Industry leaders say ‘serious’ policy talks led way to DHS cyber summit

July 19, 2018

Department of Homeland Security officials have engaged in extensive policy discussions with the private sector leading up to the July 31 cybersecurity summit in New York City, according to industry leaders, who expect the event to underscore DHS’ commitment to cyber risk-management and collaboration.

Internet Security Alliance president Larry Clinton characterized the recent engagement as part of a renewed DHS commitment to partnership with the private sector, founded on risk management principles. “That provides the basis for a much more productive partnership,” Clinton said in an interview with Inside Cybersecurity.
DHS on Wednesday formally announced the upcoming summit to be held at the U.S. Custom House in Lower Manhattan. The departments of Defense, Treasury and Energy will participate, along with the FBI and NSA, and the event will feature leaders from “sectors including telecom, financial, and energy to lay out a vision for a collective defense model to protect our nation’s critical infrastructure,” according to a DHS statement.

Robert Mayer, senior vice president for cybersecurity at the United States Telecom Association, said Wednesday that DHS is “making a tremendous effort to make sure the event is successful” and called it “an impressive undertaking to bring together multiple agencies, sectors and CEOs to have an important conversation on cross-sector interdependencies.”

He noted that the telecom sector is already engaging with the electricity and financial sectors on cyber initiatives and pointed to USTelecom’s work with the information technology sector through the Council to Secure the Digital Economy.

“This is not going to be a one-shot wonder, it’ll set forth a journey of cooperation that’s essential to addressing rapidly evolving systemic risk,” Mayer said of the summit.

ISA’s Clinton said that, “leading up to the summit, there have been serious, productive conversations with industry on partnerships, cybersecurity spending, incentives, law enforcement and other issues. There have been ongoing weekly meetings, sometimes twice weekly.”

“The policy work has been far more intensive and serious than I’ve experienced before with DHS,” Clinton said. “The policy leadership has been much more in-depth. I chalk it up to the leadership” of DHS Under Secretary Christopher Krebs and Assistant Secretary for the Office of Cybersecurity and Communications Jeanette Manfra, under the overall leadership of Secretary Kirstjen Nielsen.

The New York summit was Nielsen’s brainchild and is seen internally at DHS as a way to showcase the department’s strength on cyber policy and a platform for illustrating its vision and goals.

Nielsen and her senior deputies have made clear that collaboration and industry leadership are key components to the department’s strategy and will be a focus of the summit.

“Manfra has a wealth of experience and contacts,” Clinton said, “and has always been eager to engage with the private sector. Krebs and I were on the [Information Technology Coordinating Council] together when he was at Microsoft and he has a lot of background and contacts.”

The DHS leaders “have done a good job of listening, and industry has come forward and been even more assertive on what needs to be done.”

Part of that, Clinton said, is related to the evolution of the cyber threat and part is due to an evolution in government thinking.

“Previously, some people were looking for quick fixes, but we need a comprehensive approach, we need proper incentives. This is more of a maturation process, we’re evolving away from the ‘blame-the-victim’ model. That took a long time.”

Clinton, in years past, praised the Obama administration for collaborative initiatives such as developing the framework of cybersecurity standards, but complained that the previous administration’s work often neglected the economic side of cybersecurity — an assertion that the Obama team was always quick to dispute.
Now, DHS’ Krebs “is being very articulate about the differences between the public and private sector, that there is a gap in how we address the issue [of cyber risk],” Clinton said. “For many years there was an assumption that it was the same — that if only industry would spend more the problem would be solved.”

Clinton noted, “But appropriate spending for industry is different from what it is for government — companies have to make money and government has national security, privacy and other concerns that are different.”

These differences, Clinton said, “are realities and legitimate. But that is just now being appreciated on the government side.”

| Inside Cybersecurity