Department of Homeland Security Secretary Kirstjen Nielsen is stumping for a new cybersecurity logistics program as a means of engaging with many of the country’s biggest providers of critical infrastructure including electrical, oil, and water treatment industries.
“Our nation’s supply chain is being targeted by our most sophisticated adversaries with increasing regularity,” Nielsen said recently in a meeting with private-sector firms. “We ask for you to work with us on this initiative … the goal of this initiative is to help stakeholders make better-informed procurement decisions by providing them with supply chain risk assessment and mitigation recommendations.”
One American media outlet reported:
The program is focused on DHS authoring and providing digital risk assessments to companies and government agencies about products that they may acquire or install on their systems. The move comes after the federal government banned the use of Moscow-based Kaspersky Labs’ anti-virus software across government systems. In addition, legislation has been introduced that would similarly ban products made by Chinese tech firms Huawei and ZTE in federal agencies.
“As our cyber dependence increases and the connectivity of our networks and assets and data continue to grow, your risk — each of you individually in this room, each of your entities’ risk — becomes my risk,” Nielsen said. “Government and industry must work together today more than ever if we are serious about improving our collective defense. This is a context and environment in which if we prepare individually then we will all fail collectively.”
Jeanette Manfra, assistant secretary for the Office of Cybersecurity and Communications at DHS, who spoke about the program at the Brookings Institute last week, noted, “We can’t just all throw up our hands and say, ‘It’s too complicated, I’ll never know where the code is coming from.’ At some point we will know; we can figure it out — collectively. We’re working on building those mechanisms and DHS’s role in pulling that all together, and also working with industry experts to refine what are the supply chain risks that we should be concerned about.” [source]
Analysis: Should the U.S. be hit with major cyber attacks that take out large segments of the power grid, every other industry would be affected — oil/gas; financial; water treatment; nuclear plants; air traffic; communications; city services; etc. The result would be pandemonium.
But what Nielsen is attempting to do is construct a supply chain that would be activated in order to restore power (and, thus, critical services) as quickly as possible. DHS has obviously determined that the existing supply chain is either inadequate or non-existent.
And attacks need not be overwhelming, per se. A Council on Foreign Relations report, citing data from a Lloyd's of London analysis, said that as few as 10 percent “of targeted generators needed to be taken offline to cause widespread harm.”
“In the event that an attack on the grid succeeds in causing blackout to some extent, the Trump administration should ensure that both the government and the industry are prepared to respond,” the report recommends, among other things. This effort by Nielsen appears to be in line with that recommendation. [source]