December 26, 2016
5 to Watch in 2017

In cybersecurity role, House eyes gov’t, biz needs

HBJ PHOTO | Matt Pilon
HBJ PHOTO | Matt Pilon
Arthur House, Connecticut’s first chief cybersecurity risk officer, at DAS’ Farmington Avenue facility in Hartford.

An uncommonly diverse professional background in higher education, national intelligence, international finance, health insurance and state government has given Arthur House a healthy appetite for new challenges.

Now House, 74, faces his next big test as the state's first-ever chief cybersecurity risk officer.

Gov. Dannel P. Malloy appointed House for the position in October, based not on any superior technical skills, but because he has experience convening industry groups to collaborate on strengthening cyber defenses. At the Public Utilities Regulatory Authority (PURA), where House was a commissioner since 2012, he oversaw the creation of a cybersecurity plan for utility companies. The plan calls for confidential meetings in which utilities — which are already quite aware of cyber risks — share information with a limited number of state officials.

In some ways, House's new job is an expansion of the utility cybersecurity work he did at PURA, a role he openly admits to missing, though he is also enjoying having a sole focus, as opposed to handling countless cases involving electric, gas, water and telecom providers. He wanted to be reappointed to PURA, but Malloy approached him over the summer and asked him to take on a new role.

"In August we talked about reappointment, but he said 'I really want you to do this,' " House recounted during a recent interview in his new office at 55 Farmington Ave. in Hartford, where the Department of Administrative Services' technology division is housed.

Among House's assigned tasks in the coming year: Developing a statewide cybersecurity plan across multiple state agencies; identifying ways to respond to potential cyber attacks and related disruptions; and making inroads with the private sector to better understand how the state can help companies, hospitals and others improve their own cybersecurity. He is also expected to participate in PURA's cybersecurity meetings.

House admits that he's daunted by the scope of his new job, but is optimistic about the work, and believes Malloy was wise to create the position.

"I think the creation of the position itself was a recognition that we need to learn more about cybersecurity and how it affects us," House said. "The first step before we get to businesses is to make sure we have our own act together in the state of Connecticut."

But discussions with the defense, banking, insurance, utilities and healthcare sectors are already beginning. Some of those industries have advanced security, but House said he thinks the state can still help. His national-security clearance, which he received when working for the Director of National Intelligence in 2009, could prove to be an advantage in creating better collaboration with industry.

"It makes me much more savvy about what's going on," he said.

He won't be able to share direct classified information with industry, but he said it will help him identify developing problems as soon as possible and reach out to potentially impacted companies.

While House will seek to beef up cybersecurity for various companies, he said he is no "czar." Any cooperation from private industry would be voluntary. He doesn't have the power to regulate companies, like he did at PURA. And he doesn't want to worry businesses.

"We need to cooperate and we want to do what we can to help them be more secure," House said. "We're not going down some new regulatory path here."

In November, House visited Ukraine — the site of the first known cyber attack on utility infrastructure — to learn and share experiences with officials from a small consortium of countries.

No such attack has happened on U.S. soil, but House said hackers regularly probe system defenses used by both state agencies and companies.

Connecticut needs to better prepare for the possibility of an attack, which could have consequences far more devastating than Superstorm Sandy or the 2011 snowstorm that knocked out power in some places for several weeks, he said.

While cybersecurity is a highly technical subject, House readily admits he is no technocrat, though his security clearance has allowed him to witness cybersecurity operations to which the public is not privy.

"I'm a strategy and policy guy," he said.

House, who is married with three daughters attending college, reports to the state's chief information officer, Mark Raymond.

Raymond said House brings "an ability to coalesce" industry leaders and an understanding of the broader challenge of cybersecurity.

While the state hasn't played much of a role helping industry with cybersecurity, Raymond sees it as fitting into a broader collaboration with private entities related to public health and emergency management.

"I'm thrilled we have him in that role," Raymond said. "I think we're doing something very different."

In his free time, House enjoys reading, writing, gardening and sailing on his 12-foot boat.

"I burn a lot of wood in the winter," he said. "I'm an old Yankee and I feel insecure if my woodpile is low."n

Most Popular on Facebook
Copyright 2017 New England Business Media