NEWPORT, RI – Over 100 senior leaders representing Rhode Island’s private industry, public agencies, law enforcement, and universities gathered at the Pell Center on March 10, 2014 to participate in a two-hour panel discussion on “Improving Critical Infrastructure Cybersecurity: The National Cybersecurity Framework and Beyond.” It was the first event of its kind hosted in New England since the release of the National Cybersecurity Framework on February 12, 2014, and the panel explored how organizations charged with providing the nation’s financial, energy, healthcare and other critical systems could use the Framework to better protect their information and physical assets from cyber attacks.
The blueprint for the Framework grew out of President Obama’s Executive Order on “Improving Critical Infrastructure Cybersecurity,” in which he directed the National Institute of Standards and Technology (NIST) to work with various stakeholders to develop a comprehensive approach towards mitigating cyber risks to critical infrastructure. The document outlines a set of voluntary standards, guidelines, and best practices for cybersecurity and marks an important step forward in the national effort to combat cybercrime and protect our critical infrastructure.
The Pell Center brought together three distinguished panelists to discuss the specifics of this Framework and other national and state initiatives to support its implementation. The panel included Adam Sedgwick, NIST senior information technology policy advisor; Michal Leking, the Department of Homeland Security’s cybersecurity advisor for the Northeast region; and Jamia McDonald, executive director of the state’s Emergency Management Agency. Candice Barry, an intelligence cybersecurity officer for RBS Citizens, a subsidiary of the Royal Bank of Scotland, moderated the discussion.
In addition to the panel discussion, Sen. Sheldon Whitehouse (D-RI) and Rep. James Langevin (D-RI) – two of Congress’s strongest leaders on cybersecurity issues – delivered keynote speeches and stressed how critical systems – the majority of which are owned and operated by the private sector – are indeed increasingly vulnerable to cyber attacks that could cause large-scale disruption or economic loss. Both Senator Whitehouse and Congressman Langevin praised the work of NIST in developing the Framework, especially in light of Congressional inability to pass comprehensive cybersecurity legislation. They also acknowledged the commitment of RI leaders to strengthen the state’s cybersecurity posture and of institutions, like the Pell Center, that provide an excellent forum for regional efforts in this field. “Good intentions only go so far, however,” said Congressman Langevin, who has been a strong proponent of cybersecurity regulation ever since he chaired the Homeland Security Subcommittee that investigated the vulnerability of critical infrastructure to cyber attack in 2007. “We are going to need requirements at some point. We have an imperative to succeed and need to continue to push for legislation in Congress,” he continued.
“There are two types of companies in the U.S.,” Senator Whitehouse said, “those that have been hacked, and those that don’t yet know that they have been hacked. The American people need to better understand cyber threats,” he continued, “so that Congress can do its job to do everything in our power to stop those threats.” Senator Whitehouse is championing new legislation (the Cyber Security Public Awareness Act of 2013) in the Senate, which he coauthored in a bipartisan effort with Sen. Blunt (R-MO), Sen. Graham (D-SC), and Sen. Blumenthal (D-CT). The bipartisan bill would improve public awareness of cybersecurity threats by instituting new reporting requirements for federal agencies charged with monitoring and responding to cyber threats.
The other panelists offered a wealth of information to the audience, laying the groundwork for a productive discussion on national and economic security and underscoring the importance of cybersecurity to Rhode Island and the nation at large. Mr. Sedgwick provided an overview of the Cybersecurity Framework, described its development throughout an unprecedented year of stakeholder engagement—during which NIST collected, evaluated, and incorporated feedback from more than 3,000 security professionals and corporations—and explained how to use it. “Organizations—regardless of their size, degree of cyber risk or cybersecurity sophistication—should use the Framework and provide feedback to NIST,” he told participants. The companion Roadmap to the Framework looks at the way forward for this living document and identifies key areas for cybersecurity development, alignment, and collaboration.
Mr. Leking outlined the broad mission of the Department of Homeland Security and in particular of the Office of Cybersecurity and Communication, whose task is “to enhance the security, resilience, and reliability of the Nation’s cyber and communications infrastructure.” He provided a wealth of information about DHS’ capabilities, programs, and resources as they relate to cybersecurity and infrastructure protection. In particular, he discussed DHS’ expanding role in helping the private sector implement the Cybersecurity Framework. This program, called the Critical Infrastructure Cyber Community or C3 (pronounced C-cubed), is designed to connect critical infrastructure operators around the goals of readiness, risk management, and response to cyber attack. The program is also open to state and local governments, which have networks with potentially vulnerable information and may operate infrastructure such as water supplies.
Mrs. McDonald described the role of the State Governor in emergency management and homeland security, including enhancing the security and resiliency of the state’s critical infrastructure and maintaining a cyber environment that protects businesses and communities. She praised the efforts of the Governor’s Cybersecurity Policy Group—formed by eight different state agencies—which issued the first RI Cybersecurity Strategic Plan in October 2012. Mrs. McDonald also acknowledged the need to update existing RI laws related to cyber, which “are responsive-driven, but not much else,” she said. Finally, she described the State of Rhode Island as both a consumer and a supporter of the Cybersecurity Framework and stressed her commitment to continue working to expand the existing State Critical Infrastructure Program to incorporate Cyber Resiliency Review and the Framework as tools for their assessment process. Her hope is that Rhode Island state agencies and regulators can also use the Framework to help local businesses improve their cybersecurity posture.
This event was part of the Rhode Island Corporate Cybersecurity Initiative at the Pell Center. For more information on the initiative and future events, contact the Pell Center at [email protected] or 401-341-2927.