With elections over, CISA focus shifts to risk management center

Secretary of Homeland Security Kirstjen Nielsen signaled that her newly minted cybersecurity agency would shift its focus to a number of longer term initiatives, such as mapping out national critical functions across different critical infrastructure sectors and changing culture and practices in global supply chain operations and procurement.

Speaking at a Nov. 16 U.S. Chamber of Commerce event just hours after President Donald Trump signed the Cybersecurity and Infrastructure Security Agency Act, Nielsen outlined four major shifts in the threat landscape that will require government and industry to rethink risk management practices: the deliberate targeting of critical infrastructure by nation states; the ability of cyberattacks like NotPetya to affect and disrupt different sectors and cause cascading damage, a tendency to view risk management through the lens of assets and organizations instead of critical functions and a recognition that resilience, not preventing an attack or breach, should guide organizational decision-making.

Nation states are "playing the long game to degrade our critical infrastructure and we need to respond strategically," Nielsen said.

Much of that long-term strategic vision will come through the agency's new National Center for Risk Management. The first big task entails working with industry partners to map out a list of critical infrastructure functions. Bob Kolasky, the center's director, told reporters that a true accounting would take years, but the agency hopes to have a working list developed to feed more analysis and other initiatives.

Chris Krebs, now Director of CISA, said that list should be ready by year's end. Once that's complete, the center wants to engage with researchers and stakeholders across different sectors to analyze and rank those functions to prioritize further action. Sectors with more mature risk profiles will likely take precedence, and the center has already established a tri-sector council to focus on the telecommunications, financial and energy industries.

A day earlier, DHS announced membership for its new 60-member supply chain task force. On the government side, representatives from DHS, the Departments of Defense, Treasury, Commerce, Justice, the General Services Administration, the Office of the Director of National Intelligence and the Social Security Administration will sit on the executive committee.

On the industry side, 26 major tech and communications companies and industry associations will also have a seat on the executive committee, including AT&T, Verizon, Intel, Microsoft, the Cybersecurity Coalition, threat intel firm FireEye and the Information Technology Information Sharing and Analysis Center.

Nielsen also pressed members of industry to sign up for existing DHS information sharing programs such as Automated Indicator Sharing, calling them "a great way to crowdsource against our adversaries who are crowdsourcing against us."

AIS has struggled to enroll private sector companies willing to share their own data with the federal government. The agency has also received complaints that large chunks of the data DHS shares is either not useful or lacks actionable guidance. Nielsen indicated she wants to change that.

"Tell us what you need from us and when it comes to intelligence, tell us how to make it more actionable so you can work to put it good use," said Nielsen.