Digging into the DHS cyber strategy
By Derek B. Johnson
The Department of Homeland Security released its long-awaited cyber strategy May 15.
The document, which will guide DHS policy for the next five years, articulates the department's cybersecurity role as almost entirely defensive in nature. It lays out five "pillars" of managing cybersecurity risk: understanding the evolving nature of threats from state and non-state actors, protecting federal networks and critical infrastructure sectors, countering transnational criminal hacking groups, imposing consequences on nation states for malicious cyber activity and globally promoting best practices around cybersecurity.
The strategy also lists a series of guiding principles, from making cost-effective investments and prioritizing systemic risks to the cyber ecosystem to ensuring that any actions taken to protect the country minimize disruption to commerce and innovation and take into account national values like privacy and civil liberties.
Cybersecurity will continue to be a shared responsibility between DHS, the Office of Management and Budget and individual agencies, with agencies handling key aspects of risk management while DHS provides "tailored capabilities, tools and services to protect legacy systems as well as cloud and shared infrastructure."
However, DHS notes that "it is necessary to further refine and clarify" the roles and responsibilities of each party, and it acknowledges the department could do more to support OMB's policy development and federal cybersecurity oversight role as well as develop clear accountability metrics for individual agencies.
The department also must improve the way it integrates information from existing capabilities. Two of the department's crown jewel programs, the Automated Indicator Sharing program and Continuous Diagnostics and Mitigation, are designed to leverage such information from the private sector and federal agencies respectively, but both programs have been plagued by delays and low participation rates.
The strategy also calls for DHS to build on and expand automated mechanisms "to receive, analyze, and share cyber threat indicators, defensive measures, and other cybersecurity information."
The federal government writ large is seeking to take advantage of its unique stockpiles of data. In a May 3 speech, Federal CIO Suzette Kent called for more agencies to embrace automation and analytics, saying "we have the best data in the world."
The document does not specifically mention or reference election security -- a topic which has become one of the most high-profile examples of the department's expanding cyber mission after it formally designated election systems as critical infrastructure in 2017.
In his confirmation hearing, Chris Krebs, acting undersecretary for DHS' cyber department, called election security his "top priority" if confirmed.
Two Democrats on the House Homeland Security committee, Reps. Bennie Thompson (D-Miss.) and Cedric Richmond (D-La.), called the strategy "an important and promising framework" but homed in on the omission of election security and criticized the department for punting on many key issues of cybersecurity policy.
"Unfortunately, the Strategy arrived 14 months late and primarily identifies policies and procedures the Department needs to further develop and more clearly articulate its doctrine."