Homeland Security News 

Johnson: DHS Must Build Trust With Private Sector to Counter Cyber-Attacks 

2,014 

By Yasmin Tadjdeh 


Department of Homeland Security Secretary Jeh Johnson

As cyber-attacks increase, the Department of Homeland Security must begin building trust with the private sector if it hopes to quell more widespread and sophisticated intrusions, said the department’s new secretary.

“DHS must continue efforts to address the growing cyberthreat, illustrated by the real, pervasive and ongoing series of attacks on things like stores, banks, email services, power substations and the public that depends on them,” said Jeh Johnson at the Woodrow Wilson Center, a Washington, D.C.-based think tank.

“Here, the key to the government’s efforts is to build trust with the private sector.”

Pervasive cyber-attacks are now a reality, said Johnson. Last year, President Barack Obama issued an executive order that aimed to improve cybersecurity within critical infrastructure. The order called for, in part, the development of incentives to encourage the private sector to share information about attacks with the government.

The executive order came on the heels of the failure of the Cyber Intelligence Sharing and Protection Act of 2011. CISPA, which failed to pass Congress in 2012, was designed to promote information sharing of cyber-attacks among the private sector, but critics said it could erode civil liberties.

Jane Harman, president and CEO of the Wilson Center, said one of the criticisms of CISPA was that DHS was not “well managed” enough as a department to take the reins.

“The big objection two years ago was it’s not a well managed department — I’m not saying this is fair, but this was the objection — and we’re wary of cooperating with [them],” said Harman.

Johnson said he did not disagree with Harman and that leadership is needed to increase trust between the department and industry.

“I think that the key … to answer the dilemma … is visible leadership. Good leadership, but also visible leadership,” said Johnson. “I think that we have to be fairly transparent to become familiar with the private sector, to become familiar with the public, so that we build trust.”

Johnson said he has plans to meet with different private sector companies throughout the country in the coming weeks and months.

Larry Clinton, president and CEO of the Internet Security Alliance, agreed that there is a trust issue between government and industry.

“There is a lack of trust on both sides. The government, for the most part, hasn’t trusted industry to treat sensitive information appropriately. They are afraid it will leak out to the bad guys,” said Clinton. “Industry, on the other hand, is very concerned that if they share information with the government, proprietary information will be compromised.”

One way to overcome this trust issue is by changing the nature of what data would be exchanged under an information sharing agreement, Clinton said.

“When government is looking at cyber-attacks, what government really is focused on most of the time is the source of the attack. They want to know who did this — [is it] the Chinese, is it the Russian mob?” said Clinton. “Industry, frankly, doesn’t care about that really. They don’t care whether it’s the Russians or the Chinese who are stealing their intellectual property. They want it stopped.”

If just technical information can be shared that doesn’t include proprietary data, but still gives enough information about the source of the attack to the government, both sides can work together, Clinton said.

“If we can do that, if we can change the nature of the information that is being shared, so that it doesn’t have any issues for industry and it doesn’t have any issues for the government, we can overcome some of the trust [problems],” said Clinton.

Photo Credit: Defense Dept.
Reader Comments

Re: Johnson: DHS Must Build Trust With Private Sector to Counter Cyber-Attacks

DOH Security Secretary Jeh Johnson is right-on-point in this assertion that "As cyber-attacks increase, the Department of Homeland Security must begin building trust with the private sector." Any plan, aimed at protecting U.S. critical infrastructure from cyber-attacks will have to entail developing a systematic approach where the government, private sector, and academia work together in the development of common practices and processes for protecting these elements and assuring their continued operation (Reno, 1998; Chabinsky, 2009). As the escalation in the use of information technology to improve performance, increased competitive pressures from deregulation and globalization, and the concentration of operations in a smaller number of facilities to decrease costs, has heightened security of critical operations and thus stepped up sophisticated IT system, intrusion capabilities vulnerability of U.S. critical infrastructure become equally increased (DHS, 2009).

U.S. critical infrastructures consist of a large sector that contains many basic necessities of our daily lives.

Such necessities include (a) food, (b) water, (c) public health, (d) emergency services, (e) energy, (f) transportation, (g) information technology and telecommunications, (h) banking and finance, and (i) postal services and shipping (GAO, 2004). One common element of all of these critical infrastructures is that they “...increasingly rely on computers and networks for their operations...” (p. 3).

One further feature of the U.S. critical infrastructures is that “...many of the infrastructures’ networks are also connected to the public Internet...” (p. 3).

The public-at-large has benefited in various ways since the inception of the Internet. This benefit has been realized by individual citizens, public, and private organizations (GAO, 2004). U.S. critical infrastructures have also established an increased reliance on networked systems attached to the Internet and intrusion risks via the Internet have increased the risk of cyber-attacks that could harm our nation’s infrastructures (GAO, 2004; The White House, 2009).

