The First National Cybersecurity Summit

On July 31, 2018, I attended the first National Cybersecurity Summit at the US Customs House in lower Manhattan. The building itself was constructed around 1902-1907 in order to collect tariffs. Teddy Roosevelt was President and tariffs were a subject of divisive national debate. Global issues were still in evidence at the Cybersecurity Summit, with the administration promoting new initiatives to protect US critical infrastructure and democratic processes. In attendance to support these new initiatives were Vice President Pence; Energy Secretary Rick Perry; FBI Director Wray; General Paul Nakasone (NSA and US Cyber Command); Kirstjen Nielsen, Secretary of DHS; Chris Krebs, head of DHS’s NPPD (National Protection and Programs Directorate); as well as CEOs from industry and leaders from academia. Audience members filled the 350-seat auditorium and spilled over into another viewing room down the hall.

So, what was new, if anything? Secretary Nielsen announced the new National Risk Management Center (NRMC), designated to be a focal point within the government for private-public collaboration on cyber-related risk issues. You can find the fact sheet on NRMC here. It is interesting that the word “cybersecurity” is not in the name of this group. Two thoughts: maybe she is thinking the term will go out of favor. Also, many of the real risks to society and the economy are second- and third-order effects, not just the initial cyber-attack consequences. To start, the focus in NRMC will be on the financial, energy and ICT (Information and Communications Technology) sectors. A 90-day sprint will be initiated. The NRMC Director is yet to be named.

A second new direction was articulated by Vice President Pence, when he argued that the previous administration had been weak on cyber preparation and response; now the Trump administration is reversing that strategy with stronger action in both areas. Given that everything in DC must have a political component, this sounded like one positive step for better cybersecurity both within government and in the private sector.

The NRMC sounds promising; I am hoping it does not just focus on incident detection and response. Risk management includes the whole lifecycle: identify, protect, detect, respond and recover. I would like DHS to share more proactive information regarding cyber-attacks. The 2015 Cybersecurity Information Sharing Act did call for the Federal government to share best defensive practices based on ongoing analysis of threat indicators. I call this “evidence-based security”. This is needed to develop cost-effective defenses ahead of the next attack. Unfortunately, the supporting legislation in Congress, HR 5074, does seem to focus on attack detection and remediation. Another new private group, the Financial Systems Analysis & Resilience Center, is focusing on analysis of strategic cyber risks within and between member banks.

One more note from the Summit: the President’s NSTAC (National Security Telecommunications Advisory Committee), which has been working on a Cyber Moonshot study, will report out in the next couple of weeks. This could be the overall risk management and mitigation program that we need.

Frederick Scholl

Frederick Scholl is an accomplished Global Senior Information Security Risk Manager. Dr. Scholl earned a BS and Ph.D. in Electrical Engineering from Cornell University. In 1991, Fred founded Monarch Information Networks, LLC to enable forward-thinking organizations to protect their information. Previously, he co-founded Codenoll Technology Corporation (NASDAQ: CODN). He chaired the IEEE committee that wrote the first standard for Ethernet communication over fiber optic links, now used world-wide.
