U.S. Cybersecurity Hinges on Better Partnership Between DHS, Private Sector
Not enough is being done to secure America from cyberthreats to its critical infrastructure and economy, current and former Department of Homeland Security officials and lawmakers said Wednesday at a House Homeland Cybersecurity Subcommittee hearing. “Maintaining the status quo will not be enough to keep America secure,” said Ranking Member Yvette Clarke, D-N.Y. “In our rush to network everything, few stopped to consider the security ramifications of this new world we are creating, and so we find ourselves in an extremely dangerous situation,” she said.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
The most dangerous kind of cyber attack could debilitate both the U.S. financial sector and the electrical power grid, witnesses said. “Those are sectors where you notice adverse effects in milliseconds,” said Phillip Reitinger, deputy under secretary at the National Protection and Programs Directorate at DHS. The vulnerability of nonfederal information systems raises the risk of a “potentially devastating” blow to U.S. homeland security, said Gregory Wilshusen, director of information security issues at the Government Accountability Office. “Preparation is key,” he said. “The DHS can provide clear actionable alert and threat information and share it with the private sector.”
The need for better cooperation between government agencies and business was a major theme of the hearing. Despite increased federal resources and cybersecurity capabilities, there’s still a communication gap. Although DHS’s role in the cybersecurity realm is critical, all involved need to cooperate to combat this threat, Reitinger said. “We need to have a broad dialogue across public and private sectors about how we close the gap.”
Building relationships with those who pull the purse strings in the corporate realm is an important step in closing the communication gap, witnesses said. In business, “there are a lot of entities that get it and a lot that don’t,” said Reitinger. Company financial officers are often the first to realize the value and importance of securing corporate IT systems, he said. So DHS has made of practice of getting in touch with those at businesses with the power to make a difference, said Reitinger. “We want to talk to chief financial officers, chief operational officers, the people who cut the checks and say how this will affect your bottom line,” he said.
Often it’s more important for agencies to speak with executives and financial officers than with IT security professionals, said Phyllis Schneck, vice president and chief technical officer of McAfee. “The CEOs, the ones that drive the vision and the well-being of the company, and the CFOs that control all the money, those are the people that understand the need to mitigate the risk and the need to invest dollars forward so that you end up spending less later on repairing damage,” Schneck told us after the hearing.
Subcommittee Chairman Dan Lungren, R-Calif., asked whether DHS can balance its business outreach with privacy interests. “You have members of the public that are naturally suspicious of the federal government working with the private sector,” said Lungren. “While on the other hand we want companies to come forward about intrusions. How do we strike that balance?” The nonprofit sector could provide a solution to this problem, said Mischel Kwon, former director of the U.S. Computer Emergency Readiness Team at DHS. Some success can be achieved “if we take the government out of the sector and create a nonprofit where the private sector can share information,” she said. Government could take part in information-sharing in the context of neutral governance of the stakeholders, Kwon said.
The subcommittee expects a national cybersecurity strategy to emerge from the White House “very soon,” Clarke said, and DHS is finishing work on its National Cyber Incident Response Plan. Wednesday’s hearing was the first of several cybersecurity hearings to be held this session, Clarke said.