Digital transformation is top of mind for many CIOs, along with security and innovation. All of these areas are highlighted in the 2018 State of the CIO survey results. CIOs are homing in on these key issues for all the right reasons: securing brand value, ensuring data integrity and protecting their company assets.
But as each CIO works to secure his or her own company’s digital fortress, it is important to keep in mind that the boundaries of cyber security are more collective than they are company-specific. Each vendor along the digital supply chain is a potential front door to adversaries, and even the critical systems that support a connected world—such as electricity and communications—play an important role in corporate digital resilience.
Over the past decade, the threat environment has become increasingly complex. Cyber and physical infrastructure are more intertwined and interdependent, and the nature of attacks has evolved from individual hackers to organized and well-funded nation state aggression on our most critical infrastructure. As the world grows more networked and more reliant on cyber infrastructure, and as hard boundaries all but disappear, our approach to security and resilience must adapt.
In this environment, individual companies cannot take on cybersecurity alone, nor can the government. We are living in a world where success over adversaries requires that we team together and unite our collective strengths, knowledge, and resources to address the threats we face.
We’ve steadily strengthened our collective defense through years of partnership building with critical infrastructure industry partners, through organized sector councils that facilitate joint planning, and various mechanisms for sharing cyber threat indicators between the public and private sectors.
Increasingly, a widespread consensus has grown that we need to deepen this information sharing partnership to focus on cross-sector collaboration, as well as embrace a risk management approach that moves beyond simply looking at assets and organizations and instead looks at cross-cutting functions and the dependencies between them.
The Department of Homeland Security is working to meet this industry need through the National Risk Management Center (NRMC). Under its new focus, the NRMC will engage industry in collaborative efforts to tackle some of the most pressing issues related to critical infrastructure resilience. The Center will bring together government and industry long-term planning and risk assessment capabilities to better secure the Nation’s critical infrastructure from physical and cyber threats that present strategic risks.
Its focus on risk management efforts will support prevention and protection efforts for the future, complementing and drawing from the day-to-day information sharing, technical analysis, and operational incident management and support missions of DHS’s 24/7 watch centers including the National Cybersecurity and Communications Integration Center (NCCIC).
One of the key initiatives that the Center will undertake in the near future is to identify National Critical Functions across all sectors.
National Critical Functions are the functions of government and the private sector so vital to the United States that their disruption, corruption, or dysfunction would have a debilitating impact on security, national economic security, national public health or safety, or any combination. Identifying these functions is important because critical infrastructure protection efforts have often been focused on assets and organizations while missing some of the underlying services and functions. This approach can create a blind spot or cause organizations to underestimate the importance of sector-wide and cross-sector risks and dependencies.
The Center will draw on the critical infrastructure Sector Coordinating Councils and their Sector Specific Agencies to help populate an initial list of functions. SCCs are single-sector, self-organized groups representing key stakeholders in each of the nation’s 16 critical infrastructure sectors identified in the National Infrastructure Protection Plan.
A workshop later this year will help validate these functions in a “sleeves rolled up environment” to better understand dependencies across sectors. The Center will provide analytical support for prioritization and consequence modeling to marry these validated functions with our understanding of the threat landscape to create a risk register.
This risk register will guide collaborative risk management efforts going forward to help ensure that any blind spots we’ve identified within and across sectors can be effectively mitigated with joint action.
These and other efforts conducted by the Center are designed to add context to the threats we are facing, so industry and government can start to be more strategic in how they approach these threats. A single-sector or single-company approach provides a narrow view of a threat, but by drawing on the collective knowledge and experience of multiple industries and various levels of government, we can all begin to see the bigger picture and begin to understand how our individual actions impact the whole, for better or worse.
We have only to look at the 2016 Russian intrusions into the U.S. elections infrastructure to see how the mere threat of loss of integrity can disrupt your customers’ trust in your product or service. In that instance, DHS led the federal government’s asset response activities, in coordination with the intelligence community, law enforcement, and impacted private sector entities, to construct a comprehensive picture of what had occurred. And over the last two years, we have worked with state and local officials and industry to reduce risk to election infrastructure. By using the same team approach in our risk management engagement across all sectors, we will be best positioned to protect our critical infrastructure from rapidly evolving threats.