DHS ramps up supply chain security efforts

The Department of Homeland Security has embarked on a new effort to identify short-term solutions to close security gaps in the nation's telecommunications infrastructure, the agency's top cybersecurity official announced Aug. 15.

Chris Krebs, undersecretary of the National Protection and Programs Directorate at DHS, told an advisory group meeting that the push is designed to shore up the domestic infrastructure base.

Krebs made the announcement at a meeting of the National Security Telecommunications Advisory Committee, which is leading a "moonshot" effort launched last May to take a whole-of-nation approach to sprawling cybersecurity challenges.

Krebs said the DHS study will connect with the NSTAC moonshot effort and define where NSTAC could provide capabilities and solutions to protect telecommunications infrastructure. It will also look at how federal policy might incentivize those solutions.

While officials have identified potential risks to nation's telecommunications infrastructure from foreign-owned manufacturers, U.S. companies so far have resisted sweeping policy changes.

For example, telecommunications vendors and device manufacturers have pushed back on a proposal to restrict spending from the Federal Communications Commission's Universal Service Fund to companies identified as national security threats.

NSTAC industry members welcomed the DHS study, but cautioned against quick fixes.

"AT&T supports this because of the urgency and need for specific remedies and not only broad brush strokes" said John Donovan, CEO of AT&T Communications, the company's subsidiary that provides most of its worldwide telecommunications services. Donovan, an NSTAC member, noted that there are "tremendous nuances" in the telecommunications supply chain that could suffer from unintended consequences. He said efforts "need to be deliberate" and practical, driven by industry, aimed at specific problems and not overtaken by "government think tanks."

Krebs also fleshed out some of his department's vision for another cybersecurity project announced at the July 31 DHS cyber summit, the National Risk Management Center.

At the summit, DHS Secretary Kirstjen Nielsen said the center would be a central hub of help and collaboration with industry for cyber defenses and will identify potential points of failure among the 16 critical infrastructure sectors that DHS oversees. Its cyber experts will work with industry counterparts to contextualize threats and their potential impact, she said.

"The Risk Management Center is a manifestation of the work NSTAC has done for years," said Krebs, noting that the committee has long collaborated with the federal government to identify security and vulnerability gaps in the telecommunications infrastructure. The center, created based on industry suggestions, will provide a venue for a range of policy and technical coordination at the strategic level.

DHS' National Cybersecurity and Communications Integration Center, or NCCIC, he said, would remain the day-to-day information sharing and response hub. "The center will focus on strategic risk issues in the longer term," he said.

The Risk Management Center, he added, is also a logical "home" to address some of the cybersecurity moonshot's recommendations.