New DHS Cyber Hub to Test Private-Public Reluctance to Collaborate
The Department of Homeland Security’s new National Risk Management Center (see 1808070032) will test the willingness of industry and the federal government to collaborate on cybersecurity defense, experts said this week. The U.S. government is hesitant to share classified information with national security implications, and the private sector is reticent for fear of reputational damage or increased scrutiny from regulators, they said.
Public Knowledge Cybersecurity Policy Director Megan Stifel, former DOJ National Security Division Cyber Policy director, said industry’s frustration stems from a sense that companies “give, give and give and get nothing back.” Lawmakers recently blamed industry for failing to provide information on Spectre and Meltdown vulnerabilities (see 1807110059). Intel on Tuesday revealed details about three more potential computer processor vulnerabilities. Spectre and Meltdown are examples of risks the new DHS hub could help the government better manage, Stifel said.
When unveiling the new center, Secretary Kirstjen Nielsen urged the private sector to collaborate with the government by sharing data in real time. CyberCecurity Information Technology Director Mitch Tanenbaum said information sharing is lacking on the federal government’s end. He urged officials to provide simple, direct guidance on how industry can protect business. For example, he said the National Institute of Standards and Technology’s Cybersecurity Framework (see 1805090046) is “too complex” to benefit small- to medium-sized businesses, though it’s a great resource for major companies. DHS didn’t comment.
CyberScout founder Adam Levin noted both government and business accused the other of not providing enough information on the cyber front. Establishing the center is DHS’ attempt to take a stronger leadership role and institutionalize a culture of collaboration between government and industry, he said. It’s designed to soften industry’s notion it can handle cyber vulnerabilities on its own, which is an issue Senate Commerce Committee members raised when discussing Spectre and Meltdown. “We’ve been living in a world of patch and pray,” Levin said.
The center’s mission is to “provide a simple and single point of access to the full range of government activities to mitigate a range of risks, including cybersecurity, across sectors,” DHS said. Open Technology Institute is glad to see the agency elevating public-private collaboration. It was “troubled” by the administration’s decision to abolish the cybersecurity coordinator position (see 1708030009), creating the appearance the White House doesn’t recognize the severity of cybersecurity threats, said Surveillance and Cybersecurity Policy Director Sharon Bradford Franklin.
Eliminating the cyber coordinator office wasn't “constructive,” Stifel said, claiming the creation of DHS’ new office was a direct result of the removal. The agency’s recent National Cybersecurity Summit, where Nielsen announced the center’s unveiling, however, was a “good reminder” to domestic and foreign audiences that the U.S. takes cybersecurity seriously. Information that could be useful to industry, she said, is data on weaker routers used inside Americans homes, which indirectly pose a threat to critical infrastructure, such as via a botnet attack, she said. Communicating that home device vulnerabilities are potentially a threat to critical infrastructure can let industry see challenges lurking below the surface, she said.
BSA|The Software Alliance Senior Director-Policy Tommy Ross said the risk management conversation has to include discussion about software, which underpins cyber defenses and systems that make critical infrastructure entities work. To this point, he said software has not been fully integrated into the conversation.