Trump Administration Plans National Cyber Risk Management Initiative

The Trump administration is developing a national risk management initiative aimed at tightening communication lines between government and industry about major cyber vulnerabilities, a top Homeland Security Department official said Friday.

The effort will link Homeland Security and the Energy and Treasury departments with companies in their sectors as well as smaller agencies that regulate or interact with specific sectors that face cyber threats, said Chris Krebs, undersecretary of Homeland Security’s cybersecurity and infrastructure protection division.

“It’s not just about government working together, it’s about industry and government working together,” Krebs said during a cyber event hosted by The Washington Post. “We have to have integrated, cross-sector government-industry collaboration in the cybersecurity space and in the critical infrastructure protection space and that’s where we’re going.”

A Homeland Security spokesman declined to provide additional details about the initiative or a timeline.

Homeland Security has increasingly framed its approach to cybersecurity as a “risk management” effort in recent years. That roughly translates to figuring out which computer systems are most vulnerable to hacking or most attractive to nation-state and criminal hacking groups and concentrating mitigation efforts on those systems rather than protecting all systems equally.

States Should Be More Specific

Krebs also responded during the Post event to a Thursday vote in which House Republicans voted down Democratic efforts to double the $380 million the federal government already allocated to improving state and local election security.

Krebs acknowledged some states may need additional money—especially states that need to replace a large number of vulnerable electronic voting machines—but faulted states for not being specific enough about how much money they need and how they will use it.

“What I think we need to do in the very near future is, rather than just say ‘we need money, give us money’ is: ‘We need X amount of money to address X threat and buy down X amount of risk.’ We have to be much more precise,” he said.

The Name Change Again

Krebs also stumped Friday for a stalled bill that would rename the agency he leads from the National Protection and Programs Directorate, or NPPD, to the Cybersecurity and Infrastructure Security Agency, or CISA.

The agency’s current clunky acronym has made it difficult for Krebs to reach out effectively to the private sector and impeded some of his early work with state and local election officials because people outside government can’t easily understand what the agency does, he said.

“NPPD, it sounds a Soviet-era intelligence agency,” Krebs said. “It doesn’t tell anybody what we do.”