DHS leaders push cybersecurity risk assessment program for critical infrastructure companies
Secretary of Homeland Security Kirstjen Nielsen is pitching a new supply chain cybersecurity program in an effort to engage with some of the country’s largest critical infrastructure providers, including the oil, electric and water treatment industries.
“Our nation’s supply chain is being targeted by our most sophisticated adversaries with increasing regularity,” Nielsen said Thursday to a room full of people representing private sector companies. “We ask for you to work with us on this initiative … the goal of this initiative is to help stakeholders make better informed procurement decisions by providing them with supply chain risk assessment and mitigation recommendations.”
The program is focused on DHS authoring and providing digital risk assessments to companies and government agencies about products that they may acquire or install on their systems. The move comes after the federal government banned the use of Moscow-based Kaspersky Labs’ anti-virus software across government systems. In addition, legislation has been introduced that would similarly ban products made by Chinese tech firms Huawei and ZTE in federal agencies.
“As our cyber dependence increases and the connectivity of our networks and assets and data continue to grow, your risk — each of you individually in this room, each of your entities’ risk — becomes my risk,” Nielsen said at the small, private event in Virginia. “Government and industry must work together today more than ever if we are serious about improving our collective defense. This is a context and environment in which if we prepare individually then we will all fail collectively.”
Nielsen explained the program is still in its “early stages.” It was originally announced last week by Jeanette Manfra, assistant secretary for the Office of Cybersecurity and Communications at DHS, who spoke about the program at the Brookings Institute.
“We can’t just all throw up our hands and say, ‘It’s too complicated, I’ll never know where the code is coming from.’ At some point we will know; we can figure it out — collectively,” Manfra said on Feb. 24. “We’re working on building those mechanisms and DHS’s role in pulling that altogether, and also working with industry experts to refine what are the supply chain risks that we should be concerned about.”
In practice, the assessments will be measured against existing standards already created by the National Institute of Standards and Technology (NIST). Comparing these standards to each product’s computer code will be just one aspect of each available report.
It remains unclear how many companies have or are currently participating in the initiative, which was formally launched earlier this year by the National Protection and Programs Directorate (NPPD).
“We plan to continue to reach out to you and to other in industry to help us refine the scope of this issue,” Nielsen told the crowd.
