DHS Stands Up New Cyber Risk Center to Protect High-Value Targets

NEW YORK – The Homeland Security Department is launching a national risk management center to tackle key cybersecurity priorities, including creating a registry of the nation’s digital “crown jewels,” Sec. Kirstjen Nielsen said Tuesday during a government cyber summit in New York.

The center will initially focus on the energy, telecom, health care and financial services sectors and will organize much of its work in a series of “90-day sprints” focused on particular national cyber priorities, Nielsen said.

That early sprint focused on cataloging the nation’s most vital digital assets mirrors work Homeland Security has been doing internally to focus greater efforts on protecting the most important government systems rather than protecting all systems equally.

Another key focus for the center will be helping protect industry supply chains from cyber threats, said Jeanette Manfra, a top Homeland Security cyber official.

The risk center will have a broader and longer-range focus than Homeland Security’s National Cybersecurity Communications and Integration Center, or NCCIC, which is the current point agency for cyber information sharing between government and industry, Manfra said.

By focusing on longer-range projects, such as the cyber risk registry and supply chain threats, the risk center will free up the NCCIC to focus on operational issues, such as alerting industry about new digital vulnerabilities and responding to breaches, Manfra said.

In some cases that may mean a company will have one representative at the NCCIC, working with Homeland Security on urgent operational issues, and another at the risk center, focused on big-picture goals, she said.

As a general framework, the center will focus first on figuring out if government agencies and the private sector agree about the cyber risks facing a particular sector and, second, on reaching agreement about how to counter those risks, she said.

The center will be initially comprised of staff pulled from elsewhere at Homeland Security and managed with existing funding, Manfra said.

Officials may seek more resources for the center during future budget cycles, she said, adding that Homeland Security didn’t want to wait on the congressional budget cycle before standing the center up.

Another key goal for the risk management center will be to make a stronger case to industry about the value of cooperating with government on combating cyber threats, said Chris Krebs, who leads Homeland Security’s cyber and infrastructure protection division.

The private sector owns the vast majority of U.S. computer networks and other digital equipment but has been hesitant to share what it’s seeing with the U.S. government.

Congress passed legislation in 2015 that gave companies legal protection from being sued if they share that data into a Homeland Security-run automated system, but, nearly three years, later only six organizations have signed up to share their data automatically.

About 200 private-sector organizations are receiving government threat indicators, which is far below lawmakers’ hopes for the program.

“We’ve struggled to identify the value proposition that would incentivize someone to share back in,” Krebs said. “What we’re trying to do through the center is identify those use cases where it would make sense for a company to contribute into the [automated indicator sharing] program.”

Nielsen spent much of her keynote at the cyber summit stressing the magnitude of the cyber dangers facing industry.

The next major 9/11-scale attack against the U.S. is more likely to be a digital attack than a physical one, she said. Much like before the Sept. 11, 2001 attacks, the government is hampered by “walls” and “stovepipes” that make it difficult to share key threat information quickly enough, Nielsen added.

“What’s more, our growing digital dependence means that vulnerabilities can have widespread, unpredictable, and cascading consequences when they are exploited,” she said.

Nielsen frequently paused to urge industry members in the audience to contribute to the risk center and, after the event’s first panel discussion polled the audience about who would chip in. When about half the audience members raised their hands, she said she’d keep checking back throughout the day.