As the threat of cyberattacks on the United States launched by foreign adversaries grows, the federal government has been slow to respond. But changes announced Tuesday at the Department of Homeland Security, along with a new bipartisan bill aimed at shoring up DHS cybersecurity initiatives, could give newfound purpose to defenses against critical infrastructure hacking.
At a cybersecurity summit Tuesday, Homeland Security secretary Kirstjen Nielsen announced the creation of the National Risk Management Center, which will focus on evaluating threats and defending US critical infrastructure against hacking. The center will focus on the energy, finance, and telecommunications sectors to start, and DHS will conduct a number of 90-day “sprints” throughout 2018 in an attempt to rapidly build out the center’s processes and capabilities.
“We are reorganizing ourselves for a new fight,” said Nielsen on Tuesday, describing the new center as a “focal point” for cybersecurity within the federal government. Nielsen also noted that DHS is working with members of Congress on organizational changes that can be mandated by law to improve DHS’s effectiveness and reach.
Also on Tuesday, senators Maggie Hassan (D-New Hampshire) and Rob Portman (R-Ohio) announced a bill to that effect. The so-called DHS Cyber Incident Response Teams Act of 2018 seeks to establish permanent “cyber hunt” and “cyber incident response” teams within DHS. These groups would work on cybersecurity defense for federal agencies and private entities and help respond to incidents.
“By encouraging private sector collaboration with the cyber response teams, this bill will help leverage the expertise of both the public and private sectors to help prevent cyberattacks from happening in the first place and mitigate the impacts when they occur,” said Hassan in announcing the bill; the House of Representatives already passed its version several months ago.
“This is really providing some legislative framework around teams that have existed for a while,” says J. Michael Daniel, cybersecurity coordinator under President Barack Obama and head of the nonprofit Cyber Threat Alliance, of the House version of the bill. Daniel sees the legislation as potentially beneficial, but both he and Nielsen are hopeful for even more expansive legislation down the road. “Cybersecurity is an operational element of what DHS does, and we should treat it that way, and be able to resource it and staff it,” Daniel says.
“I’m working with Congress to pass legislation to establish a cybersecurity and infrastructure security agency within DHS,” Secretary Nielsen said on Tuesday. “This would recast what is now the National Protection and Programs Directorate, our cybersecurity arm, into an officious, operational agency capable of better confronting digital threats. But we all know that waiting for Congress to act is like waiting for a new Game of Thrones book to come out.”
In the meantime, the National Risk Management Center should offer support to potential targets of foreign interference. It will run simulations, tests, and cross-sector exercises as part of its efforts to evaluate US critical infrastructure weaknesses and threats. Nielsen envisions the center as a sort of 911 resource for local, state, federal, and private organizations in a cybersecurity crisis. DHS is also moving forward with other projects, like a new election security task force and a voluntary supply chain risk management program.
Along with the splashy announcements, Nielsen spoke with increasing urgency about the risks the US faces. “Without aggressive action to secure our networks it is only a matter of time before we get hit hard,” she said. “We do have the data needed to disrupt and prevent cyberattacks, but we aren’t sharing fast enough and collaborating deeply enough to make it happen.”
Any effort to expand government focus on cybersecurity defense, particularly if it comes with funding, is constructive, especially after the White House eliminated the critical cybersecurity coordinator position in May. At the same time, though, DHS and other government agencies already have a number of bodies that oversee and coordinate cybersecurity defense plans and incident response. Adding more and more similar organizations could create its own problems and confusion, particularly given the dearth of top federal cybersecurity leadership in the Trump administration.
Though a panel of top intelligence officials and CEOs at the Cybersecurity Summit in New York made the case for the importance of the National Risk Management Center, AT&T CEO John Donovan also fleetingly acknowledged that in some ways the US government is still playing catch-up. “This was an obvious thing to do for a decade,” Donovan said. “But it didn’t happen.”