The Department of Homeland Security (DHS) has several initiatives underway to help U.S. critical infrastructure providers reduce risks – with partnerships between the public and private sectors positioned as the key to ensuring success of those initiatives, an agency official said last week.
“Whether we’re doing security directives or whether we’re doing the performance goals, we do them hand in hand with industry. And going forward, we’re committed to continuing that coordination with the private sector, especially critical infrastructure providers,” said Iranga Kahangama, assistant secretary for Cyber, Infrastructure, Risk, and Resilience at DHS, during a webinar hosted by Billington Cybersecurity on Dec. 13.
Kahangama explained that cybersecurity is no longer an “IT only” profession. Rather, he said, everyone has a role to play in ensuring the nation is cyber resilient. Getting to that goal, he continued, “requires open communication between the Federal, state, and local government and critical infrastructure providers.”
“From that partnership perspective there’s no better example than with the recent publication of the cyber performance goals, which was done and crafted with the help of industry,” Kahangama said.
DHS’s Cybersecurity and Infrastructure Security Agency (CISA) component in October unveiled its long-anticipated cybersecurity performance goals (CPG) to help critical infrastructure owners and operators prioritize and set a foundation for key security measures.
The CPGs – applicable across the 16 critical infrastructure sectors already designated by DHS – feature a list of information technology and operational technology cybersecurity practices that critical infrastructure owners and operators can implement to reduce the likelihood and impact of known risks and adversary techniques.
Kahangama also explained that the Federal government is guilty of overproducing regulatory requirements, which makes it harder to understand what agencies should be doing in terms of cyber and, he said, can complicate the public-private partnership dynamic.
The Cyber Incident Reporting Council brought together several Federal agencies – which all have varying incident reporting requirements – to harmonize and streamline “the way we do business. Therefore, regulatory agencies, independent agencies, departments, and agencies don’t have conflicting requirements,” Kahangama said.
Moreover, Kahangama explained that streamlining those requirements is also the first step to partnering with international allies on cyber goals.
“Partnerships in cybersecurity transcend borders and connecting with international allies in cybersecurity is just as critically important. But we need to make sure that we have handled our needs before moving on to international partnerships,” Kahangama said.