Brian Harrell was appointed by the President of the United States in December 2018 to serve as the Department of Homeland Security’s Assistant Secretary for Infrastructure Protection. He now serves as the first Assistant Director for Infrastructure Security within the newly renamed U.S. Cybersecurity and Infrastructure Security Agency (CISA). He was recently recognized as Security Magazine’s “Most Influential People in Security”. Harrell is the former Managing Director of Enterprise Security at Duke Energy Corporation. He is also the former Director of the Electricity ISAC and Director of Critical Infrastructure Protection Programs at the North American Electric Reliability Corporation (NERC), where he was charged with helping protect North America’s electric grid from physical and cyberattacks. Brian has spent time during his career in the U.S. Marine Corps and various private-sector agencies with the goal of protecting the United States from security threats.
In an exclusive e-mail interview with Augustin Kurian of CISO MAG, Brian Harrell, Assistant Director for Infrastructure Security, CISA, DHS speaks about the role of CISA and its recent accomplishments in protecting organizations across industries from cyberattacks. He also explains how the Cybersecurity and Vulnerability Identification and Notification Act enables CISA to get past the hurdle of obtaining crucial information about vulnerable systems from ISPs, for its cybersecurity investigations.
How is CISA as a federal agency addressing the fact that several types of cyberattacks can have physical consequences?
Today, our physical infrastructure relies on web-enabled technology to operate efficiently, making it significantly more interdependent than ever before. When one company or network experiences a disruption, impacts can quickly ripple across the rest of the sector and many other sectors as well. The Cybersecurity and Infrastructure Security Agency (CISA), as the nation’s risk advisor, is taking a holistic approach to securing these systems. Last year, we worked with the private sector to develop a set of National Critical Functions, which provides a risk management approach to understanding those functions whose interruption may have a cascading effect across sectors. In addition, we continue working closely with public and private stakeholders to share information, provide cybersecurity tools, incident response services and assessment capabilities that safeguard networks essential to operations. At the same time, CISA coordinates security and resilience efforts and provides consolidated all-hazards risk analysis for U.S. critical infrastructure. CISA also conducts cyber and physical exercises with government and private sector partners to enhance the security and resilience of critical infrastructure. All these efforts can help inform risk mitigation activities and the development of new resources within the critical infrastructure community.
When it comes to threats, how should organizations go about securing their supply chain — that includes partners, contractors, and vendors?
Supply chain risk management is very important, especially with the globalization of vendors and suppliers, as well as the upcoming rollout of new technologies, including information and communications technology (ICT) like 5G. Additionally, as the cyber and physical worlds converge, threat actors are using a variety of tactics to exploit any weakness. CISA, government partners, and the private sector are all engaging in a more strategic and unified approach towards improving our nation’s overall defensive posture against malicious activity in the connected systems which underpin our critical infrastructure. In 2018, CISA established the Information and Communication Technology Supply Chain Risk Management Task Force as a collaborative endeavor between representatives of industry and government. The Task Force helps investigate and recommends methods to manage ICT supply chain risks. In September 2019, the Task Force released an Interim Report intended to provide insight and transparency on the work of the Task Force. The document serves as a reference to help industry and government stakeholders more effectively identify and manage risks to global ICT supply chains.
We believe the security of ICT networks and services is a critical element of national security, as they play a crucial role in the safety, security, and prosperity of all nations and are an attractive target for foreign adversaries and malicious cyber actors—5G is a prime example. Because of these concerns, CISA has urged governments at all levels, as well as the private sector, to adopt a risk-based security framework for the construction of all elements of 5G networks, and to conduct a careful evaluation of potential hardware and software equipment vendors and the supply chain.
Tell us the crucial role a CISO must play while handling insider threats as well as threats that may occur from a third-party vendor, since the role of a CISO has changed drastically over the last few years.
With new and evolving threats, the role of CISOs is becoming more important every day, especially as it relates to the significant challenge of managing insider threats. Employees tend to have a strong understanding of organizational operations, and they have the potential to cause catastrophic damage, whether intentionally or unintentionally. A CISO must understand the risks posed by insiders, consider potential implications of a successful attack or unintended action, and prepare mitigating measures. A critical step toward preventing a threat or mitigating the damage from one entails positioning the CISO in a leadership role within the establishment, as well as having an insider threat mitigation program, including a threat management team, in place.
