Critical Infrastructure, Security and Resilience Highlighted in November

National Critical Infrastructure Security and Resilience Month (CISRM) kicked off on Nov. 1. The month’s initiatives address risks such as extreme weather, aging infrastructure, cyber threats and acts of terrorism. Its timing is certainly appropriate, as the effects of recent hurricanes on infrastructures in southern states and Puerto Rico continue to be assessed, as well as Northern California’s devastating wildfires and the deadliest shooting massacre in modern U.S. history.

The month was created by the Obama administration and the Department of Homeland Security (DHS) hosts CISRM in an effort to promote education and awareness of the 16 critical infrastructure sectors that are vital to public safety and national security. Its page reads:

The evolving nature of the threat to critical infrastructure—as well as the maturation of our work and partnership with the private sector—has necessitated a shift from a focus on asset protection to an overarching system that builds resilience from all threats and hazards.

A CISRM toolkit provides companies with templates and drafts of newsletter articles, blogs, and other collateral material for use in outreach efforts. Activities geared toward business owners, public entities and private citizens focus on several key themes to enhance security and resilience, including:

  • Highlighting interdependencies between cyber and physical infrastructure
  • Pointing small and medium-sized businesses to the free tools and resources available to them to increase their security and resilience through Hometown Security and the four steps of “Connect, Plan, Train, and Report”
  • Promoting public-private partnerships
  • Fostering innovation and investments in infrastructure resilience

In his proclamation of CISRM earlier this week, President Trump further committed to helping businesses invest in “needed capital and research and development by reducing burdensome regulations and enacting comprehensive tax reform.” The proclamation states:

We will also renew our Nation’s focus on ensuring that the next generation has the education and training, particularly in science, technology, engineering, and math, required to meet the known and unknown threats of the future.

Overall the United States’ infrastructure is among the top 18 in the world, according to the 2017 FM Global Resilience Index, which aggregates data to help companies identify their key supply chain risks. The U.S. continued to hold high rankings among 130 countries based on drivers in three categories: economic, risk quality and supply chain factors. The U.S. is segmented into three regions to reflect disparate natural hazards exposure:

  • Region 1, encompasses much of the East Coast, is ranked #10 in the index (a one-spot upgrade from last year)
  • Region 2, primarily the Western U.S., is ranked #18 (a three-spot upgrade)
  • Region 3, which includes most of the central portion of the country, is ranked #9 (down three places)

Although the federal government is less focused on asset protection, business owners can still get involved by safeguarding workplaces. In its October 2017 edition, CLM magazine noted that another path toward resilience involves reducing property damage caused by extreme weather and natural disasters. Literally looking to the sky is one suggestion; business and property owners should pay particular attention to their roofs in order to prevent degradation and enable them to withstand high winds.

“Property owners need to have maintenance personnel adopt and implement preventative maintenance and roof inspection programs that alert them to potential and active degradation,” wrote the authors of the article, “Time For Resilience.” “Weak links such as roof detachment, corrosion, or other damage could tear off roofing during an enhanced wind event. Such risks need to be mitigated before an event occurs.”

Ready.gov provides resources on disaster planning and management, and also has this section on Business Continuity.

Top Obama Administration Officials, Law Enforcement Reach Out at RSA Conference

loretta lynch at RSA

Attorney General Loretta Lynch addresses RSA Conference 2016

SAN FRANCISCO—Many of the Obama administration’s top brass are here in force, addressing some 40,000 practitioners from every part of the technology and information security industry at the annual RSA Conference. Set against the backdrop of the ongoing fight over between Apple and the FBI encryption and backdoors, the tension ebbed and flowed during sessions with Attorney General Loretta Lynch, Secretary of Defense Ashton Carter, and Admiral Mike Rogers, U.S. Navy Commander, U.S. Cyber Command, and director of the NSA. While many speakers will not address the issue directly, the subtext is clear throughout the show, particularly as the public battle brings considerable interest to the privacy and security issues the RSA has centered on for 25 years.

