Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

7/31/2018
04:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

DHS Establishes Center For Defense of Critical Infrastructure

Center foundational to new government-led 'collective defense' strategy for sharing and responding to cyberthreats, DHS secretary says.

The US Department of Homeland Security has established a new National Risk Management Center to facilitate cross-sector information sharing and collaborative responses to cyber threats against critical infrastructure.

At a cybersecurity summit in New York City on Tuesday, DHS Secretary Kirstjen Nielsen described the center as the foundation of a new collective defense strategy led by the US government to respond more forcefully to threats against US interests in cyberspace. The center will bring together security experts from government — including those from intelligence and law enforcement agencies — and security experts from the private sector.

"We are facing an urgent, evolving crisis in cyberspace," Nielsen said in a keynote address to cybersecurity leaders from government, the private sector, and academia at the DHS-led summit. "Our adversaries capabilities are outpacing our stove-piped defenses," to the point where virtual threats now pose an even bigger threat to national security than physical threats, she said.

Nielsen, a senior Trump Administration official, used the event to warn foreign adversaries against continuing hostile activities against US interests noting that the country is fully prepared to take a range of deterrent actions to stop them. She pointedly called out Russia's cyberattacks on the US energy grid and its "brazen campaign" to interfere in the 2016 Presidential election as examples of hostile state-sponsored activity against the US.

"Our intelligence community had it right. It was the Russians," Nielsen said, referring to Russia's role in the US elections. "We know that. They know that. It was directed from the highest levels." Such attacks will not be tolerated going forward, she said.

The goal in establishing the new risk management center is to provide a focal point for information sharing between government and private industry as well as between organizations across different industry sectors.

Operators of critical infrastructure, most of who are in the private sector, often have a lot of the threat information that must be pieced together for a more complete understanding of cyber threats. But because the data is siloed, government and the private sector have hard a hard time putting cyber threats into proper context and understanding their full implications and effects, Nielsen said.

"The private sector can help us contextualize threats," she noted. "We will look to their expertise to help us understand how the pieces work together," in order to develop actionable responses to those threats.

Unlike previous attempts at fostering closer collaboration between government and the private sector, the new National Risk Management Center's mission is not just about enabling better information sharing. The center will also facilitate 90-day sprints, when organizations from different critical sectors will conduct joint tabletop exercises and other threat operations to identify common vulnerabilities.

Sprints for Security

The center will assemble a national risk registry that will identify and prioritize the most critical threats across industry so they can be remediated quickly. The first of the 90-day sprints will involve organizations from the energy, financial services, and communications sectors. Representatives attending the summit from these industries expressed support for the DHS plan.

"This was an obvious thing to do for a decade but it didn't happen," said John Donovan, CEO of AT&T Communications. Organizations that are in a defensive posture in cyberspace cannot rely on attacks and threats playing out exactly the way they might have prepared for them, he said.

In the future, "resilience is going to be a function of our ability to understand and share experiences," across sectors, he said. Each organization in critical infrastructure sectors has a piece of what it takes to solve a larger threat puzzle and true threat mitigation can happen only through collective information-sharing.

Tom Fanning, CEO of gas and electric utility Southern Company, said that previous tabletop exercises have shown big vulnerabilities exist at the points of intersection with other sectors. A collective approach to cybersecrity of the sort that is being enabled by the new risk center is vital because of the interdependencies between organizations in different sectors, he said.

"When we do our biggest tabletop exercises, one of the things we learn very quickly is that as resilient as we think we may be, we can always be better," he said.

A collective effort is also critical because attackers often are looking for the weakest link that provides a way to the strongest, said Ajay Banga, CEO of MasterCard. When an organization gets attacked, it does not always happen because the entity belongs to a specific industry, but because of the access they might provide to other organizations that are of interest to an attacker, Banga said.

But for truly collective defense to happen, government will need to change regulations to the point where organizations feel comfortable to say something if they see something without fear of legal repercussions, he said.

Related Content:

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16772
PUBLISHED: 2019-12-07
The serialize-to-js NPM package before version 3.0.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.to...
CVE-2019-9464
PUBLISHED: 2019-12-06
In various functions of RecentLocationApps.java, DevicePolicyManagerService.java, and RecognitionService.java, there is an incorrect warning indicating an app accessed the user's location. This could dissolve the trust in the platform's permission system, with no additional execution privileges need...
CVE-2019-2220
PUBLISHED: 2019-12-06
In checkOperation of AppOpsService.java, there is a possible bypass of user interaction requirements due to mishandling application suspend. This could lead to local information disclosure no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVers...
CVE-2019-2221
PUBLISHED: 2019-12-06
In hasActivityInVisibleTask of WindowProcessController.java there?s a possible bypass of user interaction requirements due to incorrect handling of top activities in INITIALIZING state. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction ...
CVE-2019-2222
PUBLISHED: 2019-12-06
n ihevcd_parse_slice_data of ihevcd_parse_slice.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.0 Android...