What Wells Fargo’s cyber boss is doing to protect critical infrastructure
The National Infrastructure Advisory Council is picking up where it left off.
Rich Baich, chief information security officer at Wells Fargo, will begin an indefinite term on the committee next month, more than one year since it NIAC released its most recent public report on cybersecurity.
The executive group, charged with providing the president and secretary of Homeland Security with advice on how to secure the U.S. critical infrastructure sectors and their information systems, largely has kept out of the public eye. In August 2017, eight members resigned from the council, citing President Donald Trump’s “insufficient attention” to growing threats and his reaction to a white nationalist rally Charlottesville, Va. in which a counter-demonstrator was killed.
Little has happened since those resignations. Existing council members have met since 2017, though according to its website NIAC last submitted a report to the president and Department of Homeland Security in August 2017. That publication was a list of recommendations on how the U.S. should secure its cyber assets.
The White House in April announced that William Fehrman, CEO of Berkshire Hathaway Energy, would join NIAC. But Baich’s appointment, first revealed in September, could be an indication NIAC is revisiting cybersecurity amid growing awareness about threats in critical infrastructure industries like financial services, healthcare and the energy sector.
Baich will join an existing council of 20 members, including Benjamin Fowke, chairman and CEO of Xcel Energy, James Murren, CEO of MGM Resorts, and Keith Parker, CEO of Metropolitan Atlanta Rapid Transit Authority.
NIAC’s charter, which allows for up to 30 members, states that the council is meant to enhance public and private sector partnerships, and offer guidance on how organizations can harden their defenses.
“Both the public and private sectors have unique capabilities and when we bring those things together we can do a lot more to stop some of these cyber threats,” Baich told CyberScoop. “There’s an opportunity for collective efforts to enhance the nation’s resilience across all sectors…This continues to be one of the most important issues for our country.”
For more than a decade Baich has quantified cyber risk by measuring known vulnerabilities, threats, the value of corporate assets and the likelihood of a security incident. Asset value will rise as critical enterprise information becomes more valuable, for example. The likelihood of a breach may increase as firms become more reliant on technology, or if another company in the supply chain is hacked.
Minimizing any one factor can help an organization lower its overall cyber risk, Baich said. It’s a mentality he will keep in mind as he begins his government role.
“One of the things I’m going to suggest we focus on and begin to understand, and it’s a big potential issue, is dependencies in our critical infrastructure,” he said. “For example: a financial institution may be able to continue working during a crisis, but how would you carry out a transaction if the power is down? A big goal is going to be understanding our dependences like that, and what is an acceptable level of risk.”
The advisory group had previously called on the Trump administration to take “bold, decisive action” to better protect U.S. cyberspace. A list of 11 recommendations included streamlining the security clearance process to speed up government breach response time, establishing secure backup communication networks, declassifying more threat information, and identifying best scanning practices to more quickly identify threats on government networks.
“It’s a matter of understanding all the risks and prioritizing them so you spend your time chasing key [priorities],” Baich said. “That’s the key point for all this.”