Indeed, in his keynote address, RSA President Amit Yoran called law enforcement’s current stance on encryption “so misguided as to boggle the mind.” Brad Smith, president and chief legal officer of Microsoft, chimed in as well, asserting that we cannot keep people safe in the real world unless we can keep them safe in the virtual world. He lauded Apple and pledged that the tech giant would stand with Apple in its resistance.

Ash Carter at RSA

Secretary of Defense Ashton Carter in Conversation with Ted Schlein of Kleiner Perkins at RSA

While the gravity of the issue and the massive potential impact for many in the sector are boggling many minds here, the administration officials’ sessions also offered more broadly positive comments for businesses outside the tech sector. The conciliatory tone Lynch and Carter often struck centered on the critical need for partnerships between technology and government. They tried to emphasize the ways the administration is reaching out to private entities, both within Silicon Valley and across corporate America at large.

According to Sec. Carter, for example, the United States Cyber Command has three core missions: defending the Department of Defense’s network; helping American companies, the economy and critical infrastructure; and engaging in offensive cyber missions. The second is a key pillar, he said, as the DoD must keep in perspective that the strength of American entities is the strength of the nation. From threat intelligence to the Defense Innovation Unit Experimental he announced yesterday, to be helmed by Google’s Eric Schmidt, Carter believes there is considerable need for industry to engage with government on cyberrisk, and both parties have valuable assets to contribute. “Data security is a necessity, and we must help our companies harden themselves,” Carter said. Indeed, he wants both help for and from the industry. In closing, he said, “We are you. You pay us. We represent you and our job is to protect you, and we’d love to have your help.”

He also noted that the DoD is trying to learn a bit about managing its cyberrisk from the commercial sector’s best practices. “We do grade ourselves and we’re not getting good grades across the enterprise,” Carter told reporters Wednesday, according to Defense News. “I have these meetings where I call everyone in and we have these metrics which tell us how we’re doing [and] if you don’t score well, that is evident to the Secretary of Defense at those meetings.

“We don’t assume for a minute that we’re doing a perfect job at this,” he added. “That’s the whole reason for me to be here and the whole reason for me to be engaging with this community here at this conference.”

Carter also announced that the Department of Defense will be hosting “Hack the Pentagon,” a bug bounty program offering white hat hackers cash for finding and reporting vulnerabilities in the Pentagon’s websites. Many companies have been offering these programs to try to discover their exposure in a controlled setting, without the risk of reputation damage, personal information exposure and business interruption that accompany an unknown hacker finding them instead. Carter called these a “business best practice” to gauge preparedness.

Federal law enforcement also has a notable presence at RSA and is making a pronounced effort to reach out to businesses regarding cyberrisk, threat intelligence, and managing a cyberattack. Indeed, in one session Tuesday, panelists from the Department of Homeland Security, FBI and the White House urged a call to action for businesses to get serious about proactively building bridges with law enforcement and to make use of the many resources the administration is trying to activate to help private industry fortify against cyber threats. The government is working to make it easier for companies to turn to it for help, they said, and attitudes are shifting to more consistently recognize and respect victimized businesses and minimize business interruption.

Some in the audience expressed skepticism, such as one man who seized upon the Q&A portion of a session on government departments’ specific roles in fighting cyber criminals. He asked how the government can be trusted to help industry when it cannot protect itself. But corporate entities should be taking note, particularly of the services available. While many hesitate to share threat intelligence or even successful attacks, Eric Sporre, deputy assistant director of the FBI’s cyber division, stressed that FBI Director James Comey has made it a directive for FBI field offices to develop relationships with local businesses and to treat businesses as crime victims, not perpetrators. In responding to attacks, he noted, the Bureau sometimes even brings in victim services to holistically approach aiding in the investigation and recovery process.

Andy Ozment, assistant secretary for cybersecurity and communications at the Department of Homeland Security, also highlighted the preventative measures his department offers companies, including personal risk assessment services. In some cases, chief information security officers and other executives engaged in cyberrisk management functions have been getting DHS assessments, using them as a tool to drive investment or otherwise sell cyber upwards with the board or C-suite of their organizations.