The private sector is the key to success for the Department of Homeland Security

With the inauguration of our 45th President of the United States recently behind us, a new administration will be met with emerging and imminent threats to our homeland. As new leadership is appointed by the President and confirmed, the U.S. Department of Homeland Security (DHS) will maintain a clear understanding of their role within the national security apparatus, and will continue the difficult work of keeping Americans safe and critical infrastructure secure.

John Kelly, the newly confirmed DHS Secretary and former Marine Corps four-star General, has recently addressed the numerous homeland security issues facing the country. His main focus will be on defeating terrorism, more robust cybersecurity protections, and infrastructure security and resiliency. DHS is a huge federal department with many moving parts. The agency includes Customs and Border Protection, Secret Service, Coast Guard, Transportation Security Administration, and numerous offices dedicated to cyber and physical security missions. However, while the 240,000 employees serve a critical role within government, it’s the private sector that will help and ensure continued success at DHS.

It is widely understood that over 85% of all critical infrastructure is owned and operated by the private sector. Power grid operators, water treatment specialists, and chemical process engineers are the first to encounter security threats at their particular work stations. These subject matter experts are typically supported by cyber and facility security professionals dedicated to keeping their systems and infrastructure secure. The first line of defense resides outside of government and lands squarely in the hands of private industry. Fortunately, industry has long had the support and interest from DHS.

Currently, the most significant reliability threat to the U.S. power grid is associated with squirrels and balloons, and not a coordinated cyber-attack inspired by state-sponsored hackers. However, we have recently seen noteworthy interest in disabling or destroying critical infrastructure. Coordinated attacks specifically targeting the grid are rare, but an attack by a disgruntled former employee, ideologically motivated activist, or a criminal stumbling across a “soft target”, could inflict significant damage.

DHS has always let the Sector Specific Agency (SSA), the Department of Energy (DOE), take the lead on coordinating response, recovery, and the security of the power grid. However, we may see DHS take a more active interest as a result of hackers causing a blackout in western Ukraine. After cutting off power to nearly 250,000 homes and businesses, this event demonstrated how a grid attack in North America could rapidly deteriorate and cascade into a catastrophic national security event. Under the new administration, it will be vitally important to increase information sharing with the electricity sector, provide additional security clearances, and tackle many of the lessons learned from grid security exercises.

The Chemical Facility Anti-Terrorism Standards (CFATS), one of the few regulations spearheaded by DHS, identifies and regulates high-risk chemical facilities to ensure they have security measures in place to reduce the risks associated with dangerous chemicals. Currently, there are approximately 2700 facilities falling into strict compliance with the 18 Risk Based Performance Standards (RBPS), which provide individual facilities the flexibility to address their unique security challenges. Chemical plants, oil refineries, and water treatment facilities have long worked with DHS, government coordinating councils, and the trade associations to ensure the regulation is effective and remains malleable to existing threats and vulnerabilities found within the sector.

While CFATS got off to a rough start in 2007, industry and government have seemingly ironed out many points of contention. The Top-Screen process, which identifies facilities responsible for economically critical and mission-critical chemicals, has been streamlined and made painless for industry users. In addition, compliance inspections are now underway and the “help desk” has been a resource for those wanting to gain valuable insight. With over 4,000 inspections complete, CFATS is an example of the government using the expertise found within industry to help craft compliance guidance to better protect high-risk chemical facilities.

The United States Coast Guard enforces the Maritime Transportation Security Act (MTSA) which allows for the authority to regulate facilities located on or adjacent to waterways under U.S. jurisdiction. The Coast Guard typically conducts at least one scheduled audit and one unannounced “spot check” each year. MTSA-regulated facilities must complete a Facility Security Assessment (FSA) that identifies and evaluates critical assets, critical infrastructures, and potential threats and vulnerabilities to those assets.

The facility must then develop and submit a Facility Security Plan (FSP). The importance of keeping our ports and waterways secure cannot be overstated. Approximately 90 percent of all global trade and over 25 percent of our Gross Domestic Product moves via the sea. A terrorist attack at our ports could severely disrupt the supply chain, which would be catastrophic to our economy. Private industry and the Coast Guard have a long history of working together to mitigate safety, security, and environmental risks to U.S. ports and maritime critical infrastructure.

Cybersecurity at DHS has turned into a top priority and the department has seen tangible progress. The National Cybersecurity and Communications Integration Center (NCCIC), which can be characterized as the federal government’s 24/7 hub for cybersecurity information sharing, technical assistance, and incident response has grown to be a very useful resource for industry.

In 2016, the NCCIC disseminated more than 6,000 bulletins and responded on-site to 32 cybersecurity incidents. With the recent classification of election systems as “critical infrastructure”, this will add to the mounting pressure for the department to expand its cyber resources, funding, and expertise. This expansion will only aid the private sector when they are faced with cyber threats and will assist with intrusion detection and prevention capabilities.

DHS recently released a refreshed version of its National Cyber Incident Response Plan (NCIRP), with a strong focus on how the U.S. can react to cybersecurity threats to critical infrastructure. The NCIRP describes a national approach to dealing with cyber incidents. In addition, it also addresses the important role that the private sector, state and local governments, and multiple federal agencies play in responding to incidents and how the actions of all fit together for an integrated response.

As mentioned above, the majority of infrastructure in North America is owned and operated by the private sector. Because of this, it is vital that the public and private sectors work together to share relevant threat information. Over the past few years, DHS, the FBI, and the Department of Energy have made considerable strides in improving information sharing and giving classified access to intelligence products such as bulletins, alerts, and secret level briefings.

These data points have been used to mitigate threats, reduce risk, and update internal security policies. This data flow has enhanced communications between security teams, management, and board members by providing authoritative threat warnings. Ultimately, information sharing is a two-way street. Private sector entities must remove the words “compliance risk” from their lexicon and readily share timely information as it happens.

Nobody knows their systems better than they do. Cybersecurity alerts coming from industry professionals are imperative to the collaborative exchange process. Simultaneously, federal intelligence partners must alert those within the private sector who actually have the ability to mitigate threats. This partnership can become stronger and timelier with additional security clearances given to the private sector.

Given today’s cyber and physical security threats to the nation, the boundaries between the private and public sector have blurred. Whereas traditional national security has been the domain of the federal government, homeland security is not solely the responsibility of federal agencies, but also of state and local government and the private sector. Homeland security is a shared responsibility that cannot be met by government alone.

Uninterrupted operation of basic services such as energy, communications, water, transportation, and unbroken access to other goods and services used on a daily basis are essential to America’s security, safety, economic vitality. Congressman Mike McCaul (R-TX), Chairman of the House Committee on Homeland Security, recently said that, “DHS needs to work more urgently to assist the private sector in defending the nation’s critical infrastructure, including communications, the electric grid and nuclear energy.”

This is a partnership and we need to lean on each other’s strengths and expertise.