The Department of Homeland Security is collaborating more closely with industry to come to an agreed understanding of national risks to critical functions from cyber threats rather than just to systems and assets and then have a common warning system in place to respond to these threats, a department official said on Thursday.

The cyber threat also puts the private sector directly on the “front lines,” which means industry and government have to provide alerts and warnings, said Jeanette Manfra, the assistant secretary for the DHS Office of Cybersecurity and Communications.”

DHS Assistant secretary for the Office of Cyber Security and Communications. Photo: Department of Homeland Security.
DHS Assistant secretary for the Office of Cyber Security and Communications. Photo: Department of Homeland Security.

“I also believe, and we’ve been talking about this in a concept of a collective defense model, that those who participate in managing some aspects of those risks also have a duty to ensure that other members of that ecosystem are aware of what may be going on,” Manfra said at cyber security conference in Washington, D.C., hosted by Akamai Technologies.

Last December, Manfra said that DHS is looking for ways to work more closely and collaboratively with the private sector in formal and sustainable ways that go beyond the real-time sharing of cyber threat indicators. This enhanced collaborative approach stems from North Korea’s WannaCry ransomware attack that affected hundreds of thousands of computer systems globally but was largely thwarted in the U.S. through close cooperation among DHS, industry, and other partners.

Manfra said that DHS is beginning to work with the private sector on understanding “national critical functions,” which are those that people depend on daily, such as clearing financial transactions and ensuring a clean water supply and represent “national risk.” Once these functions are understood, then it’s time to “drill down” to linking their dependencies on networks, systems and platforms, she said.

Most organizations, regardless of whether they are in the government or private sector, have typically approached risk from a compliance-based approach that has little to nothing to do with fulfilling their missions, Manfra said. And until the past few years, these compliance-based risk assessments were delegated to the technical authorities in organizations rather than being addressed by their leadership, she said.

Once a “mutual understanding” of the national critical functions and the risks to those is achieved, Manfra said there will have to be a change in the “outputs of what we previously have been calling information sharing.”

“What we really need to do is think about, ‘do we have a well instrumented indicator and warning system across our country between industry and government,’” and also need to be “thinking about how do we alert and warn somebody if there’s an adversary trying to disrupt those,” she said.

“I think that’s a really important way to change the notion that it’s not just the government pushing out alerts, and bulletins, and people wondering which of these…you need to pay attention to,” Manfra said. “It’s about actually having an instrumented system that people know how to communicate with each other and how to connect the dots very quickly.”

This puts industry on the front lines and “That changes how the government works.”

Manfra said that DHS has made progress with “a couple of industries,” including the financial sector, in the area of understanding critical functions and how to work collaboratively on sharing warnings of threats.

The financial sector worked “In a really promising way where they pretty much own the entire process and they were able to boil down a key function into actual indicators and warnings that both government and industry can have access to and can ensure that we’re appropriately looking for anything that would alert for those” indicators and warning systems, she said.