How can an organization’s management and its HR team set up a more proactive or reactive measure toward addressing insider threats? What are the best practices that should be established?
While each organization’s structure and requirements are specific to that organization, any management or HR team should be actively engaged in recognizing and identifying early insider threat warning signs and practicing (in advance) how to address a potential insider threat situation. Whether individuals attempt to join an organization with the intention to inflict harm, become a disgruntled employee who feels he/she has been wronged, or unintentionally introduces a threat through carelessness, the consequences of insider actions can be detrimental. In addition to considering cyber impacts, recent incidents demonstrate that organizations should increasingly be aware of the potential for workplace violence. CISA provides comprehensive information to support organizations in establishing a program through our insider threat mitigation website.
What are your thoughts on the need for Red Teaming for organizations? As Red Teaming is one method where both physical security and cybersecurity of organizations are thoroughly checked time and again. Do you think Red Teaming must be staple of organizations?
Red teaming is a great way to test vulnerabilities and risks within an organization. CISA helps both public and private sector stakeholders identify and test these vulnerabilities through our exercise resources. Exercises provide stakeholders with effective and practical mechanisms to examine plans and procedures, identify areas for improvement, and share best practices. They also inform future planning, technical assistance, training, and education efforts. CISA offers both discussion-based and operations-based exercises. Among other things, these exercises are employed to validate or enhance understanding of plans and procedures, rehearse concepts, assess incident response and recovery needs, identify strengths and areas of improvement, simulate reality by presenting complex and realistic problems that require critical thinking, rapid problem solving, and effective responses by trained personnel; thereby testing and validating many facets of planning and preparedness. Overall, red teaming is a very useful tool for an organization to test, mitigate, and manage overall risk to business operations.
Tell us a bit about the CISA’s subpoena Bill which will give the agency better authority to probe cyber risks on critical infrastructure? Tell us about the benefits of having the Bill passed?
CISA analysts work around the clock to identify and address critical infrastructure cybersecurity vulnerabilities and, ultimately, share this timely risk management information with CISA’s partners. Unfortunately, too often we come across cybersecurity vulnerabilities in industrial control systems and other critical networks sitting on the public internet and are unable to act because we cannot identify the owner of the vulnerable system. For these vulnerable systems, CISA is unable to identify the system’s owner or operator because of the internet protocol (IP) address, or the unique address that identifies the device or system, generally resolves to an internet services provider (ISP), which masks the owner or operator’s contact information. We need a legal mechanism, whereby if we identify the IP address of a potentially vulnerable system, the ISP can give us the contact information for the vulnerable entity so we can notify them of the vulnerability and provide valuable mitigation information.
The Cybersecurity and Vulnerability Identification and Notification Act establishes the legal mechanism necessary that allows CISA to request subscriber information to alert system owners and operators of vulnerabilities, which, if left unmitigated leave the system open to attack. The authority applies to a very narrow set of circumstances where CISA has specific information about a known vulnerability and is unable to determine the entity’s identity. The authority honors long-held privacy fair information practice principles, ensuring that CISA only obtains information for a cybersecurity purpose, that the information is used only for the purpose for which it was collected, and that CISA asks only for the minimal information necessary to contact the owner or operator and alert them to the vulnerability.
CISA has a long history of working with private and public-sector companies to collect sensitive data through voluntary programs and a demonstrated history of protecting information. This authority does not change the voluntary relationship between CISA and its critical infrastructure partners. It allows CISA to contact a vulnerable entity, notify them of the existing risk, and offer mitigation advice or assistance. CISA cannot compel companies to act or to work with CISA on the basis of this authority.
After years of trying several different methods to contact these affected entities and share what we’ve found, the status quo is simply not working. This new proposed legal authority is a smart, reasonable, and targeted tool that will allow the men and women of CISA to live up to the mission Congress set out for us—to improve American critical infrastructure cybersecurity.