Information Sharing, Incident Response, and Mitigating Threats to the Supply Chain: Wiley Rein Hosts DHS Panel on Cybersecurity
June 6, 2018
On June 6, 2018, Wiley Rein LLP hosted clients and other interested parties to learn more about the Department of Homeland Security’s (DHS or Department) cybersecurity initiatives and priorities. This is part of the firm’s ongoing Outlook on Cyber series, which brings government and the private sector together to talk cyber.
Senior lawyers from DHS’s National Protection and Programs Directorate, and the head of International Strategic Affairs in the Office of Cybersecurity and Communications, touched on agency cybersecurity authorities, information sharing structures, engagement with the private sector on incident response and system analysis, supply chain considerations including the Internet of Things (IoT), and collaboration with international partners. Wiley Rein lawyers Megan Brown and Matt Gardner moderated the discussion.
The Department is a key federal entity when it comes to cybersecurity and engaging the private sector. DHS, with the Commerce Department, recently published several major reports in response to Executive Order (E.O.) 13800, “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.” The highly anticipated Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats (Botnet Report), released in May, aims to combat botnets by focusing on six principal themes and five goals. Each goal includes several action items, with a heavy emphasis on private sector activity and accountability. The Botnet Report includes a section on next steps for stakeholder action, which calls for the development of a road map with government, industry, civil society, and international partner coordination, and a “status update that will evaluate the level of progress made by stakeholders in countering automated, distributed threats.” We discussed the actions called for in the Botnet Report in more detail here.
The E.O. also tasked the agencies with supporting greater transparency in the marketplace related to cybersecurity, specifically among publicly traded critical infrastructure entities. The summary of the report on Supporting Transparency in the Marketplace (1) identifies existing federal policies and practices; and (2) identifies and reviews third-party evaluations of transparency practices and systems from independent sources. DHS notes that due to the short timeframe for the report, there was “limited private industry engagement.” The report also makes suggestions for further research and policy considerations.
DHS also produced, along with the Departments of Defense, Justice, and others, a report impacting critical infrastructure operators (see the Support to Critical Infrastructure at Greatest Risk (“Section 9 Report”) Summary) and, with the Department of Energy, a report impacting operators within the Energy Sector (see Section 2(e): Assessment of Electricity Disruption Incident Response Capabilities).
Beyond these latest initiatives, DHS Secretary Nielsen announced “a voluntary initiative to identify and mitigate systemic risk in supply chains,” in which DHS will work with “users, buyers, tech manufacturers, and others to hunt down unseen security gaps—and to share actionable information that will help close them. This includes identifying companies in the supply chain whose risks might go unnoticed.” One recent, and very public, example of DHS managing a threat identified in the supply chain was the issuance of a Binding Operational Directive (BOD 17-01) requiring federal agencies to identify, remove, and discontinue use of Kaspersky Lab products and solutions on federal information systems. In related litigation brought by Kaspersky Lab challenging the directive, on May 30 a federal judge ruled in favor of the United States.
As we have noted several times, these initiatives have significant implications for many stakeholders. The recent reports and recommended follow-on actions amplify calls for greater public-private partnerships, cooperation on vulnerability disclosure and information sharing, and the implementation of thorough and thoughtful supply chain management programs.