Summary: The Department of Homeland Security’s Cybersecurity Strategy
With an anticipated 20 billion devices connected to the internet by 2020, cybersecurity has become a core component of homeland security. Complicating the threat picture, nation-states have begun to use proxies, and malicious actors with apparent criminal and nation-state affiliations now engage in online criminal activity.
Published by The Lawfare Institute
in Cooperation With
With an anticipated 20 billion devices connected to the internet by 2020, cybersecurity has become a core component of homeland security. Complicating the threat picture, nation-states have begun to use proxies, and malicious actors with apparent criminal and nation-state affiliations now engage in online criminal activity. In 2015, an intrusion into a federal agency resulted in the compromise of over 4 million federal employees’ personnel records, affecting nearly 22 million people. The proliferation of internet-of-things devices increases the chances that cyberactivity and ransomware incidents—such as WannaCry and NotPetya—will have serious kinetic consequences.
Amid concern about the security of the midterm elections and high-profile attacks on private companies, on May 16, the Department of Homeland Security issued its Cybersecurity Strategy, as mandated under Section 1912 of the 2017 National Defense Authorization Act. The strategy provides DHS with a five-year framework for reducing cybersecurity vulnerabilities, building resilience and enhancing response capabilities.
The DHS Office of Strategy, Policy, and Plans led the development of the strategy, in collaboration with all DHS components. In accordance with the NDAA, Homeland Security will issue an implementation plan for executing the strategy no later than 90 days after the strategy’s enactment, or August 14, 2018. That office will annually audit how DHS is executing the strategy and provide a report to the secretary on its progress. The department plans to review and update the strategy in 2023, and periodically (though it is unclear how frequently) thereafter.
The strategy document identifies five pillars of a department-wide risk-management approach to cybersecurity. The first pillar aims to better understand the threats facing the U.S. The second, third and fourth pillars work to reduce the frequency and damage of cyberthreats. Finally, the fifth pillar aims to make cyberspace more defensible.
Pillar I: Risk Identification
Goal 1: Assess Evolving Cybersecurity Risks
Central to Homeland Security’s strategy is a better understanding of global cyberthreats and how they affect the United States. The department plans to work with sector-specific agencies, such as the Department of Defense and the General Services Administration, and cybersecurity firms that are not affiliated with the federal government. DHS will develop plans both to address gaps in its preparedness to handle existing threats and to predict future risks.
Pillar II: Vulnerability Reduction
Goal 2: Protect Federal Government Information Systems
DHS will work to reduce organizational and systemic vulnerabilities across the federal government and empower its stakeholders to better manage their cybersecurity risks. DHS works with the Office of Management and Budget (OMB) to address risks across agencies. In leading the effort to secure the federal government, as well as protecting its own information systems, DHS intends to triage the risks the government faces. Additionally, DHS will continue close collaboration with the General Services Administration, the National Institute of Standards and Technology, and those entities responsible for protecting military and intelligence networks.
In order to reduce federal agencies’ vulnerabilities, DHS plans to improve the governance model for federal cybersecurity, information-security policies, and oversight. DHS will continuously provide feedback on federal information-technology policies and government-wide policies and programs that affect cybersecurity. It will further clarify the distribution of responsibilities between OMB, DHS and other agencies, with the goal of developing and implementing a clear governance model for federal cybersecurity. DHS will also try to increase compliance with information-security policies and accountability for missteps, and assess federal government and individual-agency risks.
Additionally, the department plans to preempt cyberthreats to itself and other government agencies. DHS plans to centralize protective capabilities and offer additional cybersecurity tools and services to agencies in response to emerging or identified threats. In addition, DHS will create performance metrics to measure the effectiveness of its cybersecurity capabilities, tools, and services. Last, as it increasingly leverages cloud and shared services, DHS will continue to explore new ways to protect DHS systems that may be scalable across the federal government.
Goal 3: Protect Critical Infrastructure
To address significant national risks to critical infrastructure, DHS plans to evaluate its current cybersecurity risk-management offerings, identify and prioritize gaps in those offerings and in personnel engagement, and address the gaps by providing tools and services to critical-infrastructure owners and operators. To effectively leverage field personnel to adopt cybersecurity risk management best practices, including the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity, DHS is prepared to engage with officials at the appropriate levels.
To improve the sharing of cyberthreat indicators, defensive measures, and other cybersecurity information, DHS intends to expand automated mechanisms that receive, analyze, and share threat information. The department also plans to improve its own ability to analyze, correlate and enrich cybersecurity information, and improve its information-sharing mechanisms, including those that allow access to U.S. government information.
DHS intends to maintain relevant expertise, mature existing partnerships, and continue to integrate resources for the ten critical-infrastructure sectors for which it is responsible. It will assess and update DHS policies and regulations to address cybersecurity risk, and it will support each sector in integrating cyber and physical resources.
