The Department of Homeland Security wants to overhaul a controversial Obama-era program focused on identifying industrial facilities where a cyber attack would have catastrophic consequences.
But industry is worried that the government will go about it the wrong way.
“Section 9” of former President Obama’s first cybersecurity executive order, issued in 2013, called for identifying specific entities where a cyber attack could lead to extensive death and injury or major economic turmoil.
The list has been a closely guarded secret since it was compiled five years ago, and the process for being designated a “Section 9-a” entity was initially controversial. Industry groups feared everything from specific new regulations to possibly being singled out for attack if adversaries got ahold of the list.
Those concerns have ebbed over the years, but industry sources, congressional aides and former Obama administration officials are calling for care and close collaboration in any effort to update Section 9, including the proposal in a recent DHS report to create a specific new program office at DHS.
Such an office could help ensure Section 9 is an agile tool for critical infrastructure, or it could be yet another bureaucratic cul-de-sac.
“What we need is a seamless process for when a ‘Section 9-a’ entity comes under attack from nation-states, so elements of government can take defensive, or even offensive actions to help,” said one industry source who works frequently with DHS and other agencies on cyber issues. “A program office would be helpful, but we need to see more details.”
The DHS “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure: Support to Critical Infrastructure at Greatest Risk — Section 9 Report Summary,” released late last month, says DHS will “lead an interagency working group to focus on implementing the recommendations and engage with Section 9 entities to ensure understanding of the programs and resources available.”
“If DHS is going to have an interagency workgroup, the private sector should be a part of it, not just consulted with later,” another industry source said. “The jury is still out on this for me. I need to hear from DHS how they plan to implement this.”
A DHS official said the group is in the early stages.
“DHS, in coordination with Sector Specific Agencies, is in the initial stages of leading an interagency working group focused on implementing the recommendations of Presidential Executive Order (EO) 13800 to support to critical infrastructure at greatest risk, ‘Section 9 entities,’ ” the official said.
Functions vs. companies
The report suggested creating a Section 9 program office at DHS “to strengthen support to Section 9 entities and improve coordination of interagency support,” as well as “Revisiting the methodology to explore a more functions-based approach to identifying Section 9 entities.”
That means grouping critical infrastructure by the function it performs rather than by specific companies or facilities, a shift that is causing concern among some.
It also called for steps such as enhanced access to classified information and better incident communication and coordination for Section 9 entities, which, presumably, should have the latest and best intelligence on potential threats.
“This looks like a good ‘next steps’ list to continue to ensure they are making the right determinations and helping Section 9 entities improve risk management,” said Ari Schwartz, who served as cyber policy director on Obama’s National Security Council.
Former DHS Undersecretary Suzanne Spaulding noted that “the functions approach has been discussed by [current DHS Assistant Secretary Jeanette] Manfra” with an eye toward mapping “interdependencies to determine where intervention would give you the most bang for your buck, or where disruption by an adversary could have the greatest impact.
“This builds on the approach I tried to instill while at DHS to think of critical infrastructure in terms of functionality rather than just assets or buildings or individual entities.”
Spaulding noted that “Section 9 originally asked DHS to identify individual entities where a successful cyber attack could have catastrophic consequences. Moving toward a more sophisticated analysis based on preserving key functions allows you to consider upstream and downstream consequences and potentially identify key nodes that affect multiple entities or system-wide functions.”
She added that it moves the effort to a “more holistic approach.”
“If you are focused on preserving functionality, like the ability to keep the power on or move money or provide safe public spaces, then you look at both cyber and physical ways those functions could be disrupted,” Spaulding said. “It also leads you to a greater emphasis on mitigating consequences.”
She explained that “protecting our election infrastructure from cyber incidents, for example, might lead to a focus on technical fixes aimed at network vulnerabilities. Protecting the election function — the ability for people to cast their vote and have confidence in the legitimacy of that process — is more likely to include non-technical solutions like paper ballots.”
However, a Democratic congressional source cited possible “unintended consequences” of switching to a functions-based approach.
“On moving to a ‘functions-based’ versus ‘entity-based’ list, it seems to undermine the point of the list, which is to look at the specific companies that, if their services were interrupted due to a cyber attack, would pose wide-ranging risks to our economy, national security, or critical civilian services,” the source said. “By looking only at specific ‘functions,’ you could end up pulling in smaller companies that don’t really have a significant impact on national infrastructure.
“As an example, the current Section 9 list might determine that ‘Power Company X’ provides electricity to 35 million people, operates eight power plants, and services dozens of hospitals. Meanwhile, ‘Electric Co-Op Y’ only services a broad rural area with fewer than 200,000 residents, contracts for all of its electricity, and serves a few small hospitals,” the source said. “Should ‘Electric Co-Op Y’ be forced to comply with [Obama] Executive Order 13636? Does it have the resources to? By taking a ‘functions-based’ approach, you risk pulling in dozens — if not hundreds — of new entities that might not have the resources to comply. It also might make it dramatically harder for DHS to ensure compliance.”
Congressional committees of jurisdiction have yet to schedule any oversight hearings on the Section 9 report, but the proposed program update has attention in key circles both on Capitol Hill and in the business community.