The Department of Homeland Security next week will release a set of “national critical functions” that if degraded through a cyber-attack, natural disaster or by some other means could have a debilitating effect on the nation, a department official said on Thursday.
Still in draft form, the forthcoming list stems from direction contained in last summer’s National Cyber Strategy that asked for the most important functions performed by the nation’s critical infrastructure sectors to “drive our strategic focus” in protecting the infrastructure from cyber and other threats, said Bob Kolasky, director the nine-month-old National Risk Management Center (NRMC).
The NRMC was established last July by former Homeland Security Secretary Kirstjen Nielsen to better understand the interdependencies across various infrastructure sectors such as energy, financial, telecommunications and transportation and to centralize collaboration of risk management efforts across the sectors toward the goal of better security.
The NRMC is part of the Cybersecurity and Infrastructure Security Agency at DHS and promotes the tag line, “defend today, secure tomorrow.” The center is “focused on securing tomorrow,” Mark Kneidinger, Kolasky’s deputy, said on Tuesday at a homeland security conference hosted by AFCEA.
The NRMC is “looking at increased sophistication of cyber threats,” Kneidinger said. “Sophistication regarding interdependencies across sectors and between government and the various industry sectors but also across industry sectors.”
The forthcoming set of national critical functions are “the things that are so important that the nation’s security, economic competitiveness, economic vitality, that if those functions are degraded through an attack, it’s a bad day,” Kolasky said at the Security Through Innovation Summit sponsored by the cyber security firm McAfee. The set of functions were identified in partnership with industry and government stakeholders, he said.
Kolasky said that the review of these functions has helped to break down silos around the nation’s critical infrastructure sectors.
It “has got us to start looking at cross-cutting things that maybe were hidden in the critical infrastructure sector structure that ultimately need to function for infrastructure to be able to function and should be a focus of cyber defense efforts because an attack at sort of a cross cutting level or an effort to degrade something at a cross cutting level could have cascading effects across different areas and it’s probably easer to mitigate some of the risks we’re concerned about in infrastructure sectors’ facilities and systems by looking at mitigating risk that’s associated with some of these cross-cutting things,” he said.
As it stands now, the set of national critical functions stands at 57, Kolasky told reporters following his address. He told attendees that some of the functions include position, navigation and timing services, operation of core networks, control systems, operation of safety controls, and protecting sensitive information.
“Our adversaries could be well going after those things to cause strategic effect,” he said. “We have to put our defensive effort and risk management effort against what is most important to us.”
The upcoming release of national critical functions will “set doctrine” and will be followed by a deeper analysis into the various functions to obtain a greater understanding of risks and uncover potential scenarios that could jeopardize national security, “and to study the scenarios and to try and change the nature of the scenarios,” Kolasky said.
Later, during the media gaggle, he said the set of national critical functions will also help inform collection activities by the intelligence community and planning for incident management. He also said the intelligence community has had input on the list of functions.