting in an Orlando nightclub, show that “the battlefield is here at home.”

“At the end of the day, the majority of our nation’s critical infrastructure is not owned or operated by the federal government, but is in fact in private hands,” Durkovich said. “It is important not only for national security and homeland security, but for the economic prosperity of this great country, and it’s equally important we have the infrastructure to function for the resilience of our communities.”

It’s no longer an authority figure sitting in a cave in Afghanistan, giving orders to attack through grainy video, Durkovich said. It’s lone offenders or violent extremists who have access to a computer and a Home Depot, or gun shop.

And that’s in the physical world.

“What we are seeing in cyberspace, I will tell you is chaotic and dynamic as the physical environment,” Durkovich said. “Cyberspace has also given rise to its own cast of characters.”

This ranges from vandals to thieves to thugs and saboteurs, she said, but whether it’s a physical location or wireless network, it’s necessary for industry and the public sector to work together to share information and mitigate attacks.

“We are hard at work figuring out how to do a better job of sharing information quickly,” Durkovich said. “Part of this is hampered by the fact we live in an environment where much of this is classified. As a government we are working very hard to move beyond the classification challenge, and realize at the end of the day, what you need to do your jobs is really those tactics and techniques, not the sources and methods. So increasingly both on the physical side and cyber side, we are able to create tearlines to push out information to owners and operators at the unclass level.”

Pushing information

DHS is also addressing threats to critical infrastructure and cyber by reviewing preparedness for lower-probability but higher-impact events, like hurricanes or other natural disasters, as well as backups for critical infrastructure like GPS and aging utility systems.

Durkovich said her department is also working closely with the tech industry to get a handle on “appropriate use of the internet, appropriate use of social media.”

“How do you deal with terms of use, what do you do when someone is posting malicious and suggestive things on the internet?” Durkovich said. “And equally important given the day and age when we’re very focused on privacy and encryption, how do we ensure we have appropriate access to have the indicators that we need to thwart these types of attacks?”

Just last week, DHS released guidance for vendors on sharing threat indicators.

Durkovich said sometimes it’s necessary to share information at a secret or top secret level, and so DHS has been building a list — now roughly 2,400 members long — of cleared partners across a variety of sectors, that can get information from DHS about a threat or vulnerability and in turn go out and take action.

But that’s not necessarily a sustainable model, Durkovich said, which is why one of the department’s priorities is “pushing out information at an unclass level.”

Durkovich said her office is also working to “put our resources out at the pointy tip of the sword,” since not everyone is located within the Beltway.

“We have protective security advisers who are security experts, we have cybersecurity advisers who are cyber ninjas, who interact directly with owners and operators and really bring the department’s and quite frankly the federal government’s resources to bear, in helping owners and operators manage risk.”

This is done through vulnerability assessments of facilities, which give operators a sense of just how secure things are.

Durkovich said she is focused on reaching out to small and medium-sized businesses — the smaller music venues, shopping malls and public gathering spots — not the large corporations or professional sports leagues that already have a handle on security.

“The most important thing that we’ve learned is making sure you’ve built that relationship with local enforcement before an incident happens,” Durkovich said. “Make sure you have local law enforcement involved in all aspects of your organization.”

Durkovich said it’s also important for businesses to update their security measures for modern threats, so whether that’s a new type of screening measure or use of closed-circuit television, think about “what’s appropriate for the business that I run.”

Also consider a communication plan, how you will get information quickly to customers and employees.

“No good plan survives contact,” Durkovich said. “Pick a scenario, exercise it. I guarantee that plan that you build, you’re going to find a lot of gaps. But that’s the point of doing exercises, is to identify those gaps to improve those plans.”

“We are always looking for ways to encourage owners and operators to think more holistically,” she said.

A cyber attack on civilians

That holistic approach was echoed by Eric Goldstein, senior counselor to the assistant secretary for cybersecurity and communications at DHS.

Goldstein, who spoke during a panel on a post-OPM cyber hack world, said the December 2015 cyber attack on Ukraine’s power grid really made DHS sit up and reflect on the fact that “cyber risk management and physical risk management are now truly converged.”

“This was a really big deal,” Goldstein said. “This was the first time that we have seen a cyber attack cause physical impacts on civilian infrastructure.”

“We need a way to ensure our physical services remain resilient, remain recoverable, remain in place even after a compromise, and we know that our critical information, data services, internet-enabled functions, of course rely on physical infrastructure,” Goldstein said. “Because of this convergence, we are now looking like never before at how do we make sure the message is indoctrinated in the way we approach our mission and how do we make sure that the private sector, including sectors like the banking sector, the electric sector, the water sector, that rely both on physical infrastructure and cyber enabled services, are really converging how they think of risk management in a more holistic sense.”
