On 31 July, the US Department of Homeland Security (DHS) held a National Cybersecurity Summit, featuring the nation's top homeland, national-security, and law-enforcement officials. The event featured Vice President Mike Pence; DHS Secretary Kirstjen Nielsen; Department of Energy (DOE) Secretary Rick Perry; Federal Bureau of Investigation Director Christopher Wray; Commander, US Cyber Command and Director, National Security Agency Paul M. Nakasone; DHS National Protection and Programs Directorate (NPPD) Under Secretary Chris Krebs; US Secret Service Director Randolph Alles; and DHS NPPD Assistant Secretary Jeanette Manfra.
The summit focused on the importance of collective defense between and among the critical infrastructure sectors as well as the importance of public/private partnerships. It featured chief executives and speakers from several large investor-owned utilities, oil and natural gas companies, rural electric co-ops, and large energy trade associations, as well as Fortune 500 chief executives, presidents of higher education institutions, and other key trade associations. Sectors represented included energy, banking/financial services, communications, information technology, transportation, and insurance.
DOE Secretary Perry focused on the increasing cyber risks to the energy sector as well as the role of the new Office of Cybersecurity, Energy Security, and Emergency Response at DOE created earlier in 2018. His remarks were consistent with the directives of the May 2017 White House Executive Order (EO) 13800. The EO included a standalone section focused solely on cyber risks to the grid, entitled "Assessment of Electricity Disruption Incident Response Capabilities," which resulted in a report that discussed the vulnerabilities to the grid and the challenges the electric utility sector would have in the event of a major cybersecurity attack.
At the summit, DHS announced the creation of a National Risk Management Center that will work in conjunction with the National Cybersecurity and Communications Integration Center. The center will look at the cyber risks to critical infrastructure, focusing on the nation's vital functions and the effects of a cybersecurity attack on them. It will also provide a focal point for companies and sectors to discuss cross-sector risk issues and identify better ways for key sectors to work together, as well as create joint action plans to manage and test responses to cyberattacks. This center will have a series of actionable work plans that will be structured in different 90-day sprints to ensure concrete plans are created and implemented.
The first project will focus on what Nielsen called the "trisector model," which will include energy/electric utilities, banking/financial services, and communications. The center will look at and work with other critical infrastructure sectors for similar projects as well.
DHS also announced the creation of an Information and Communications Supply Chain Risk Management Task Force. It will function under the umbrella of the center and focus on the communications and information technology sectors, looking specifically at cyber supply chain risk as well as vendor/third-party risks. The Federal Energy Regulatory Commission and the North American Electric Reliability Corporation have also been looking at cyber risk to the supply chain specifically for the electric utility sector for some time. The task force will look at creating policy structures to manage that risk and to work collaboratively with the private sector in doing so.