Can a new DHS cybersecurity strategy help the private sector?
The U.S. Department of Homeland Security outlines federal plans to improve public and private cybersecurity, but analysts advise caution over strategies that can't be mandated.
U.S. Department of Homeland Security Secretary Alejandro Mayorkas outlined broad Biden-Harris administration plans to strengthen and speed improvements in national cybersecurity defense at a pre-RSA Conference webinar. But, whether private enterprises will be able to rely on DHS for practical, tangible cybersecurity assistance remains an open question.
The DHS cybersecurity strategy Mayorkas outlined consists of closer public-private sector cooperation because so much infrastructure is in the hands of the private sector. A series of fast-tracked and longer-term cyber projects that will be managed by DHS' Cybersecurity and Infrastructure Security Agency (CISA), which was formed in late 2018, were also included.
If the DHS outline is focused on the public sector, others will pay attention, but any further efforts or relationships won't be mandated or even a sure thing, said Jon Oltsik, analyst at Enterprise Strategy Group (ESG), a division of TechTarget.
Due to the extensive recent SolarWinds attacks, Mayorkas emphasized the need to modernize the government's cybersecurity strategies. "It wasn't until one of the world's best cybersecurity companies got hacked itself and alerted the government that we found out," he said. In financial terms, Mayorkas said the FBI reported more than $4.1 billion in financial losses tied to cybercrime in 2020 alone.
"CISOs do pay attention to federal government initiatives around cybersecurity," ESG's Oltsik said. "There's a real effort and need to improve the efficacy and timing of threat sharing. CISA is really the agency leading this effort for civilian agencies and the private sector," Oltsik said.
But where it gets dicey is that DHS has some oversight for civilian agencies and the private sector, but so do other agencies, including the U.S. Departments of Justice and Energy, to name two, Oltsik added.
Commenting on the DHS cybersecurity strategy, Nemertes Research CEO and founder Johna Till Johnson said it's not to say that the U.S. government hasn't been at the forefront of cybersecurity initiatives, "but in Nemertes' experience working with enterprises, CISA has generally been a follower rather than a leader in providing tangible cybersecurity assistance."
Johnson cited NIST's Cybersecurity Framework and the Mitre ATT&CK framework as examples of two frameworks enterprises rely on but added that, while CISA also tracks attacks and threats, generally, Mitre is more comprehensive and up to date because it's community-sourced.
"Clearly, we're not doing enough around cybersecurity at a federal level, NIST and Mitre notwithstanding," Johnson said. In fairness, she added that NIST and Mitre have been around far longer than CISA.
60-day DHS cybersecurity 'sprints' on the agenda
In addition to the major initiatives, Mayorkas said DHS will launch a series of 60-day "sprints" to focus on the most urgent priorities needed to reach its cybersecurity goals and remove roadblocks.
The first sprint will focus on the fight against ransomware, which Mayorkas emphasized now poses a national security threat. "Those behind these malicious activities should be held accountable for their actions. That includes governments that do not use the full extent of their authority to stop the culprits," he said.
While industry analysts agree that ransomware is a major problem, they say the industry also needs to focus on next-generation attacks on the horizon using the most sophisticated tools available.
The second sprint will examine the cybersecurity workforce skills shortage and the need to train people to help protect schools, hospitals, critical infrastructure and communities. Later this year, additional sprints will focus on improving the resilience of industrial control systems, such as water treatment facilities, better protecting transportation systems and safeguarding election security.
Providing an assist for Mayorkas' cybersecurity skills plans was interim CEO of the Girl Scouts of the USA Judith Batty, who made it clear that, through partnerships with Palo Alto Networks, AT&T, Raytheon and now DHS in place, the organization has moved far beyond cooking and sewing badges. A cyber badge program was added at the request of the scouts in 2019. Mayorkas announced an initiative at the webcast to provide Girl Scouts and others with DHS internships to help address the cybersecurity skills shortage in the future.
5 DHS cybersecurity principles for the U.S.
According to Mayorkas, the high-level Biden-Harris administration's DHS cybersecurity strategy roadmap includes the following:
- Championing a free and secure cyberspace that "cannot ignore the broader geopolitical context and democratic backsliding" that is happening in the world.
- Prioritizing investments inside and outside of government to focus on immediate innovations, investments and raising the bar of essential cyber hygiene to improve cyber defenses. The federal government also needs to bolster its ability to respond when cybersecurity incidents happen, Mayorkas said. The current administration is preparing an upcoming executive order designed to improve detection and information sharing, modernizing federal cybersecurity, procurement and incident response, with details to be shared soon, he added.
The effectiveness of the upcoming executive orders depends on what they are, Nemertes' Johnson said. "A very real question is how CISA envisions coordinating with not just the private sector, but all the other cybersecurity organizations that exist. That's not an easy task."
- Focusing on a risk-based approach to determine what risks to prioritize and how to allocate limited resources is crucial to maximize the government's impact. Mayorkas emphasized a fact-based framework is needed to guide risk assessment in the U.S. and abroad.
- Sharing responsibility with stronger collaboration between the private sector and the government to address the most important risks and quickly generate insights needed to detect malicious cyber actors. "If actionable, timely and bidirectional information is not distributed quickly, malicious cyber actors will gain the advantage of more time to burrow into systems and inflict damage," Mayorkas said.
- Addressing diversity, equity and inclusion in terms of the recruitment, development and retention of diverse talent. "It requires equal access to professional development opportunities to fill the current half-million cyber vacancies across our country and to prevent future shortages," he said.
Mayorkas: CISA to function as program quarterback
DHS' CISA will be at the center of the administration's cybersecurity initiatives. CISA is headed by Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger, who was formerly the National Security Agency's cybersecurity director. Mayorkas said Neuberger is coordinating a whole government response to build and modernize the country's cyber defenses.
The appointment of Neuberger is a positive note and definitely not business as usual for DHS, Johnson said.
DHS will launch an awareness campaign to ensure private companies know what resources and services CISA offers. It also plans to launch an expanded cybersecurity grant program to support the adoption of those services. CISA is also placing state cybersecurity coordinators across the country and is working on a proposal for a cyber response recovery fund that will help the agency provide assistance to state, local, tribal and territorial governments.