Ambitious. That’s the adjective Homeland Security Secretary Kirstjen Nielsen slipped into her description of what she wants a piece of DHS to become. Specifically, the reorganization she outlined at a conference in New York will change the National Protection and Programs Directorate. Into what?
Into “an ambitious, operational agency capable of better confronting digital threats,” that’s what.
I wasn’t in New York. But I have read her fervent speech. The many published reports don’t quite capture the intensity. I understand what Nielsen meant.
The DHS conference occurred roughly on the one-year anniversary of a particularly bad cybersecurity breach. Equifax, through either stupidity or malfeasance, lost the financial records of nearly 150 million people to hackers. When you add up the unending string of such breaches from manufacturers, defense contractors, retailers, financial institutions and federal agencies, you couldn’t conclude other than that the U.S. is a sitting duck.
Equally concerning to DHS and presumably everyone else is the potential for hacks to cross into the physical infrastructure domain. It hasn’t happened on a big scale yet, but we know it can happen. The Stuxnet virus, ironically launched by the West, demonstrated that when it set back Iran’s nuclear program in 2010.
Maybe the threat is not merely potential. Earlier this month, Jonathan Homer, the chief of industrial control system analysis at DHS, told the Wall Street Journal that Russian hackers had gained potential control of utility systems in the U.S. — systems not connected to the Internet. They could have caused blackouts, Homer said.
The words “ambitious” and “operational” signal DHS wants to be more active in response and perhaps counter-response. It also sounds as if they don’t want to wait for industry — or the government itself — to get around in front of the threats it faces. She said DHS is “reorganizing ourselves for a new fight.”
Ever since it stood up its government-industry information sharing regime, the take-up by industry has been tepid. Companies worry about proprietary data. They worry whether breach information shared with federal entities will end up as an action by the Federal Trade Commission. They worry about the effect on their stock prices, sales and shareholder action.
The reporting and sharing process must be complicated, further discouraging companies. Nielsen implied that when she stated the goal of the new Risk Management Center. Namely, “to provide a single point of focus for the single point of access to the full range of government activities to defend against cyber threats.” Her challenge is actually to simplify things. The NPPD is already a fairly Byzantine set-up, with a vague name to boot. Adding another allied center could make things even more complicated.
Congress seems willing to help. A bipartisan Senate bill would have DHS establish cyber hunt and incident response teams that would cover both industry and government.
Nielsen claimed to have heard of companies calling 911 when they have a cyber emergency. In New York she said “the best thing to do would be to call” the new National Risk Management Center. It’ll matter a lot what happens when they do.