Matthew Travis, deputy undersecretary of the Department of Homeland Security’s National Programs and Protection Directorate (NPPD), said today that DHS’s recently-established National Risk Management Center (NRMC) represents the agency’s plan to play “the long game” in defending U.S. critical infrastructure sectors from attacks.
Speaking at an event organized by the Digital Government Institute, Travis recapped the highlights of DHS’s July 31 announcement of the NRMC and contrasted its activities with those of DHS’s National Cybersecurity and Communications Integration Center (NCCIC), which will continue its present function as a 24/7 cyber situational awareness, incident response, and management center that integrates input from the Federal government, intelligence community, and law enforcement.
He said NRMC was in one sense a “reincarnation” of DHS’s Office of Cyber Infrastructure Analysis, which was created in 2014 to implement Presidential Policy Directive 21–which calls for integrated analysis of critical infrastructure–and Executive Order 13636–which identifies critical infrastructure where cyber attacks could have catastrophic impacts to public health and safety, the economy, and national security–but said that NRMC was conceived “to do much more.”
Distinguishing NRMC’s mission from that of its predecessors, among other steps, will include taking analysts employed by critical infrastructure sectors and joining them with DHS personnel in order to assess critical infrastructure interdependencies, understand the cascading effects of attacks on various critical sectors, and “work on real risk reduction strategies.”
NRMC, Travis said, “is the difference between the long game and the short game” on cybersecurity protection, with NCCIC in charge of the short game, and NRMC working to “buy down” longer-term security risk.
He said DHS’ historical mission of providing cyber threat data to critical infrastructure sectors has been good so far as it went, but that the advent of NRMC represents “locking arms with industry” in order to come up with a “joint playbook” for defense of critical infrastructure sectors.
Two of NRMC’s initial areas of focus include tackling longer-term, systemic supply chain risks, and improvements to election infrastructure security. On the latter front, he said “we are getting great cooperation from the states,” and that DHS aims to make states “as ready as they can be” for the midterm elections this fall.
Asked whether blockchain technology would be useful for improving election infrastructure security, Travis call blockchain “interesting,” but instead advocated that state and local election authorities use paper ballots as a back-up system. “If everyone has a paper ballot backup then it doesn’t matter if someone got hacked,” he said.
Travis reiterated the oft-stated wish of DHS officials for Congress to approve legislation to create from NPPD a new entity called the Cybersecurity and Infrastructure Security Agency, which would separate those functions from NPPD’s other current operations–which include protection of Federal buildings, and biometric technology operations. “Let’s call us what we are,” he said of the proposed new DHS component agency.
More broadly, he shed light on NPPD’s daily view of the cyber threat landscape in somewhat stark tones.
“Everyday you will see activities from folks who want to do us harm,” he said of life at NPPD, and confirmed that Russia, China, Iran, and North Korea often are seen as the principal nation-state villains that are probing U.S. assets. “It’s every day…the cyber threat is increasingly creative and persistent.”
The question, he said, is “are we making the full investment that we need to meet the threats,” and he responded to that question by saying he is “not sure our actions are meeting that threat,” which he said warrants more attention from the government and the private sector.
