The Department of Homeland Security on Tuesday released a long-awaited cybersecurity strategy that looks to more proactively tackle the agency’s mandate to protect critical infrastructure from cyberattacks.
The department’s cybersecurity support for critical infrastructure operators must “focus on systemic risk or address risk at individual entities that have the greatest potential impact on national security, public health and safety, and economic security,” the strategy states.
The document will chart DHS’s course in cyberspace over the next five years and is an effort to keep pace with a changing threat landscape, the department said. “Nation-states continue to present a considerable cyber threat,” the document states, “but non-state actors are emerging with capabilities that match those of sophisticated nation-states.”
The five broad aims of the strategy are to better identify digital risks, reduce threats and vulnerabilities, mitigate the consequences of cyberattacks, and “enable cybersecurity outcomes” by making infrastructure more resilient and improving DHS management of the cyber portfolio. The strategy comes as hackers, including those linked to nation-states, have scoured U.S. critical infrastructure for vulnerabilities.
The DHS strategy comes a day after the Department of Energy released its own cybersecurity strategy focused on fortifying power systems.
The DHS document also identifies “end-to-end encryption, anonymous networks, online marketplaces, and cryptocurrencies” as cybersecurity challenges that the department needs to get better at addressing.
Homeland Security Secretary Kirstjen Nielsen said last month the department wants to do more to curb “systemic” cyber risk in the private sector by helping to secure common digital tools used across industries.
“We must be more aware of single points of failure [and] concentrated dependencies,” she said at the RSA conference in San Francisco.
Congress mandated that DHS deliver the strategy by March 2017 but, citing a change of administration and a queue of other reporting requirements, department leadership repeatedly asked for more time. DHS officials have indicated for weeks that the strategy would soon be released, and pressure has been mounting from Capitol Hill for the department to finally publish it.
In a May 11 letter to Nielsen obtained by CyberScoop, Rep. Bennie Thomson, D-Miss., ranking member on the House Homeland Security Committee, criticized the department for the long delay in articulating a strategy.
“The rising frequency of cyberattacks means the department will need to spread its limited resources even thinner while simultaneously taking on new responsibilities,” Thompson and Rep. Cedric Richmond, D-La., wrote. “A clear, detailed strategy that contemplates roles, responsibilities, and program functions will empower DHS officials to use resources judiciously and deliberately.”
DHS is the lead civilian agency for cybersecurity and, since it’s post-9/11 inception, the department has grown into that role by cultivating relationships with critical infrastructure firms. Some lawmakers have criticized the quality of the threat data that DHS shares with the private sector, and adoption of the Automated Indicator Sharing program lagged in its first year. The program has nonetheless matured and officials plan to update it this year based on private-sector feedback.
Election security, supply chain risk loom large
One of the department’s top priorities has been helping to secure voting systems ahead of this year’s midterm elections through vulnerability assessments and classified briefings for state officials. The U.S. intelligence community concluded that Russian hackers meddled in the 2016 presidential election, and U.S. officials have warned of more Russian information-influence leading up to the midterms. Nonetheless, the department’s top cybersecurity official, Jeanette Manfra, told Congress last month that DHS had yet to detect Russian cyber-activity on state systems this election season.
A recent omnibus bill gave the department $26 million in additional funding for election security. The department’s top infrastructure security official, Chris Krebs, was in Pennsylvania Tuesday pledging to continue that work and revealing that the department will conduct a security exercise later this summer with state officials.
The House Homeland Security Committee’s chairman, Rep. Michael McCaul, R-Texas, said Friday that registration databases, rather than voting machines themselves, are where vulnerabilities lie in election infrastructure.
An attacker “could go in and change, say, a name and an address and then basically that person’s voice gets manipulated and the data has changed,” McCaul said at the Council on Foreign Relations. “That’s probably the biggest weakness I see right now, and that’s what we’re trying to harden.”
DHS has also been the fulcrum of the Trump administration’s work to improve supply-chain security in the public and private sectors. DHS last September ordered federal agencies to remove all Kaspersky Lab products from their networks out of concern over the antivirus vendor’s alleged ties to the Russian government. Earlier this year, the department set up a supply-chain program that provides cyber risk assessments to critical infrastructure firms and federal agencies on products they may acquire or deploy.
You can read the full strategy below.