DHS needs assistance in systematically assessing threats to critical infrastructures. Moreover, the DHS needs information sharing among stakeholders and assistance in establishing common practices and processes for detecting, deterring, or mitigating probable damages occurring to U.S. critical infrastructure resulting from a cyber-terrorist attack.

The lack of a systematic approach to combating these issues continues to be of importance to public and private stakeholders across the nation (Johnson, 2012).

The impact of a cyber-based attack via the Internet or critical network nodes would be devastating to U.S.’s economy, psychology, and pride of the nation.

The nation, therefore needs to approach the evaluation of the terrorist threats, identification of critical infrastructure vulnerabilities and creation of common practices and processes in assessing threats to critical infrastructure from a multidisciplinary approach of systems engineering.

Research consistently shows that in approaching issues from a multidisciplinary approach of systems engineering in the identification of issues and developing the solution to problems and associated risks through design education, systems analysis, and other methods in addition to creating collaborative approaches with stakeholders is a very effective approach to problem solving (Bertalanffy, 1950; Kuhn, 1974; Sharp, 1991; O’Connor & McDermott, 1997; GAO, 2007).

These systematic methodologies coupled with collaborations are applicable to other disciplines in relating problem solving to organizational change initiatives.

Evidence from literature research suggests that this simple approach, allows the researcher to segment the issues and analyze them as interacting combination of elements as opposed to reacting to current results or outcomes of events and potentially contributing to further development of the undesired issue or problem (O’Connor & McDermott, 1997).

References:

Bertalanffy, L. von. (1950). An outline of general systems theory. British Journal for the Philosophy of Science, 1, 2.

Chabinsky, S.R. (2009). Congressional Testimony. Proceedings of the Senate Judiciary Committee, Subcommittee on Terrorism and Homeland Security. Retrieved January 10, 2010 from, http://www.fbi.gov/congress/congress09/chabinsky111709.htm.

Homeland Security Department (DHS). (2009). Ensuring a Secure Global Digital Information and Communications Infrastructure. Retrieved November 2, 2009 from, http://www.whitehouse.gov/issues/homeland-security.

Johnson, R.L. (2012). An analysis of IT governance practices in the Federal Government: Protecting U.S. critical infrastructure from cyber terrorist attacks. Retrieved 20 March 2014 from, http://search.proquest.com/docview/1022030532/citation?accountid=28165.

Kuhn, A. (1974). The logic of social systems. San Francisco: Jossey-Bass.

O’Connor, J. & McDermott, I. (1997). The act of systems thinking: Essential skills for creativity and problem-solving. San Francisco, CA: Thorsons Publishing.

Reno, J. (1998). Conference on critical infrastructure protection. Lawrence Livermore National Laboratory address by Attorney General Janet Reno, DOJ, 1-26.

Sharp, J.J. (1991). Methodologies of problem solving: An engineering approach. Vocational Aspects of Education, 42, 114-147.

The White House. (2009). Remarks by the President on securing our nation’s cyber infrastructure. Retrieved January 22, 2010 from, http://www.whitehouse.gov/the_press_office/Remarks-by-the-President-on-Securing-Our-Nations-Cyber-Infrastructure/.

U.S. Government Accountability Office (GAO). (2004). Critical infrastructure protection: Challenges and efforts to secure control systems. Retrieved March 14, 2010 from http://www.gao.gov/new.items/d04628t.pdf.

U.S. Government Accountability Office (GAO). (2007). Critical infrastructure: Challenges remain in protecting key sectors. Retrieved November 2, 2009 from, http://www.gao.gov/new.items/d07626t.pdf.

Dr. R. LeWayne Johnson on 03/20/2014 at 12:23

Re: Johnson: DHS Must Build Trust With Private Sector to Counter Cyber-Attacks

There is an enigmatic Catch 22 dilemma, which will always be present and in need of constant and SMARTR Vigilant Guard on Lookout for abuse and/or unauthorised use, in any service/information/program/project which delivers/claims to be able to deliver effective CyberIntelAIgent Security and Virtual Protection against crippling cyber attack with devastating anonymous intelligence penetration sorties on key vital systems and SCADA Command and Control Centres/Key Intelligence Hubs and Virtual Nodes.

And that is, putting it in its simplest and most easily understood form, one has to know how to attack and destroy such systems to know how to defend and save them from collapse, and to intelligent entities working effectively and successfully in such fields, is there always the question to be asked for answering …….. Is that which is being thought worthy to be defended and saved, worthy of security and protection and CyberIntelAIgent Security and Virtual Protection, or is the Great Game and bigger future picture better served with an attack and/or a whole series of interconnected and interconnecting attacks on an unworthy legacy establishment model/discovered systemic weaknesses vulnerable to 0day exploitation which renders the existing systems unpatchable and unfixable and therefore totally unfit for future better purpose?

And quite who and/or what would be fully qualified and able and enabled to answer that question is not something which is of major concern to all but those working the field and leading.

amanfromMars on 03/15/2014 at 04:36
