The Department of Homeland Security has announced a new cyber “risk management” initiative — promoted heavily at DHS’s recent cybersecurity summit — and now, industry sources are watching to see whether this becomes a consequential policy step, a public relations exercise, or perhaps some of both.
“What problem are they trying to solve?” one cyber policy veteran asked skeptically, suggesting the effort to stand up a National Risk Management Center will amount to little more than glitzy paper wrapped around existing programs.
Homeland Security Secretary Kirstjen Nielsen announced the new risk center during the July 31 National Cybersecurity Summit in New York City, drawing support from industry but also questions.
Nielsen said the department is taking a systemic approach to identifying, analyzing and responding to cyber risk with an initial focus on the financial, energy and communications sectors — so-called lifeline industries where a cyber attack could have devastating impacts on the U.S. population and economy.
In an internal Aug. 3 memo, DHS Under Secretary Christopher Krebs explained the reasoning behind the center: “Most importantly, we identified a clear need for tighter collaboration across industry and government, not just in cybersecurity efforts, but in generally understanding and addressing existing and emerging risks.”
The memo had limited circulation and many usually well-informed industry sources were still in the dark last week on aspects of the center, though it’s clear that it will fall under the DHS National Protection and Programs Directorate that Krebs oversees.
Industry insiders said they await information on exactly how the center is being put together, timelines and milestones, and how it will function with other government entities, among other questions.
“We’re being told that they are working on stuff and will engage us shortly,” said an industry source.
Vice President Mike Pence, who delivered the closing keynote at the summit, packaged this and other Trump administration moves as cleaning up a cyber “mess” left by the Obama administration and reflective of a reinvigorated, proactive approach to cybersecurity.
Obama-era policy veterans strongly objected to that characterization, and some industry sources said Pence’s critique went over the top.
At the same time, many sources said they saw more evolution than revolution in the DHS cyber initiatives.
The creation of a centralized analysis and decision-making entity is a logical step after spending the last few years building up the structures for absorbing and distributing cyber threat information, these sources commented privately.
A common criticism of the way government and private-sector entities currently share cyber threat information has been that the intelligence product lacks context and therefore isn’t actionable. Analysis, context and a clear path to action seem to be at the heart of what DHS is planning for the new risk management center.
According to Nielsen and Krebs, it will start out by looking at supply-chain risks — points of vulnerabilities among contractors and subcontractors — that pose a significant challenge to those lifeline industries.
“The summit was a helpful push to both industry and government,” said Ari Schwartz, director of cybersecurity issues on the National Security Council under President Obama.
But, he said, “the Risk Management Center still needs some fleshing out. In some ways supply chain is a great choice because it is a difficult issue and we need both government and the private sector to solve it. However, it is a very complicated issue, so I’d like to see them aim for some small victories to demonstrate progress before we can expect a major breakthrough.”
He added, “We may well look back on this event as the day that the Center was started and see it as a success, but there is a lot of work to do to get there and there have been several other similar DHS programs that have fizzled out over time.”
DHS’s Krebs said in New York that over the next 90 days the department will work out the “concept of operation” for the new center and other details, and will begin with “confidence-building measures” aimed at delivering early “tangible outcomes.”
He explained further in the Aug. 3 memo: “Most importantly, we identified a clear need for tighter collaboration across industry and government, not just in cybersecurity efforts, but in generally understanding and addressing existing and emerging risks. So … we must also enhance efforts to understand holistic risk conditions across our nation’s infrastructure, whether cyber or physical — what’s essential, what’s a potential single point of failure, and what functions and services underpin our very society, government, and economy.”
Krebs said that sophisticated “understanding of risk, criticality, and how to increase resilience” has long been part of DHS’s mission, but “establishment of the Center represents the elevation of that mission and the operationalization of the Secretary’s authorities to lead and coordinate national critical infrastructure protection efforts alongside our government and industry partners.”
A DHS summit readout issued publicly on Aug. 1 said: “The National Risk Management Center will create a cross-cutting risk management approach across the federal government and our private sector partners through three lines of effort: identifying and prioritizing strategic risks to national critical functions; integrating government and industry activities on the development of risk management strategies; and synchronizing operational risk management activities across industry and government.”
There are plenty of lingering questions, including the privacy implications of how the center will handle and use personal data, how the center plans to use artificial intelligence and the massive, complex data sets known as “Big Data,” and even whether DHS has the authority and know-how to make use of such tools and turn around meaningful information in a timely way.
Renaming the National Protection and Programs Directorate as the Cybersecurity and Infrastructure Security Agency — as called for in pending legislation strongly supported by the department — could enhance what DHS is trying to do under its risk management initiative. “We need the branding to get more people in the door,” Krebs told reporters in New York.
The risk management program could be a big step for DHS that puts the department in a results-oriented cybersecurity policy space.
But success will depend on continued buy-in from many stakeholders, starting in the Oval Office and running through Capitol Hill, the federal bureaucracy and critical partners in industry.
Now, industry, privacy and other government stakeholders await the details on how this will work.
Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers, and author of “Hacked: The Inside Story of America’s Struggle to Secure Cyberspace,” published by Rowman and Littlefield.