Questions linger as DHS eyes strategic boost from ‘cyber summit’

June 18, 2018

The Department of Homeland Security’s planned July 31 cybersecurity summit in New York City offers a chance for DHS to underscore both its central role on federal cyber policy and its bonds with the private sector, but private-sector sources are pressing for more details — quickly — as the event rapidly approaches.

Coming just over 14 months after President Trump’s cyber executive order, the summit could be viewed as similar to gatherings sponsored by the Obama administration — on release of the framework of cybersecurity standards in 2014, for example, or a 2015 event at Stanford University to unveil an executive order on information sharing.

The latter event, one industry source said, was also put together on a short deadline, perhaps resembling the process around this one, in which DHS leadership has essentially created an eight-week window to pull off a major public-private undertaking.

Summit details are still being finalized, according to DHS, but private-sector sources have said the event is being driven by DHS Secretary Kirstjen Nielsen and that participation by the president or vice president is a possibility.

It was characterized by sources as a “CEO summit,” with participation expected from leaders of companies in critical infrastructure sectors. One source said initial planning foresees seven CEOs participating in a roundtable with Nielsen, followed by panels with federal officials and other private-sector leaders.

“The DHS National Cybersecurity Summit will bring together a diverse group of stakeholders across government, industry, and academia to reinforce DHS’s collective defense mission and its commitment to working across a wide range of industries and sectors to protect critical national functions,” the Office of Infrastructure Protection said in a June 5 email circulated to sector coordinating councils.

“Through panels, keynote addresses, and breakout sessions, the Summit will aim to advance substantive discussions on important cybersecurity and infrastructure protection risk management issues,” the email stated.

A variety of industry sources cited concerns about the lack of details so far, noting that CEOs need lead time before joining such events and are going to want a full picture of the summit’s format and goals before signing up.

“Other than a save-the-date and some very high-level topics for panel discussions, there is a lot of head-scratching across industry,” commented one industry source.

And how, the source asked, will DHS pick seven CEOs?

“They are cognizant that the date is close — it’s six weeks from now and that makes it difficult,” another industry source said of DHS. “They’re going to have to be flexible in terms of who participates. If they’re talking about high-level executives, their schedules are typically a year to 18 months out. CEOs want to know what they are getting into, what the expectations are.”

The source added, “We need to know more about the nature of the program before anyone hops on.”

On the other hand, Internet Security Alliance president Larry Clinton said “having a Cabinet-level cybersecurity event at this stage is very appropriate and welcome.” He noted that DHS and the administration, through the 2017 executive order and a series of subsequent reports, are “developing a more sophisticated model to understand cybersecurity” through a risk-management lens, which he said is “very good.”

“These things have been put on the drawing board and deserve to be further developed and highlighted,” Clinton said, adding that “bringing in CEOs is good.”

Newly confirmed DHS Under Secretary Chris Krebs and Assistant Secretary for the Office of Cybersecurity and Communications Jeanette Manfra at separate events last week both described the department’s evolving role and a sharper definition of its cyber strategy.

“The priority I’m placing across the organization, is that we are going to operate based on a set of requirements identified by our stakeholders, period, full stop,” Krebs said June 14 before the National Infrastructure Advisory Council, which is made up of industry leaders in the 16 sectors deemed critical infrastructure. “Define a requirement, that builds the demand signal, and I can align resources against it, because why else are we here except to respond to the requirement that comes from the critical infrastructure community?”

On the same day, Manfra at the Akamai Government Forum said, “Everyone is thinking about that individual risk, we need to understand national risk, and so the approach that we’re beginning to take is we’re thinking about the concept around what we’re calling national critical functions.”

Manfra added: “What are the functions that our nation, our citizens, our residents, those who come here to live or just hang out, what are those functions that they depend upon. This sort of rigorous thinking about what is critical to our nation’s functions hasn’t been done in a long time, and it totally hasn’t been done with the thought of our IT dependencies on those functions, and so we’re going to take a step back, we’re working very closely with industry to think about, what are the functions that your industry performs?”

On June 13, the morning after Krebs was confirmed by the Senate, the under secretary underlined his point at a Forcepoint conference: “There is a nasty rumor in town that there is no cybersecurity leadership … there is a plan … there is a strategy.”

And that, he said, is grounded in the National Protection and Programs Directorate’s mission as “the lead for national risk management.”

ISA’s Clinton last week saluted DHS for more clearly defining its focus on risk management and prioritization, but other industry sources have said the recently released reports mandated by Trump’s cyber executive order still don’t add up to a national strategy.

“All of this still needs to be drawn into a coherent policy,” said a financial-sector source. “It comes down to implementation and there are still a lot of holes on implementation.” This source, like Clinton, praised the emphasis on risk management but said that still needs to be translated into implementation.

At the same time, the source said the finance sector will participate in the cyber summit

| Inside Cybersecurity