Cybersecurity National Risk Management Center launched by DHS

With few details on how the DHS’s new National Risk Management Center will operate, success will likely depend on how much cooperation it receives from the private sector.

U.S. Department of Homeland Security building in Washington, D.C. (Photo by Diego M. Radzinschi/ALM)

The U.S Department of Homeland Security has refocused its efforts to promote private-sector cybersecurity with the launch of a new National Risk Management Center. Announced at the DHS’s National Cybersecurity Summit in New York City, the new center will look to collaborate with the private sector on identifying and reducing cyber threats and developing risk management strategies.

Speaking at the summit in late July, U.S. Secretary of Homeland Security Kirstjen Nielsen said the center “would recast what is now NPPD, or the National Protection and Programs Directorate — our cybersecurity arm — into an ambitious operational agency capable of better confronting digital threats.”

She added that the goal of the center is to become a first resource for companies after they experience a cyber incident. “I occasionally still hear of companies and locals that call 9-1-1 when they believe they’ve been under a cyberattack,” she said. “The best thing to do would be to call this center.”

Uncertain how private-sector participation will shape up

Whether the center will succeed in this goal, however, will likely depend on how much cooperation it receives from the private sector. But with few details of how the new center will operate, it’s far from certain how private-sector participation will shape up.

Related: IBM study calculates full cost of ‘mega breaches,’ topping $350M

“I think we’re at the early stages, and I expect there will be some optimism, but it will be a cautious and critical approach” from the private sector, said Marcus Christian, a partner at Mayer Brown and a former executive assistant U.S. attorney at the U.S. Attorney’s Office for the Southern District of Florida.

Meaningful solutions to preventing & dealing with cyberattacks?

He added that in addition to waiting to see whether the center offers meaningful solutions to preventing and dealing with cyberattacks, private companies will also be looking at the potential negative consequences of working with DHS as well.

For example, in contacting the center after a cyberattack, companies will likely want to know if “someone is going to swoop in and take over — if they lose control — and how well their interest will be protected,” Christian said. “One of the main concerns for companies is how will they be subjected to, or shielded from, potential liability.”

Potential legal risk?

Bill Conner, founder and CEO of cybersecurity technology provider SonicWall, agreed, noting that potential legal risk is the main reason companies may be hesitant to join the new DHS initiative. “One of the issues is once you get involved from a private industry side, your lawyers get uncomfortable real quick with how much you say publicly.”

But he added that there are also other various reasons some may be not receptive to the new center as well. “There will always be some skeptical of government or skeptical of exposing their own competitive situation and intellectual property, or companies where lawyers are saying, ‘Don’t be associated with that because that would create a political risk.’”

Related: Cybersecurity insurance: popular but poorly understood

To be sure, this is not the first time DHS has spearheaded a public-private sector cybersecurity collaboration. Such partnerships have been a focus for the department since its founding.

Conner, for example, helped lead a task force for DHS shortly after the department was created in 2002 under former DHS Secretary Michael Chertoff. “It was the first public-private partnership task force with industry and the government around cyber, and our actual output result was around compliance,” he said.

‘More needs to be done’

Because of the agency’s history of collaboration, and the fact that in many cases DHS has shown to be easier to do business with than others, Conner expects there to be some private companies that readily embrace this new DHS effort.

Indeed, the launch of its center represents a move by the DHS to up the ante with how closely it works with the private sector and how much of an effect it has in promoting cybersecurity. “I think at a very high level, this represents the realization that is often expressed, that is, more needs to be done,” Christian said. “There has always been a sense of trying to catch up.”

Related: How to respond and recover quickly from a cyber event

Rhys Dipshan (rdipshan@alm.com) is a New York-based legal tech reporter covering everything from in-house technology disruption to privacy trends, blockchain, AI, cybersecurity, and ghosts-in-the-machine.