ARLINGTON, Va.–As the Department of Homeland Security looks to strengthen a collective defense approach to cyber security between government and industry, it is working with the private sector to help develop a mutual understanding of the roles and responsibilities of all stakeholders in preparing for and responding to incidents and events, according to a department official.

“Every stakeholder that’s involved in managing a national critical function should have a playbook for how we would respond and mitigate the consequence” of attacks on, and disruptions to, these functions, Jeanette Manfra, the assistant secretary for the DHS Office of Cybersecurity and Communications, said in an interview this week. There are “plenty of playbooks” already but “We want to make sure we have that mutual understanding” so that everyone is on the same page, she said.

DHS Assistant Secretary for the Office of Cyber Security and Communications. Photo: Department of Homeland Security.

Last December, Manfra said that following North Korea’s WannaCry ransomware attack that struck computer systems globally in May 2017, DHS wanted to find ways to work better and more closely with the private sector. These common playbooks are just one area that Manfra and her team are seeking to work on to enhance the collaborative approach with industry to develop a collective defense model for cyber security.

In July 2016, then-President Barack Obama issued Presidential Policy Directive (PPD) 41 on cyber incident coordination for the U.S. government, which outlined the roles and responsibilities for the federal government in responding to cyber incidents. Manfra told Defense Daily on July 16 in her office that the new effort about roles and responsibilities is an evolution from PPD-41 and takes it to the “operational level,” to include the private sector.

“Does the electric company know what DHS is going to bring to the response?” Manfra said. For “the Internet service providers, do we have a clear understanding of what they can and are allowed to do in a major incident response.” Industry is committed to this and has been, she added.

Manfra’s office is part of the National Protection and Programs Directorate (NPPD), which she said has a “national risk manager” function for the country in terms of cyber and infrastructure protection. DHS doesn’t own or manage all the risk, but for NPPD this risk manager task is one of the founding “concepts” of the organization, she told Defense Daily on July 16 in her office.

Manfra is also working with the Federal Emergency Management Agency with regard to cyber incident scenarios and the National Response Framework Doctrine.

At a speech in June, Manfra said DHS is working with industry on identifying the national critical functions that the U.S. and its citizens depend on and what the risks to these are. These functions and services are frequently provided by the private sector but also the government and are still being defined, and could include things like a stable financial system, clean water supply, and resilient communications infrastructure.

Ultimately, there will be a list of national critical functions that are high level, and from there the risks to those functions will be fleshed out, stakeholders that deliver these functions will be identified, and instrumented systems indicators and warnings that these functions are being attacked or jeopardized will be more clearly established, Manfra said in the interview.

Industry sectors have already been working on critical functions and related risks and the new effort is around so it’s all being done from “scratch,” she said.

“So sort of what that means is we’re all kind of on the same page in terms of, if I’m looking out for these types of things and I provide an alert to the financial sector it can be more directly connected to a critical function or service vice the entity itself,” Manfra said.

Manfra, in the June speech at an event hosted by Akamai Technologies, mentioned the need for an “instrumented system” for industry and government to share indicators and warnings more effectively. She told Defense Daily that as industry sectors and the government fully understand system risks and the indicators and warnings, it comes down to improving the sharing of information.

Some of the improved sharing can be done through more automation and it also entails a deeper dive by stakeholders on the analysis side and then operationalizing the responses, she said. DHS for the past few years has had in place an automated portal for sharing cyber threat indicators within the federal government and between the government and the private sector.

Manfra said the Automated Indicator Sharing portal can be improved to provide more contextual information around threat indicators and that, in general, DHS wants to share these indicators with “as broad of a base as possible.” Part of this is to get more trust from industry and for DHS to keep evolving the system, she said.

On the analysis piece, Manfra said she wants to take better advantage of the existing Cyber Information Sharing and Collaboration Program (CISCP), which is a mechanism for DHS and participating companies to share information about cyber threats, incidents and vulnerabilities.

There are quarterly technical analysts’ exchanges within the CISCP that “are going well” but “we want to build that forum to really hone in on priority issues,” she said. “It’s cross-sector, which is very useful because you get banks talking to aviation, sort of at that analytic level, which we think is really important.”

“So there’s some newness in it that we want to add more capability to it but we’re not changing the fundamentals of the program in any way,” she said of CISCP.

To Manfra, her vision of collective defense is “this sort of broad bucket of, if you’ve got these national critical functions and we get to this place where everybody in industry and government understands what their role is in defending those critical functions, and we’ve got, whether it’s information sharing programs, sensors, automated sharing, whatever the mechanisms are, the right mechanisms, is that we’re all positioned to work together to defend those critical functions.”