As we go to press, the U.S. Congress is threatening to suspend funding for the Department of Homeland Security (DHS). Some members are even calling for its dissolution. But assuming it's still around when you read this, you might consider enlisting DHS in your efforts to improve cybersecurity.
"Many of you folks think cybersecurity is all about technology," said Gregory Touhill, retired brigadier general and now deputy assistant secretary of cybersecurity operations and programs at DHS, speaking to attendees of the recent ARC Forum. "I'm here to tell you cybersecurity is not a technology issue; it's a risk-management issue."
Start by recognizing the full value of your assets. "Do you know how much your information is worth?" Touhill asked. Businesses too often fail to account for intellectual property when determining the value of at-risk assets.
Recognize that cybersecurity is a 24/7 responsibility, and that no single piece of software or other technology offers fail-safe protection against cyber threats. "Are you training your workforce to take the same cybersecurity precautions at home as they do at work?" Touhill asked. Sophisticated hackers have begun targeting companies' high-ranking employees at home. "Threats will hunt you down at home to get access to your work," he said. "They'll hack your home network to get a vector."
It's not just nation-state bad actors or individuals who are looking to sell stolen protected information. "Hacktivists—folks who don't necessarily agree with your company's mission or core values," may look to damage a company, Touhill said. Then there are those in your own organization who are simply "stupid," he said.
Many industrial control systems were not designed for security. Companies are adding potentially vulnerable capabilities like remote access, wireless and mobile, with no dedicated on-site cybersecurity expertise. They may need help fitting these into a security strategy.
With that in mind, on February 12, DHS announced a new Critical Infrastructure Cyber Community C³ Voluntary Program. Pronounced "c-cubed," C³ is a public-private partnership designed to help industry adopt the National Institute of Standards and Technology (NIST) Cybersecurity Framework. The framework consists of standards, guidelines and best practices to protect critical infrastructure through cyber risk management.
Touhill was at ARC to announce the C³ program and advised attendees to adopt NIST's five-pronged, "defense-in-depth" core:
- Identify and inventory your valuables. Put an asset valuation on your intellectual property, and put that value on your balance sheet.
- Protect them appropriately, according to their value.
- Detect aberrant behavior. Get the tools and training to know when you're under attack.
- Respond according to a plan you develop before you're attacked. Practice the plan.
- Recover, again with a practiced plan.
I'm sure you want a literal explanation of C³, so here's what DHS says: "The C³ Voluntary Program emphasizes three C's: Converging critical infrastructure community resources to support cybersecurity risk management and resilience through use of the framework; Connecting critical infrastructure stakeholders to the national resilience effort through cybersecurity resilience advocacy, engagement and awareness; and Coordinating critical infrastructure cross-sector efforts to maximize national cybersecurity resilience."
The primary goals of the C³ Voluntary Program are to support industry in increasing cyber resilience, to increase awareness and use of the Cybersecurity Framework, and to encourage organizations to manage cybersecurity as part of an all-hazards approach to enterprise risk management.
Think of it as a DHS community outreach program for NIST. "First, help yourself," Touhill said. "The government can't keep you free and give you absolute protection. Put risk management on your corporate agenda."
Then take advantage of your tax dollars at work. Touhill said DHS offers help through the Cyber Information Sharing and Protection Act (CISPA), under which companies can anonymously share information about cyber attacks. DHS also provides cybersecurity evaluations, consults with companies, sends emergency teams into the field to respond to attacks, and issues bulletins about emerging cyber threats.
"It's a cyberhood neighborhood community," Touhill said. "We need to watch it."