By Paul Ciampoli
APPA News Director
Posted October 9, 2018

The White House and the Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response recently released their National Cyber Strategy.

Karen Evans, the DOE’s Assistant Secretary for the Office of Cybersecurity, Energy Security, and Emergency Response, briefed stakeholders, including the American Public Power Association, on the new strategy, which was unveiled Sept. 21.

In a letter accompanying the strategy, President Trump said that the strategy will:

“Defend the homeland by protecting networks, systems, functions, and data;
“Promote American prosperity by nurturing a secure, thriving digital economy and fostering strong domestic innovation;
“Preserve peace and security by strengthening the ability of the United States — in concert with allies and partners — to deter and, if necessary, punish those who use cyber tools for malicious purposes; and
“Expand American influence abroad to extend the key tenets of an open, interoperable, reliable, and secure Internet.”

The strategy offers a broad overview of how each of these four “pillars” will be achieved.

Of particular relevance to public power, the first pillar (Defend the homeland by protecting networks, systems, functions, and data) includes a plan to secure critical infrastructure, which will focus on several priority actions relevant to our sector.

Part of the plan to secure critical infrastructure calls for refining roles and responsibilities. “The Administration will clarify the roles and responsibilities of Federal agencies and the expectations of the private sector related to cybersecurity risk management and incident response,” the strategy said.

In addition, the plan to secure critical infrastructure says there is a need to prioritize actions according to identified national risks. The strategy said that the U.S. government will work with the private sector to manage risks to critical infrastructure at the greatest risk. “The Administration will develop a comprehensive understanding of national risk by identifying national critical functions and will mature our cybersecurity offerings and engagements to better manage those national risks.”

In addition, the Administration will prioritize risk-reduction activities across seven key areas: national security, energy and power, banking and finance, health and safety, communications, information technology, and transportation.

This section of the first pillar also sees a need to leverage information and communications technology providers as cybersecurity enablers: “Information and communications technology (ICT) providers are in a unique position to detect, prevent, and mitigate risk before it impacts their customers, and the Federal Government must work with these providers to improve ICT security and resilience in a targeted and efficient manner while protecting privacy and civil liberties.”

The strategy also calls for incentivizing cybersecurity investments. The strategy said the government will work with private and public sector entities to promote understanding of cybersecurity risk so they make more informed risk-management decisions, invest in appropriate security measures, and realize benefits from those investments.

When it comes to securing critical infrastructure, there is also a need to prioritize national research and development investments, according to the strategy.

“The Federal Government will update the National Critical Infrastructure Security and Resilience Research and Development Plan to set priorities for addressing cybersecurity risks to critical infrastructure,” the document said. “Departments and agencies will align their investments to the priorities, which will focus on building new cybersecurity approaches that use emerging technologies, improving information-sharing and risk management related to cross-sector interdependencies, and building resilience to large-scale or long-duration disruptions.”