December 26, 2016 1 COMMENTS
5 to Watch in 2017

In cybersecurity role, House eyes gov’t, biz needs

HBJ PHOTO | Matt Pilon
HBJ PHOTO | Matt Pilon
Arthur House, Connecticut’s first chief cybersecurity risk officer, at DAS’ Farmington Avenue facility in Hartford.

An uncommonly diverse professional background in higher education, national intelligence, international finance, health insurance and state government has given Arthur House a healthy appetite for new challenges.

Now House, 74, faces his next big test as the state's first-ever chief cybersecurity risk officer.

Gov. Dannel P. Malloy appointed House for the position in October, based not on any superior technical skills, but because he has experience convening industry groups to collaborate on strengthening cyber defenses. At the Public Utilities Regulatory Authority (PURA), where House was a commissioner since 2012, he oversaw the creation of a cybersecurity plan for utility companies. The plan calls for confidential meetings in which utilities — which are already quite aware of cyber risks — share information with a limited number of state officials.

In some ways, House's new job is an expansion of the utility cybersecurity work he did at PURA, a role he openly admits to missing, though he is also enjoying having a sole focus, as opposed to handling countless cases involving electric, gas, water and telecom providers. He wanted to be reappointed to PURA, but Malloy approached him over the summer and asked him to take on a new role.

"In August we talked about reappointment, but he said 'I really want you to do this,' " House recounted during a recent interview in his new office at 55 Farmington Ave. in Hartford, where the Department of Administrative Services' technology division is housed.

Among House's assigned tasks in the coming year: Developing a statewide cybersecurity plan across multiple state agencies; identifying ways to respond to potential cyber attacks and related disruptions; and making inroads with the private sector to better understand how the state can help companies, hospitals and others improve their own cybersecurity. He is also expected to participate in PURA's cybersecurity meetings.

House admits that he's daunted by the scope of his new job, but is optimistic about the work, and believes Malloy was wise to create the position.

"I think the creation of the position itself was a recognition that we need to learn more about cybersecurity and how it affects us," House said. "The first step before we get to businesses is to make sure we have our own act together in the state of Connecticut."

But discussions with the defense, banking, insurance, utilities and healthcare sectors are already beginning. Some of those industries have advanced security, but House said he thinks the state can still help. His national-security clearance, which he received when working for the Director of National Intelligence in 2009, could prove to be an advantage in creating better collaboration with industry.

"It makes me much more savvy about what's going on," he said.

He won't be able to share direct classified information with industry, but he said it will help him identify developing problems as soon as possible and reach out to potentially impacted companies.

While House will seek to beef up cybersecurity for various companies, he said he is no "czar." Any cooperation from private industry would be voluntary. He doesn't have the power to regulate companies, like he did at PURA. And he doesn't want to worry businesses.

"We need to cooperate and we want to do what we can to help them be more secure," House said. "We're not going down some new regulatory path here."

In November, House visited Ukraine — the site of the first known cyber attack on utility infrastructure — to learn and share experiences with officials from a small consortium of countries.

No such attack has happened on U.S. soil, but House said hackers regularly probe system defenses used by both state agencies and companies.

Connecticut needs to better prepare for the possibility of an attack, which could have consequences far more devastating than Superstorm Sandy or the 2011 snowstorm that knocked out power in some places for several weeks, he said.

While cybersecurity is a highly technical subject, House readily admits he is no technocrat, though his security clearance has allowed him to witness cybersecurity operations to which the public is not privy.

"I'm a strategy and policy guy," he said.

House, who is married with three daughters attending college, reports to the state's chief information officer, Mark Raymond.

Raymond said House brings "an ability to coalesce" industry leaders and an understanding of the broader challenge of cybersecurity.

While the state hasn't played much of a role helping industry with cybersecurity, Raymond sees it as fitting into a broader collaboration with private entities related to public health and emergency management.

"I'm thrilled we have him in that role," Raymond said. "I think we're doing something very different."

In his free time, House enjoys reading, writing, gardening and sailing on his 12-foot boat.

"I burn a lot of wood in the winter," he said. "I'm an old Yankee and I feel insecure if my woodpile is low."n

Comments

Type your comment here:

Gordo

12/29/16 AT 08:37 AM
I am usually the greatest critic of those in state government as concerns security, and security of the the electric grid in particular. But in this instance, my hat is off to Art House for having brought the threat(s) of cybersecurity into focus for PURA and DEEP although the latter agency has been lax in recognizing the need for security as a metric in selecting energy sources for the state in their Comprehensive Energy Strategy. There is no one at either agency that has a grasp on this growing challenge. Increasing the use of natural gas to levels higher than 70% in summer and plans to import Canadian hydro from about 900 miles away are testament to lack of understanding security at even a basic level.

In an article on the same issue of HBJ as this one, it is recounted that a utility said::

"The company also added more than 60 "smart switches" to the system. Automated switches ensure there is more than one way the electricity can reach customers, reducing the duration of outages and the number of customers affected."

While what is stated is overtly correct on the value of such "smart" switches, they also hold a hidden weakness. Some of the technologies that adds complexity to our systems are the "Smart" technologies (as in smartgrid, smarthouse, smartcities) and the "internet of things" or IoT that may, themselves, become the largest short term threat we face. Amory and Hunter Lovins in their 1982 book Brittle Power warned us that a well designed, decentralized system must have user controllability but "smart" technology takes most of that away from us making us into even more of a tightly-coupled complex system than before. Some of the top cyber experts I know warn against this increasing our "attack surface" in this way. Events in Ukraine a year ago (and possibly in the past few weeks) prove beyond a doubt that a large portion of the grid can be made inoperative in the click of a mouse. I advocate decentralization as one way to prevent a cascading failures and while Art House has not endorsed such a strategy, he is well aware of it as an option. Meanwhile we are also deploying the very smart technologies that can do us severe harm prior to building the defenses into our grid architecture. First things must come first and I suggest we revisit this very central point of resilience in a smart manner. I think Art House is capable of doing that.
ADVERTISEMENTS
Most Popular on Facebook
Copyright 2017 New England Business Media