With Corporate Outreach, DHS Hones Focus on Critical Infrastructure Cybersecurity
DHS official Christopher C. Krebs explained federal efforts and successes in protecting critical infrastructure companies against cyberthreats at the cyberSecure conference.
December 06, 2017 at 10:00 AM
5 minute read
In the wake of recent breaches, organizations have become ever more conscious of their susceptibility to cyberthreats. Not all cybersecurity awareness, however, is created equal. “Traditionally on the IT side, we have been focused on security, and this goes back to 2003,” said Christopher C. Krebs, a senior official performing the duties of undersecretary for the National Protection and Programs Directorate at the Department of Homeland Security (DHS).
Back then, he noted, the operating system Microsoft XP came out with serious security flaws, creating awareness at the tech company and among its corporate users about the need for IT security. But while that planted the seed of modern cybersecurity practices, it took over a decade for other companies to become aware of what Krebs called “operational security” (OT), or the security of physical hardware and critical infrastructure.
It wasn't until a slew of attacks on critical infrastructure—from the 2013 BlackEnergy malware affecting the energy industry in Ukraine to the “Dragonfly” hacking group targeting energy infrastructure in the U.S. and Europe years later—that OT became a widespread concern.
And it is here where Krebs' National Protection and Programs Directorate (NPPD) comes into play. “We're responsible for two main things: for DHS cybersecurity and critical infrastructure security,” he said, adding that the team looks to serve the 16 defined critical infrastructure sectors in the economy.
Yet, the NPPD isn't like other government agencies. For one thing, it doesn't have any regulatory authority. “I have no mandatory powers, it's all voluntarily,” Krebs said, explaining that the group offers cybersecurity services to critical infrastructure companies if they chose to use them.
Krebs breaks these services down into three parts: “One, is information sharing; two, is sharing and developing best practices and support; and three, is incident response [assistance].”
Of the three, information sharing is the team's most active task. “With 200 entities involved, in a little less than 18 months we've shared about 1.3 million unique indicators,” Krebs said. But he added, “It's not a lot; it needs to be more.”
Through the use of “automated information sharing (AIS) programs,” however, the NPPD is looking to grow the amount of information it shares and become more efficient in declassifying and disseminating actionable data, he added.
As an example of the benefit of such information sharing, Krebs noted that his team shared “a number of bulletin alerts and updates to state and local officials during the past election, and we continue to do that now.”
But it was the summer before the 2016 election that Krebs most clearly saw the success of the NPPD's information sharing come to fruition. During the early hours of the worldwide WannaCry ransomware attack, the team “was able to determine something was happening just about the same time everyone else was figuring it out,” he noted.
The NPPD “reached out to a number of security researchers and other experts we had on speed dial and immediately started sharing information on what we were seeing,” he added.
The efforts led to companies and government officials being able to understand and act on the threat quickly, mitigating its growth and protecting other networks from being compromised.
But for Krebs, this was not the only success against WannaCry. “If you ask me, the real success story was not what happened the day WannaCry was detected; it was all the work the businesses did in the months prior” to insulate their IT infrastructure from attack.
To be sure, federal efforts to protect critical infrastructure goes far beyond just the NPPD. Krebs, for instance, credits Executive Order 13800, issued in 2017 by President Donald Trump, with tasking the federal government with protecting federal networks and critical infrastructure sectors.
He also credits progressive cybersecurity work of past administrations, such as Executive Order 13636, issued by then-President Barack Obama, which helped identify what constitutes critical infrastructure in the U.S. and provide cybersecurity assets to the companies that manage such infrastructure.
In addition, there was also the foundation laid by former President George W. Bush's Comprehensive National Cybersecurity Initiative (CNCI) and former President Bill Clinton's Presidential Decision Directive 63 (PPD-63).
Yet despite the government support, Krebs believes securing critical infrastructure will only get more difficult given the growth of mobile devices and internet-of-things (IoT) connections.
In addition to federal aid, what Krebs believes is needed now more than ever is scalable cybersecurity solutions that can that help mitigate the cybersecurity threats of a company with multiple and ever-growing openings.
And he is cautiously optimistic such solutions can come into effect, especially those which “leverage machine learning,” he said. “Bringing machines into the defensive side, that is where we need to be going.”
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
- 1As 'Red Hot' 2024 for Legal Industry Comes to Close, Leaders Reflect and Share Expectations for Next Year
- 2Call for Nominations: Elite Trial Lawyers 2025
- 3Senate Judiciary Dems Release Report on Supreme Court Ethics
- 4Senate Confirms Last 2 of Biden's California Judicial Nominees
- 5Morrison & Foerster Doles Out Year-End and Special Bonuses, Raises Base Compensation for Associates
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250