The Department of Homeland Security will soon release a “how-to manual” for the cybersecurity support it offers to federal, state and local government agencies, as well as operators of critical infrastructure, Secretary Kirstjen Nielsen told reporters.
The nation’s interconnectivity means a cyberattack on the financial sector, for example, could quickly affect the electric grid, Nielsen said Tuesday in a speech at the RSA Conference in San Francisco. “We must be more aware of single points of failure [and] concentrated dependencies,” she said. A DHS official said the strategy could be released next week.
The goal of the new cyber strategy is to curb “systemic risk” by helping to secure digital tools used across sectors, Nielsen said. The document will also focus on mitigating the consequences of cyberattacks.
“Whether it is common tools such as GPS or payment and settlement systems, our cyber risk assessments need to factor in shocks to the system that could have untold, cascading consequences,” Nielsen said.
A recent attack on billing software used in the U.S. gas industry disrupted customer transactions for a sprawling network of pipelines. The gas companies’ operating systems weren’t hit, but it was a cautionary tale in supply-chain vulnerabilities.
DHS has long focused on helping private firms prepare for and respond to cyberattacks. The impending strategy, however, seeks to make that collaboration more proactive, focusing on chinks in the cyberdefenses of critical infrastructure.
One of those weaknesses is the supply chain. The department earlier this year established a program to provide cyber risk assessments to companies and agencies on products they may acquire or deploy. Supply chain vulnerabilities “amount to a digital public health crisis,” Jeanette Manfra, DHS’s assistant secretary for the Office of Cybersecurity and Communications, said at a CyberScoop event Monday.
Nielsen said in her RSA speech that DHS is “working with users, buyers, tech manufacturers, and others…to hunt down unseen security gaps—and to share actionable information that will help close them.”
Nielsen also echoed Manfra’s tough talk on nation-state hacking, singling out Russia and North Korea as purveyors of malicious activity. “In some ways we are at a disadvantage because our cyber-adversaries have a different risk calculus or cyberattack threshold than we do,” Nielsen said.
“Last year both Russia and North Korea unleashed destructive code that spread across the world, causing untold billions in damage,” she added. Russia and North Korea carried out those attacks because “they think they can get away with it,” she said. “And too often they have.”
Despite a rallying cry for collective cyberdefense, Nielsen’s speech came with a gloomy forecast: she cited a Cybersecurity Ventures estimate of the financial toll of cybercrime, which the firm projects will hit $6 trillion annually by 2021.
“The threat picture is getting dimmer, not brighter,” Nielsen said. “Our infrastructure can be hijacked and used to hold us hostage.”