On July 31, 2018 I attended the first National Cybersecurity Summit at the US Customs House in lower Manhattan. The building itself was constructed around 1902-1907 in order to collect tariffs. Teddy Roosevelt was President and tariffs were a subject of divisive national debate. Global issues were still in evidence at the Cybersecurity Summit, with the administration promoting new initiatives to protect US critical infrastructure and democratic processes. In attendance to support these new initiatives were: Vice President Pence, Energy Secretary Rick Perry, FBI Director Wray, General Paul Nakasone (NSA and US Cyber Command), Kirstjen Nielsen, Secretary of DHS, and Chris Krebs, head of DHS’s NPPD (National Protection and Programs Directorate), as well as CEOs from industry and leaders from academia. Audience members filled the 350-seat auditorium and spilled over into another viewing room down the hall.
So, what was new, if anything? Secretary Nielsen announced the new National Risk Management Center (NRMC), designated to be the focal point within government for public-private collaboration on cyber-related risk issues. You can find the fact sheet on NRMC here. It is interesting that the word “cybersecurity” is not in the name of this group. Two thoughts: maybe she is thinking the term will go out of favor. Also, many of the real risks to society and the economy are second- and third-order effects, not just the initial cyber-attack consequences. To start, the focus in NRMC will be on the financial, energy and ICT (Information and Communications Technology) sectors. A 90-day sprint will be initiated. The NRMC Director is yet to be named.
A second new direction was articulated by Vice President Pence, when he argued that the previous administration had been weak on cyber preparation and response; now the Trump administration is reversing that strategy with stronger action in both areas. Given that everything in DC must have a political component, this sounded like one positive step for better cyber security both within government and in the private sector.
The NRMC sounds promising; I am hoping it does not just focus on incident detection and response. Risk management includes the whole lifecycle: identify, protect, detect, respond and recover. I would like DHS to share more proactive information regarding cyber-attacks. The 2015 Cybersecurity Information Sharing Act did call for the Federal government to share best defensive practices based on ongoing analysis of threat indicators. I call this “evidence-based security”. This is needed to develop cost-effective defenses ahead of the next attack. Unfortunately, the supporting legislation in Congress, HR 5074, does seem to focus on attack detection and remediation. Another new private group, the Financial Systems Analysis & Resilience Center, is focusing on analysis of strategic cyber risks within and between member banks.
One more note from the Summit: the President’s NSTAC (National Security Telecommunications Advisory Committee), which has been working on a Cyber Moonshot study, will report out in the next couple of weeks. This could be the overall risk management and mitigation program that we need.