Pillar III: Threat Reduction
Goal 4: Prevent and Disrupt Criminal Use of Cyberspace
DHS intends to reduce cyberthreats by countering transnational criminal organizations and sophisticated cyber criminals. As financial fraud, money laundering, theft of intellectual property, selling of illicit goods and child exploitation are increasingly conducted online, nearly all criminal investigations require investigators to have knowledge of computer forensics, digital investigations, and the cyber tradecraft. DHS plans to leverage its capabilities for targeting financial and international cyber crime, and to collaborate more closely with its law-enforcement partners. To that end, DHS will investigate cyber crimes and illicit uses of cyberspace by transnational criminal organizations. It intends to focus its core investigative responsibilities on financial services and payment systems, computer fraud and abuse, cross-border transmission of illicit materials, human trafficking and child exploitation, intellectual property violations, misuse of cryptocurrencies, and other violations of customs law.
In the past, DHS has been a leader in integrating traditional law-enforcement methods to strengthen cybersecurity, as demonstrated through its electronic crimes task forces. DHS further plans to prevent, disrupt, and counter cybersecurity threats to persons, events, and infrastructure through strengthening its ability to apply its full range of authorities and implementing detection and protection measures to appropriately secure key systems and assets.
DHS plans to collaborate with other law enforcement agencies, strengthen its collaboration with private industry and academia, and bolster its international law enforcement partnerships and their capabilities for cyber crime investigations and digital forensics.
DHS will invest in cutting-edge technical resources and advanced law enforcement capabilities for both itself and its partners.
Pillar IV: Consequence Mitigation
Goal 5: Respond Effectively to Cyber Incidents
DHS will limit the impact of cyber incidents through coordinated, community-wide response efforts. When cyber incidents occur, DHS currently assists through both asset response—technical assistance to affected entities and other at-risk assets—and threat response—investigating the underlying crimes. DHS plans to implement information-sharing mechanisms to ensure that asset and threat responders communicate with each other, sector-specific agencies, and the private sector; in the case of significant cyber incidents, DHS will ensure preparedness for a coordinated government-wide response.
To better assist victims after cyber incidents,, DHS plans to encourage voluntary reporting of cyber incidents and improve victim notification.. As the lead agency for asset response, part of a Cyber Unified Coordination Group, and a support to the White House-led Cyber Response Group, DHS provides critical asset-response assistance following cyber incidents. To expand asset response capabilities and mitigate cyber incidents, DHS plans to establish a common operating picture across the department and with other stakeholders, and to support emergency management efforts under the National Response Framework.
To increase coordination between incident responders, DHS will leverage both DHS and non-DHS investigative resources to provide incident and threat attribution information to federal incident responders and sector-specific agencies. DHS will also develop holistic assessments of adversaries, threats, and incidents, increase field-level collaboration, and coordinate federal response assistance where appropriate.
Pillar V: Enable Cybersecurity Outcomes
Goal 6: Strengthen the Security and Reliability of the Cyber Ecosystem
DHS will support policy and operational efforts that make the “cyber ecosystem” more secure and reliable. DHS describes the cyber ecosystem as including not only cyberspace—the interdependent network of information technology infrastructure—but also the people, environment, norms, and conditions that influence that space. DHS plans to invest in research and development efforts that support its mission, and to more quickly expand its cyber personnel programs.
To strengthen the security and reliability of the ecosystem, DHS aims to foster improved cybersecurity in software, hardware, services, and technologies, and to build more resilient networks. DHS will support the development of technical, operational, and policy innovations, and develop solutions to identify and manage supply chain risks for stakeholders. DHS further plans to engage with stakeholders to enhance the cybersecurity of cloud infrastructure, internet-of-things products, and other emerging technologies.
Additionally, DHS plans to prioritize research, development, and technology transition activities that support incident response, information sharing, and other cybersecurity objectives. It will identify, develop, and transition new capabilities that will enable DHS to protect critical systems, investigate cyber crimes, and respond to cyber incidents.
DHS also plans to expand international collaboration to advance its objectives and promote an open, interoperable, secure, and reliable internet. DHS aims to improve international cooperation and build capacity by sharing best practices, cybersecurity information, expertise, and technical assistance. Its anticipates that the expansion of this international collaboration will result in shared global approaches to cybersecurity and increased risk management capabilities.
With a critical shortage of cybersecurity talent globally, DHS also endeavors to improve recruitment, education, training, and retention to develop a world-class cyber workforce. DHS will continue to support efforts to increase the supply of cybersecurity talent through cyber education programs and the National Initiative for Cybersecurity Education. It will also continue to develop and promote cybersecurity training programs, working in particular to drive approaches to recruitment and retention. DHS plans to develop a cutting-edge network protection and cyber investigative workforce.
Goal 7: Improve Management of DHS Cybersecurity Activities
DHS plans to integrate department-wide cybersecurity policy development, strategy, and planning activities. DHS will establish internal mechanisms to ensure consistency across cybersecurity policy and strategic plans through the DHS Office of Strategy, Policy, and Plans, and in collaboration with the DHS Management Directorate and affected components.
DHS aims to prioritize and evaluate the effectiveness of its cybersecurity programs and activities in accordance with its Cybersecurity Strategy. It will then identify and address gaps within the strategy, ultimately ensuring that the cybersecurity programs address the department’s goals and objectives.