The U.S. Department of Homeland Security on Tuesday announced the National Risk Management Center, part of a new effort to combat cyber threats to the nation.
The new agency’s mission will be to defend the U.S.’ critical infrastructure through greater cooperation between the public and private sectors.
The center will bring together government experts and industry partners to work out ways that the government can support the partners. The idea is to create a single point of access to all government resources that can be used to defend against cyberthreats.
“I occasionally still hear of companies and state and locals that call 911 when they believe they’ve been under a cyberattack,” said DHS Secretary Kirstjen M. Nielsen at a National Cybersecurity Summit held in New York City on Tuesday.
“The best thing to do will be to call this center,” she continued. The center will provide organizations under cyberattack with what they need to repel, mitigate and root out adversaries from their systems.
The center also will be a place for forging strategies against threats.
“Having the private sector with us will enable us to take a piece of threat data to determine what puzzle it belongs to and then to determine how to fit it into the puzzle,” Nielsen said.
Through that approach, “we can see the trend, we can see the thread, we can see the purpose, perhaps, of the attack, but certainly the implications and effects,” she explained.
“The private sector also knows its operational environment better than we will ever know in government,” added Nielsen, “so we will look to their expertise to help us to understand how the pieces fit together.”
The power of information sharing already has been seen in initiatives like the Cybersecurity Risk Information Sharing Program in the U.S. Department of Energy, Secretary Rick Perry noted in a panel discussion at the summit.
It was due to that close collaboration that the department was able to identify a very dramatic event last year about Russian intrusions into our energy systems, he observed.
“Had we not had this close working relationship with our private sector partners, it would most likely gone unfounded,” he said.
Underpinning the creation of the National Risk Management Center is the recognition that cybersecurity defense is a team sport, observed Brad Medairy, a senior vice president at Booz Allen Hamilton, an international technology consulting company headquartered in McLean, Virginia.
“It requires a partnership of the whole of government and the whole of industry to address it,” he told TechNewsWorld.
The new center is an extension of capabilities the DHS has been developing to protect the nation’s critical infrastructure, noted James Barnett, head of the cybersecurity practice at Venable, a law firm in Washington, D.C.
“Secretary Nielsen would certainly want to announce this now with the recent revelation of Russian hackers into the controls of several American companies that make up the energy grid,” Barnett, a former Navy Rear Admiral, told TechNewsWorld.
The federal government already has an information-sharing center in place — the National Cybersecurity and Communications Integration Center — but the new center appears to be a different kind of animal.
“NCCIC has been more of a coordinating and information sharing effort — the government will collate and provide you with information to help yourself,” Barnett explained. “It sounds like NRMC is one step closer to a cyber firehouse, where DHS will actually provide direct assistance.”
One frequent complaint from the private sector is that the quality of information from the government is poor. The new center could change that.
“As conceived, NRMC will focus and organize the federal government’s efforts to provide the private sector operating critical infrastructure with actionable threat data,” Barnett said. “This would be more than just a malware warning or patch. It sounds like DHS is willing to provide deeper information on threats, to include supply chain threats.”
For validating the supply chain and procurement process, the center is an essential step forward, said Ray DeMeo, chief operating officer of Virsec, an applications security company in San Jose, California.
“This initiative wisely prioritizes actionable threat data, a critical gap in today’s Industrial Control System threat environment,” he told TechNewsWorld. Z,pz. “Threat actors have a significant lead time ahead of responders — often weeks or months,” DeMeo pointed out. “With more actionable threat data, our human intervention can focus beyond immediate triage to higher-order efforts. Who are the attackers? What is their methodology?”
Public-private cybersecurity partnerships are nothing new, but the private sector may be coming to this latest vehicle with a different attitude.
“It’s recognizing that the threats are getting more sophisticated and more complex,” said Matt Olsen, president of IronNet Cybersecurity, a Fulton, Maryland, maker of a suite of cyber security technologies.
“There’s also a fundamental recognition that companies can’t go it alone against the most sophisticated threat actors out there, particularly nation-states like Russia and China,” Olsen, a former director of the National Counterterrorism Center, told TechNewsWorld.
In order for partnerships to work, the partners must trust each other. That’s proven to be a challenge in the cybersecurity arena in the past, and it could be a barrier to the new center gaining momentum.
“Will the center bring government and industry together to provide solutions, or is this going to be another layer of bureaucratic influence on industry?” wondered Emily Miller, director of national security and critical infrastructure programs at Mocana, a Sunnyvale, California-based company that focuses on embedded system security for industrial control systems and the Internet of Things.
“Is it going to come up with unfunded mandates? Is it going to create baselines that industry has to comply with that do not provide actual security? Those are the questions the industry is going to have in mind when they think about what is the goal of the National Risk Management Center,” Miller told TechNewsWorld.
Show Me the Money
Achieving private sector trust will be a challenge, acknowledged Venable’s Barnett.
Howver, “DHS has positioned itself in the cyberworld as a resource and facilitator, not a regulator. Establishing NRMC is a positive step in organizing the government’s assistance, if it is well resourced,” he noted.
“The success of the new effort will depend on whether the government is able to provide NRMC with the money, expertise and capacity to meet its objectives, and how well it is accepted by the critical infrastructure private sector,” Barnett said.
Everyone needs to be talking less and doing more to reduce cyber-risk, suggested Ed Cabrera, chief cyber security officer at Trend Micro, a Tokyo-based maker of enterprise cyber security solutions.
“We have been espousing the need for better public-private partnerships for the better part of 15 years, but we have failed to execute,” he told Tech News World.
“The blame cannot be solely laid at the feet of government,” Cabrera said. “We in industry have our role and responsibility to work hand-in-hand with government and each other to eliminate cyber threats, and reduce technical and systemic vulnerabilities.”