DHS building actionable response plans for cyber attacks on critical infrastructure

Thursday - 8/8/2013, 5:41am EDT

Jared Serbu reports.

Even as they analyze and respond to operational cyber threats on a day-to-day basis, officials at the Homeland Security Department's National Cybersecurity and Communications Integration Center (NCCIC) say they're working to build concrete plans that public and private sector responders can act on in the event of a major attack in the future.

The relatively new planning effort grew out of a DHS project designed to get a better understanding of the cyber tools at the nation's disposal. The project, dubbed Energizer, was a response to a 2011 presidential policy directive which told DHS to draw up assessments of the national resources available to respond to crises, including cyber attacks.

Larry Zelvin, NCCIC's director, said for the last year and a half, the center has been busily inventorying all the capabilities the nation could bring to bear in a significant cyber incident.

"But when we looked at all these capabilities, we said, 'OK, that's interesting, but how can we use this to be a little bit better?' So we looked at 10 major urban areas and a few critical infrastructure sectors to start, including finance, transportation, energy and communications," he told attendees at AFCEA's Global Intelligence Forum in Washington. "The challenge I put before the group was, let's say everything in Manhattan between 40th St. and Battery Park goes completely dark because of a cyber incident. Where do we go? What do we do? What is Con Edison doing, and when they come to government, what are they asking us for? Then we have to look at whether we have that ability, do we have that authority, and then we have to worry about funding. So we're trying, in a very proactive way, to look at those kinds of challenges, and we're working very closely with the FBI, the Department of Energy and the intelligence community as we try and get a better handle on that."

Zelvin said that a year ago, the NCCIC really had no playbooks for how it would respond to a given cyber incident. That is changing, he said, and to draw up effective plans, the agency realized it needed visibility into the cyber capabilities of other entities, including state, local and tribal governments and private organizations, not just the federal government.

He said he thinks the plans DHS has drawn up so far are good, even if the work is often slowed down by cyber incidents that divert the NCCIC staff's attention to real-time developments. Those incidents also inform future planning efforts, which he said need to account for the fact that much of the real-time information about a current or pending attack isn't held by the government, but by private companies.

"When somebody's trying to do something that we don't want them to do and I want to prevent it, I've got to look at exactly how I do that," he said. "For me, it's like a neighborhood watch. It's about who has the ability to tell me when somebody's doing something bad, and I will tell you that in my experience, in cyberspace, the private sector knows those answers more often and with better fidelity and actionability than anyone else. And then when they've done something bad, again, it's the private sector that really knows what's happened, because they're the ones who something bad is happening to. For government, it is hard to take what has been a very successful intelligence organization looking at national security issues and copy and paste that onto cybersecurity. It's going to have an important role, but it's not necessarily going to be a preeminent role. Some of the best information I've ever seen has come from private sector partners that are really focused on these problems, and really have the assets and availability to tell us what's going on, and then develop solutions and get them proliferated."

But for the moment, the barriers to that proliferation are numerous, Zelvin said. Unlike a disaster in the physical world, where all the responders to an incident tend to share a common purpose, he said that's not necessarily true when it comes to cooperation against a cyber threat.

"When you have a natural disaster or a terrorist event, it's a rush to the incident or to the crime scene," he said. "In cyber, it's neither. This is a competitive business, and in some cases the information we're talking about is how people are making their living. There seems to be a misperception out there that everybody's going to share. No, they're not. They're just not, because in some cases this is their business, in other cases this is about their reputation, and in some cases they're worried about government regulation. These are valid fears, and we have to understand that."