Homeland Security Secretary Kirstjen Nielsen on Tuesday warned that the U.S. continues to face an immediate, complex and growing array of cyber threats that are outpacing the nation’s ability to defend itself and said overall cyber threats are a greater threat to the country than physical ones.
“In fact, I believe that cyber threats collectively now exceed the danger of physical attacks against us,” she said at a cyber security event hosted by her department in New York City. “This is a major sea change for my department and for our country’s security.”
In response to a more complex threat environment and demand from industry for more complete support from the federal government, the Department of Homeland Security is establishing a new joint center to centralize collaborative risk management efforts aimed at better protecting the nation’s critical infrastructures.
DHS announced the National Risk Management Center in conjunction with its first ever National Cybersecurity Summit, which brought together government and industry leaders to discuss ways to improve and strengthen public-private partnerships around cyber security.
Nielsen, in a speech at the outset of the summit, said, “Today we are coming together, government leaders, CEOs, academics, and cyber experts, to send a message to these online threat actors. Game over.”
Nielsen said that U.S. cyber defenses remain “stove-piped” and are being outpaced by adversaries while the attack surface in cyberspace continues to grow.
“I wish I could say that we’ve rounded a corner, but last year was the worst in terms of cyber-attack volume,” Nielsen said. “The headlines seemed never ending, and not to be the ‘Debbie Downer’ but I think we’ll continue to see that this year.”
Nielsen outlined Russia’s attacks on U.S. democracy, and several cyber intrusions and attacks in the past year that have raised concerns about the growing cyber threat, including North Korea’s WannaCry ransomware launched worldwide, Russia probing the U.S. energy grid, and the breach of Equifax [EFX] that exposed sensitive information of nearly half of U.S. citizens.
“These incidents are only the beginning,” she said. “Rogue regimes and hostile groups are probing critical systems worldwide every moment as we speak. And without aggressive action to secure our networks, it is only a matter of time before we get hit hard in the homeland.”
The National Risk Management Center officially begins operations on Aug. 1, and Nielsen said it will be a “single focal point” for the public and private sector to work side-by-side to assess cyber threats and address risks.
The center is focused on integrating risk management across all critical infrastructures and will “engage daily to develop actionable solutions to defend our critical infrastructure,” Nielsen said, adding later that she hoped for action items by the end of the summit on Tuesday.
90-Day Sprints
The National Risk Management Center is part of the DHS National Protection and Programs Directorate, the department’s operational arm for cyber and physical infrastructure security. It will hit the ground running with a 90-day sprint to establish priorities and “conduct joint risk assessments,” Nielsen said. The first sprint will include the financial services, telecommunications and energy sectors, and incorporate a “major cross-sector exercise this fall,” she said.
The sprints will let industry help the government influence “assessments, plans and playbooks” before taking action, Nielsen said.
Nielsen, who moderated a panel discussion following her speech, was joined on the dais by a half-dozen high-ranking government officials and CEOs.
John Donovan, the CEO of AT&T’s [T] global telecommunications business, said the new center is long overdue because it will bring together government and industry partners from different critical infrastructures at a working level.
“And so the ability to move at speed across organizations is really vital to effective defense and I think today has been a step forward in several dimensions that gets a lot of the philosophy and the strategic stuff a little bit out of the way so that we can get down to the roll up the sleeves work of trying to make our companies, our transactions, and this nation safer,” Donovan said.
DHS officials this year have telegraphed that the department is putting an even keener focus than before on working more closely and collaboratively with industry around the sharing of information about cyber security threats and the need to better understand risks to national critical functions. Jeanette Manfra, the department’s assistant secretary for Cybersecurity and Communications, has referred to this stronger working relationship as a “collective defense model,” and Nielsen called it a “collective defense posture.”
“Your risk is now my risk and my risk is your risk,” Nielsen said, pointing out that government and industry are both “on the front lines of the digital battlefield, so we must work together to protect ourselves.”
Collective defense includes government and industry being on the same page in knowing everyone’s roles and responsibilities in preparing for and responding to all events, cyber and physical, Manfra told Defense Daily in a recent interview.
DHS already works with other government agencies and the private sector in a variety of ways to share information about cyber threats, including the formation several years ago of an automated portal to enable near-real time sharing of threat indicators. The new center is aimed at furthering that collaboration but also at helping government and industry better understand what the risks to national critical functions are, which Manfra in June said might include things like a stable financial system, clean water supply, and resilient communications infrastructure.
A fact sheet released by DHS on the National Risk Management Center said some national critical functions may be outside of traditional categories, hence the need for a cross-sector approach to risk management and understanding interdependencies. The center will develop risk registries for the critical functions and “conduct dependency analyses with a focus on lifeline functions.”
Tom Fanning, chairman, president and CEO of the energy company Southern Company [SO], the nation’s second largest utility, said the company does major tabletop exercises that always demonstrate “the points of vulnerability are always our points of intersection” with other lifeline sectors such as finance and telecommunications.
If the “digital grid” goes down, electric utilities can disconnect from it and provide their services to customers manually, Fanning said.
“But I can’t do it if I can’t talk to my folks in the field,” he said. “That’s our weak link.”