The U.S. Department of Homeland Security (DHS) understands the threat posted by bad apples on the Internet: Long-standing threats are evolving as nation-states, terrorists, individual criminals, transnational criminal organizations, and other malicious actors move their activities into the digital world. Enabling the delivery of essential services—such as electricity, finance, transportation, water, and health care—through cyberspace also introduces new vulnerabilities and opens the door to potentially catastrophic consequences from cyber incidents. The growing number of Internet-connected devices and reliance on global supply chains further complicates the national and international risk picture.”
That’s part of the introduction to the long-awaited Cybersecurity Strategy report, released by the DHS on May 15. It’s not a long document – 35 pages – and the focus is on what the DHS needs to do in order to protect America’s vital interests, including national security. Here are three takeaways worth considering.
The DHS must protect itself. Clearly, Homeland Security can’t protect the country from enemies foreign and domestic if its key IT systems are compromised, damaged, taken offline, or even used against the country through a data breach or botnet infestation. Here’s what the report says:
DHS must maintain an adequate level of security for our own systems. Many DHS information systems remain largely decentralized and are operated by Components without a standardized cybersecurity approach or methodology. DHS must undertake a systematic effort to assess our information systems at greatest risk, and to ensure that appropriate protective capabilities and methodologies are in place to secure sensitive information while enabling critical mission functions.
The above is also true for every organization – protecting IT infrastructure is a matter of survival. In additional, the DHS report focuses in on new technologies, which is the future of information technology. Every company should do this too:
As we increasingly leverage cloud and shared services, DHS must continue to develop and pilot emerging capabilities, tools, and practices to more effectively detect and mitigate evolving threats and vulnerabilities in a timely fashion and ensure that our cybersecurity approaches are flexible and dynamic enough to counter determined and creative adversaries.
The DHS is going to help distribute information about threats, and while this isn’t spelled out explicitly, we hope this means even more funding and resources for US-CERT, the Computer Emergency Readiness Team, which is an important part of the DHS. Here’s what the report says:
We serve as the main federal interface for receiving and sharing cyber threat indicators and defensive measures between and among nonfederal entities and with other agencies. DHS must build on and expand automated mechanisms to receive, analyze, and share cyber threat indicators, defensive measures, and other cybersecurity information with critical infrastructure and other key stakeholders. DHS must continue to pursue programs for sharing vulnerability information and classified cybersecurity information where appropriate, while also emphasizing the need to rapidly declassify cyber threat and associated contextual information.
A key part of the DHS goal here is to do better sharing:
DHS must continue to partner with information sharing and analysis centers and other information sharing and analysis organizations to increase access to and collaboration regarding cybersecurity information… In addition to expanding its information sharing and collaboration capacities, DHS must improve its analytic capabilities to enhance the quantity and quality of information shared and increase the value of information sharing programs for all critical infrastructure stakeholders.
- Could DHS respond to cyberattacks in a way comparable to what FEMA (the Federal Emergency Management Agency), does with natural disasters like floods and volcanoes like at Hawaii’s Kilauea? That would be great, especially if the response is to first mitigate the damage, and worry about assessing blame later. Think about the Equifax disaster. Millions of Americans could have used effective Federal help there. Here’s what the Cybersecurity Strategy report says:
Many cyber incidents do not require a national response. But, where they do, DHS plays a unique role in responding to cyber incidents to mitigate potential consequences by providing technical assistance to affected entities and other assets that are at risk (asset response) and in investigating the underlying crimes (threat response)… In our role as asset responder, DHS must enhance capabilities to protect entities from additional harm following an incident, reduce the risk to others, safeguard sensitive personal and business information, and coordinate responses to significant incidents.
In addition, says the agency, “DHS must also ensure that we have in place mechanisms to coordinate with international partners as cyber incidents, whether they originate domestically or abroad, assume international implications.”
The DHS Cybersecurity Strategy report is aspirational. The report lists objectives. However, there are no timelines, no milestones, no cost estimates. Even so, the report concludes, and let’s hope the agency is successful:
Meeting the goals and objectives outlined in this strategy requires a unified, long-term approach across the Department. Aligning departmental network protection and law enforcement authorities with traditional risk management, information sharing, and incident response efforts will enhance DHS cybersecurity efforts moving forward and provide the Nation with a secure cyberspace for future generations.