Bridging the Gap Between the IC and Private Assets of National Importance
The Analysis and Resilience Center has the unique role of helping to protect industry-owned infrastructure.
Stood up last October—the Analysis and Resilience Center for Systemic Risk (ARC), a nonprofit, Arlington-Virginia-based organization—helps to protect the nation’s infrastructure by assessing the endemic cybersecurity risks to the critical energy, financial and other private sectors. A 2013 executive order identified some assets—on which the U.S. government relies but reside in the private sector—that if compromised by cyber attack could have a catastrophic impact on national security. A risk committee examines the critical systems, assets and functions of these so-called Section 9 member companies, and based on a prioritized identification, the center creates a risk register on which to conduct analysis and recommend resilience measures.
The center is working with the U.S. government, the intelligence community, and the energy and financial services information sharing and analysis centers (ISACs) to monitor and provide warnings against threats, explained Chris Button, ARC’s director of intelligence. Button spoke May 25 at AFCEA’s Spring Intelligence Symposium on a panel entitled Advancing National Security Through Intelligence Community-Private Sector Collaboration.
“It's a fairly small group, all things considered, of the private sector,” he noted. “For all of the Section 9 firms that exist, the financial sector and the energy sector make up the bulk of the Section 9 firms, and they all fund my organization to reduce the systemic threats to those critical assets.”
The center conducts in-depth analysis to reduce systemic threats to those specific assets, Button continued. “We do deep work to unpack what that Section 9 designation means,” he said. “This goes back to the critical functions way of approaching critical infrastructure, which means it's not really the firm or the government agency that is the asset, it is something that they do.”
ARC’s analysis is performed at a systems, technology, software and hardware level. The center then works with the intelligence community and government to promote a greater comprehension of those particular national security-related resources,” Button said.
“The difference maker, in the art of our role, is a sort of facilitating role to get those assets into the intelligence cycle,” he clarified. “And we work with the IC [intelligence community] so that they can understand the assets that we're talking about in a way that enables them to then work with us to understand and warn against those threats.”
Chris Button, director of Intelligence, Analysis & Resilience Center (ARC): the early warning function that the ARC provides is not possible without good threat collection so we work closely with the Intel Community#AFCEAIntel @AFCEA_Intel pic.twitter.com/l4u9YOUlaD
— Kimberly Underwood (@Kunderwood_SGNL) May 25, 2021
And because the assets in question are private sector investments, ARC must take steps to protect its property. “We still deal a lot with information that sensitive, the proprietary systems that our members used, or how they're wired, or the vendors that they use, these are all things that are sensitive,” Button noted. “We find ways, whether it is through anonymizing, whether it is through handling or point-to-point relationships on the most sensitive matters, we find a way to deal with those, with encryption. You have to be sensitive about where everyone is at with their own data, and meet them where they are, and just stay focused on trying to protect against systemic threats and get just enough information for us to do that.”
The partnerships that ARC is building within the government and the intelligence community have been crucial to its Section 9 member companies, especially during the recent cyber attacks, Button stated. As such, the center will continue to further its relationships.
“To address systemic cyber threats to the critical assets in the finance sector and in the energy sector, requires working with the government to [have them] understand up front which systems and which technologies are embedded in the delivery of those critical functions,” he emphasized. “And when something is happening, it really goes a long way towards putting it into context and figuring out the relevance of particular threat.”