Inside Cybersecurity

April 26, 2024

DHS, industry look to underscore cyber partnership at this week's summit

By Charlie Mitchell / July 30, 2018

The DHS cyber summit this week will launch three major government-industry initiatives and conclude with a formal stamp of approval for the department's maturing cybersecurity role from Vice President Mike Pence.

“It took some time for DHS to establish its bona fides on cybersecurity,” observed Suzanne Spaulding, the former under secretary in charge of cyber programs at the Department of Homeland Security. “There's a growing understanding in Congress and elsewhere of how far DHS has come. I do see this as a significant event.”

Pence will deliver the closing keynote at Tuesday's “National Cybersecurity Summit” at the U.S. Custom House in Lower Manhattan, DHS announced Friday, after a full day of speeches and panels featuring top government officials and CEOs and cybersecurity leaders from critical-infrastructure companies.

The summit was the brainchild of DHS Secretary Kirstjen Nielsen, who will play a prominent role along with Secretary of Energy Rick Perry, FBI Director Christopher Wray, and U.S. Cyber Command and National Security Agency head Gen. Paul Nakasone. The telecom, financial services, energy, information technology, insurance, health and other industries will send CEOs and senior representatives.

The day's discussion will revolve around three initiatives being led by DHS: on supply-chain cybersecurity, risk management, and “national critical functions,” the last being an industry-backed evolution of the department's “Section 9” program, created under former President Obama's first cyber executive order for securing entities where a cyber attack could have devastating consequences.

The program starts Tuesday morning with a closed-press CEO roundtable with Nielsen, and -- according to an agenda released Friday -- will include three closed breakout sessions throughout the day on information sharing, protecting critical national functions, and “emerging issues in cyber law and policy.”

A late-morning public session will include Nielsen, Nakasone, Wray and Perry, along with MasterCard's Ajay Banga, AT&T's John Donovan and Southern Company's Tom Fanning.

Next, DHS Under Secretary Christopher Krebs will moderate a supply-chain panel with Donovan and former Palo Alto Networks CEO Mark McLaughlin.

Other public afternoon sessions will address the cyber workforce, ICT solutions, and an open session on protecting critical national functions. DHS assistant secretary Robert Kolasky will moderate the public session on critical functions, with American Gas Association president Dave McCurdy, FedEx CISO Gene Sun and Department of Energy Under Secretary Mark Menezes.

Pence's speech is expected to wrap up the day.

The three initiatives

“We will launch at least three noteworthy new ideas and initiatives,” with 90-day “sprints” to begin showing results, Krebs said last week on the CyberCast podcast hosted by Kiersten Todt and Roger Cressey. Todt and Cressey are cyber policy veterans; she ran Obama's Commission on Enhancing National Cybersecurity and both were closely involved in developing the federal framework of cybersecurity standards.

DHS' National Protection and Programs Directorate, headed by Krebs, will lead the supply-chain effort in coordination with the communications and information technology industries' coordinating councils.

“They're doing this right, they're not making decisions without industry,” said Robert Mayer, senior vice president for cybersecurity at the United States Telecom Association. “From Day One we'll be discussing scoping, resources, milestones. This is all good management -- and this is all music to industry ears. It's clear leadership and clear partnership.”

And industry is promising a major commitment to the DHS-led efforts.

Mayer said the supply-chain initiative will be “a full-year effort, with action items to be determined in coordination with DHS and industry. It's a significant investment of resources, the biggest thing I've ever been involved in.”

Some of the same industry groups are heavily invested in the DHS-Commerce Department botnet initiative -- identified early on in the Trump administration as perhaps the premier cyber threat facing the nation -- and other federal cyber work that tracks with the supply-chain effort.

On risk management, Krebs has pledged to make this a hallmark of his tenure at DHS and he has said a risk-management approach should infuse all of the department's cybersecurity work. One source said the “core” of that effort will come from ongoing “tri-sector” work being done by the communications, IT and financial sectors.

Former DHS official Spaulding said a risk-management mindset has “taken hold at DHS” and is being adopted at other departments and agencies.

On national functions, Spaulding said the department “is going to adopt a functionality approach” that flows from the Section 9 work done in the previous administration.

When it was first released in 2013, the Section 9 plan of identifying particular entities stirred concerns in the private sector over a variety of issues, including the possibility of targeted regulation. But Spaulding said, “The Section 9 exercise helped illuminate the need for this kind of [functionality] approach. We talked about ensuring the functions that the public depends on.”

She added, “Section 9 led us to an analysis of key functions that if disrupted would have serious consequences.”

The White House factor

Meanwhile, Pence's participation signals an “imprimatur” of support from the White House, according to multiple industry sources, who privately suggested ongoing uncertainty about White House views and priorities since the elimination of the cybersecurity coordinator position this spring.

“We have no clue what's going on in the White House,” one industry source commented. “But Nielsen and her team are making sure there is no vacuum [on cyber policy]. The bright side is the White House is letting DHS lead.”

Overall, the summit is seen in the private sector as an opportunity to confirm the Trump administration's commitment to collaboration as opposed to compulsory cyber mandates, and industry's willingness -- indeed, eagerness -- to engage and lead.

“We are staying with the 'voluntary action vs. regulation' message,” said one source from the energy sector who will be participating at the summit.

“The message from all this,” said another industry source, “is there needs to be greater government-industry collaboration and it needs to be done in something other than a siloed manner. It's a good thing DHS wants to look at this in a systemic way.” -- Charlie Mitchell (cmitchell@iwpnews.com)