In late July 2018, the Department of Homeland Security (DHS) announced the creation of the National Risk Management Center, a new organization dedicated to threat evaluation, particularly as it pertains to potential hacking against U.S. critical infrastructure. According to news reports, the center will initially narrow its focus to the energy, finance, and telecommunications sectors. This new initiative is designed to improve risk assessment across the critical infrastructure sectors and serve as the primary “one-stop shop” to help private companies manage their cyber security risks.
Coinciding with this announcement is the Congress-led “DHS Cyber Incident Response Teams Act of 2018,” which seeks to create permanent incident response and threat hunting teams within DHS. Such a bill further empowers DHS to improve cyber security by providing trained professionals to mitigate and remediate cyber incidents against Federal entities and critical infrastructure entities. The bill passed the House of Representatives on March 19, 2018 and goes to the Senate for its consideration.
These developments come on the heels of the Government Accounting Office’s (GAO) April 2018 report, which found that DHS needed to enhance its efforts to improve and promote the security of federal and private sector networks. DHS has received substantial support from the government for its centralized role in public and private sector cyber security. Indeed, DHS has several cyber initiatives in the hopper, all of which are going to require the necessary fiscal, material, and personnel resources to be successful. Several financing bills advocate increased funding for DHS’ diverse cyber efforts. While money is good, a plan in place is better, and that is where the National Risk Management Center and Congressional support provide a very promising start. It can be argued that the United States hasn’t lacked cyber security strategies as much as the execution of those strategies.
The National Risk Management Center’s goals are indeed lofty and represent a nearly Sisyphean uphill struggle due to the size of the critical infrastructure space. Per its official website, DHS has identified 16 critical infrastructure sectors: Chemical; Commercial Facilities; Communications; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Financial Services; Food and Agriculture; Government Facilities; Healthcare and Public Health; Information Technology; Nuclear Reactors, Materials, and Waste; Transportation; and Water and Wastewater.
Even taking them in batches, the dynamic nature of cyber space and information technology innovation is going to require constant monitoring of each sector and adjusting risk management accordingly. That means the job cannot be approached with a “one and done” mentality and will demand an improved flow of threat information from all stakeholders. This has been a constant thorn in the side of cyber security efforts between the public and private sectors. To combat stingy information sharing, some have called for a DHS-led incentivization program to improve information sharing, which seems ridiculous given what is known about what happens when cyber security is not taken seriously. If the private sector needs such an incentive to engage in relationships that improve its cyber security posture, then it’s evident that bottom lines, and not secure environments, remain its focus.
Any effort to improve cyber security – on any level, but especially for critical infrastructure – is a positive development. Acknowledging that there’s a problem is one thing, but actually implementing a solution is another. The National Risk Management Center is a step toward implementing such a solution. But it’s only a step. Many organizations have been stood up to address the vacuum. There are currently 20 sector-specific Information Sharing and Analysis Centers (ISACs), entities formed to help critical infrastructure owners and operators protect their facilities, personnel, and customers from cyber and physical security threats and other hazards.
It is unclear whether the National Risk Management Center will work with these entities or supersede them. According to one source, two years after DHS established the Automated Indicator Sharing program, only six non-federal organizations were using it to share threat indicators with the government. This raises the question: if the private sector isn’t currently sharing information, what will compel critical infrastructure entities to do so with the National Risk Management Center? Trust is the cornerstone of any information-sharing arrangement, and if only six private sector organizations are currently sharing threat information with DHS, there appears to be either a lack of trust or a lack of utility in the threat information that is shared.
There are many positive developments to take away from the Center and the bill that appears positioned to become law. But that’s when the real work begins. Getting stakeholders on board and having them become active participants in the cyber security process is the real goal. Unfortunately, it’s been the one goal that has eluded public-private cooperation. Whether that continues once the National Risk Management Center gets off the ground remains to be seen.
This is a guest post by Emilio Iasiello