These last few months have given rise to a new wave of initiatives around the world dedicated to protecting our critical networked cyber infrastructure, and possibly our way of life, from the consequences of a major cyber-attack. These initiatives and other related cybersecurity stories from late July and August have taken headlines by force and deserve our attention as we push to finish out 2018 and take precautions against the storm of attacks expected in 2019 and beyond.
In late July, the US Department of Homeland Security Secretary, Kirstjen Nielsen, spoke at the DHS Cybersecurity Summit in New York City, stating that,
“We are in a crisis mode…a Cat-5 hurricane has been forecast, and we must prepare.”
Nielsen gave the summit attendees a sobering dose of urgent warnings about the imminent risks the US faces unless it takes aggressive action to secure the communications, industrial, financial and healthcare networks that acquire, move and use information throughout the US and interconnect globally. “It is only a matter of time before we get hit hard,” she said.
“We do have the data needed to disrupt and prevent cyberattacks, but we aren’t sharing fast enough and collaborating deeply enough to make it happen.”
Nielsen caught attendees off guard by frankly stating that, “The next major attack on the US is more likely to come by computers than airplanes,” and that a “significant” cybersecurity incident may be on the horizon.
To that end, DHS is setting up a new way for companies and other critical infrastructure operators to share information about security gaps, in the hope of better preparing for a cyber-attack “hurricane”. She announced initiatives to bring companies and government agencies closer together to share information, and also said that DHS is working with members of Congress to enact new laws to improve DHS’s effectiveness and reach.
At-A-Glance: The National Risk Management Center
The new DHS-run National Risk Management Center (NRMC), formerly the Office of Cyber and Infrastructure Analysis (OCIA), and before that the Infrastructure Analysis and Strategy Division (IASD) within the Office of Infrastructure Protection (IP), was officially established on August 2, 2018 as a sub-component of the National Protection and Programs Directorate (NPPD). As the new website states, the NRMC’s mandate is to implement Presidential Policy Directive 21, which calls for integrated analysis of critical infrastructure, and Executive Order 13636, which directs the identification of critical infrastructure where cyber-incidents could have catastrophic impacts on public health and safety, the economy, and national security. The details of these efforts, including its vision, mission, goals and principles, can be reviewed on its new fact sheet published here.
Housed at DHS headquarters in Washington, the NRMC will work directly with critical infrastructure industry partners to provide a “single point of access to the full range of government activities to defend against cyber-threats,” Nielsen said.
The initial NRMC focus will be on evaluating threats and defending US critical infrastructure against hacking. The center will concentrate on the energy, finance, and telecommunications sectors first, and DHS will conduct a number of what it calls 90-day “sprints” throughout 2018 to quickly grow the center’s processes and capabilities.
DHS and the NRMC will also introduce a new voluntary supply chain risk management initiative, meant to enlist cybersecurity experts from companies, in cooperation with government agencies, to help hunt down specific security weaknesses.
The NRMC is a continuation of proactive cyber-threat policy making by the current administration. At the same cybersecurity event, US Vice President Mike Pence said that “America’s digital infrastructure is under constant cyber-attack.”
“Our cyber adversaries also seek to infiltrate our critical infrastructure, including our electrical grid, power stations, so that in some future conflict they might have the opportunity to shut down the nerve center of American energy and our national life.”
Pence said that the administration had allocated an additional $1.2 billion for cyber-defense and requested another $15 billion for cybersecurity. The administration is also seeking to create a new agency within the Department of Homeland Security called the Cybersecurity and Infrastructure Security Agency.
New Cybersecurity Laws and Governments Getting On Board with HTTPS and HSTS
The same day as Nielsen’s remarks to the security summit attendees, US senators Maggie Hassan (D-New Hampshire) and Rob Portman (R-Ohio) announced a bill, titled the “DHS Cyber Incident Response Teams Act of 2018”, that seeks to establish permanent “cyber hunt” and “cyber incident response” teams within DHS. These groups would work on cybersecurity defense for federal agencies and private entities and help respond to incidents.
Adding to the cybersecurity legal news from the summer is the NIST Small Business Cybersecurity Act, which was signed into law by President Trump on August 14th and offers smaller companies a “consistent, relevant and universal set” of NIST-based guidance and resources for the protection of data against online threats. As stated:
“This Act, in consultation with the heads of other appropriate Federal agencies, shall disseminate clear and concise resources to help small business concerns identify, assess, manage, and reduce their cybersecurity risks.”
Other security happenings from late summer include reports that more government agencies are finally moving towards HTTPS-only web services. The United States Department of Defense and the Canadian Government announced that HTTPS and HSTS (HTTP Strict Transport Security) will be in place for all public-facing websites by the end of the year. Many DoD and Canadian government sites currently use certificates issued by an internal Certificate Authority that mainstream browsers do not trust, so visiting them produces certificate errors. The order of operations matters here: once a browser has recorded an HSTS policy for a host, a certificate error on that host becomes a hard failure with no click-through, so publicly trusted certificates have to be deployed before the Strict-Transport-Security header is turned on. HSTS also only takes effect after a browser’s first successful HTTPS visit, which is why agencies that want first-visit protection submit their domains to the browser preload list.
This slow-coming but positive move will also see these agencies adopt certificates signed by widely trusted CAs, such as GlobalSign.
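A practical check for the HSTS part of such a migration is to inspect what the server actually sends. The following is an added example, not code from the original post or from either government: it parses a Strict-Transport-Security header value according to RFC 6797 and reports whether the policy is enforced by browsers and whether it meets the preload-list requirements. The preload thresholds used (one-year minimum max-age, includeSubDomains, preload) are an assumption taken from the published hstspreload.org requirements, and the sample responses at the bottom are constructed for illustration.

```python
"""Check Strict-Transport-Security (HSTS) headers the way a browser would.

Added example, not part of the original post. Header parsing follows
RFC 6797 section 6.1; the preload thresholds are assumed from the
hstspreload.org submission requirements.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ONE_YEAR = 31536000  # seconds; assumed hstspreload.org minimum max-age


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    errors: List[str] = field(default_factory=list)


def parse_hsts(header: str) -> HstsPolicy:
    """Parse one STS header field value.

    Directive names are case-insensitive, max-age is mandatory and may be
    quoted, unknown directives are ignored, and a directive that appears
    more than once makes the whole header invalid (RFC 6797 section 6.1).
    """
    policy = HstsPolicy()
    seen = set()
    for raw in header.split(";"):
        token = raw.strip()
        if not token:
            continue  # empty directives between ';' are permitted
        name, _, value = token.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:
            policy.errors.append(f"directive {name!r} repeated; browsers ignore the header")
            continue
        seen.add(name)
        if name == "max-age":
            if value.isdigit():
                policy.max_age = int(value)
            else:
                policy.errors.append(f"max-age value {value!r} is not a non-negative integer")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    if policy.max_age is None and not policy.errors:
        policy.errors.append("required max-age directive missing")
    return policy


def evaluate_response(scheme: str, headers: List[Tuple[str, str]]) -> dict:
    """Return {'enforced', 'preloadable', 'findings'} for one HTTP response.

    Mirrors browser behaviour: an STS header received over plain HTTP is
    ignored, only the first STS field is processed when several are sent,
    and max-age=0 removes the host from the HSTS store (RFC 6797 section 8.1).
    """
    result = {"enforced": False, "preloadable": False, "findings": []}
    sts = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not sts:
        result["findings"].append("no Strict-Transport-Security header; HTTPS is not pinned for future visits")
        return result
    if scheme.lower() != "https":
        result["findings"].append("STS header received over plain HTTP is ignored; redirect to HTTPS and send it there")
        return result
    if len(sts) > 1:
        result["findings"].append(f"{len(sts)} STS headers sent; only the first is processed")
    policy = parse_hsts(sts[0])
    if policy.errors:
        result["findings"].extend(policy.errors)
        return result
    if policy.max_age == 0:
        result["findings"].append("max-age=0 clears the host from the HSTS store instead of enforcing HTTPS")
        return result
    result["enforced"] = True
    gaps = []
    if policy.max_age < ONE_YEAR:
        gaps.append(f"max-age {policy.max_age} is below the one-year preload minimum")
    if not policy.include_subdomains:
        gaps.append("includeSubDomains missing (required for preload)")
    if not policy.preload:
        gaps.append("preload directive missing")
    result["findings"].extend(gaps)
    result["preloadable"] = not gaps
    return result


if __name__ == "__main__":
    # Constructed sample responses, not captured from any real site.
    SAMPLES = [
        ("https", [("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload")]),
        ("https", [("Strict-Transport-Security", "max-age=300; includeSubDomains")]),
        ("http", [("Strict-Transport-Security", "max-age=31536000")]),
        ("https", [("Content-Type", "text/html")]),
        ("https", [("Strict-Transport-Security", "max-age=31536000; max-age=0")]),
    ]
    for scheme, hdrs in SAMPLES:
        print(scheme, evaluate_response(scheme, hdrs))
```

The script is deliberately offline; to use it against a live host, fetch the response with any HTTP client and pass the scheme and header list to `evaluate_response`. Check the certificate chain against a public trust store first: a correct HSTS header on a site whose chain browsers reject simply locks users out.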
In summary, as hurricane season heats up this fall, we should also be mindful of the cyber-hurricane threats we live with on a daily basis, and take precautions. Below are a few of the checklist items shared previously, which we recommend as a way of seeking shelter from these future security storms.
- Cyber-Insurance – make sure your company is insured against ransomware with a “cyber-liability” policy. (The link is merely an example, not an endorsement.)
- Security Audits – internal and external.
- Incident Response Plan – prepare an Incident Response Plan (IRP) as soon as possible, either drafted by your CISO or by a company and legal committee, collectively known as the Incident Response Team (IRT).
- Whitepaper: Secure Critical Infrastructure Networks Against Cyber-Attacks.
- US National Institute of Standards and Technology guidelines.