The U.S. Department of Homeland Security (DHS) this week published its long-delayed Cybersecurity Strategy. It had been mandated by Congress to deliver a strategy by March 2017, and did so on May 15, 2018.
The strategy is defined in a high-level document (PDF) of 35 pages. Its scope is to provide “the Department with a framework to execute our cybersecurity responsibilities during the next five years to keep pace with the evolving cyber risk landscape by reducing vulnerabilities and building resilience; countering malicious actors in cyberspace; responding to incidents; and making the cyber ecosystem more secure and resilient.”
This framework comprises five pillars containing seven separate goals. The pillars are risk identification; vulnerability reduction Including the twin goals of protecting federal systems and critical industries); threat reduction by proactive means; consequence mitigation (that is, improved incident response); and to enable cybersecurity outcomes. The last pillar comprises the twin goals of strengthening the security and reliability of the cyber ecosystem, and improving the management of its own activities.
“The cyber threat landscape is shifting in real-time, and we have reached a historic turning point,” said DHS Secretary Kirstjen Nielsen. “Digital security is now converging with personal and physical security, and it is clear that our cyber adversaries can now threaten the very fabric of our republic itself. That is why DHS is rethinking its approach by adopting a more comprehensive cybersecurity strategy. In an age of brand-name breaches, we must think beyond the defense of specific assets — and confront systemic risks that affect everyone from tech giants to homeowners. Our strategy outlines how DHS will leverage its unique capabilities on the digital battlefield to defend American networks and get ahead of emerging cyber threats.”
Of necessity, however, the five pillars and seven goals are defined in very basic terms. They define objectives, sub-objectives and outcomes — but with little on methods. For example, goal #1 (the risk identification pillar) is to assess evolving cybersecurity risks. This will be achieved by working with “stakeholders, including sector-specific agencies, nonfederal cybersecurity firms, and other federal and nonfederal entities, to gain an adequate understanding of the national cybersecurity risk posture, analyze evolving interdependencies and systemic risk, and assess changing techniques of malicious actors.”
However, nobody was able to predict, detect or prevent Russian meddling in the 2016 presidential election, nor the WannaCry and NotPetya outbreaks. The implication is that something new and beyond just increased interagency cooperation needs to be done to achieve genuine risk identification.
The third pillar, threat reduction together with goal #4 (prevent and disrupt criminal use of cyberspace) is also interesting. The strategy states, “We will reduce cyber threats by countering transnational criminal organizations and sophisticated cyber criminals.” Again, the obvious question is, ‘How?’. The strategy states, “our law enforcement jurisdiction is broad”. But it does not reach into those countries that are generally considered to be the prime movers of serious cyber criminality: Russia, China, Iran and North Korea.
Indeed, the U.S. government has so far failed to repatriate Edward Snowden from Russia, nor even to apprehend Julian Assange in the European Union. It is difficult to see how the DHS will be able to prevent and disrupt advanced foreign criminal use of cyberspace without resorting to new tactics — such as a more aggressive active defense verging on hacking back. Neither ‘active defense’ nor ‘hack back’ are mentioned in the strategy document.
Ray DeMeo, COO at Virsec, has similar concerns. “Cybersecurity is an inherently global issue and it’s good that the DHS strategy recognizes the need for a ‘global approach with robust international engagement’,” he told SecurityWeek. “But it’s yet unclear how an agency with a domestic mandate is going to effectively engage globally. The reality is that a large portion of internet crime is driven from the international “wild west” from areas with lax law enforcement, or actual nation-state sponsorship. This problem is as much diplomatic as it is technological.”
These caveats aside, it is good to see a formal strategy to cover the DHS’ entire theater of responsibility with a clearly stated objective: “By 2023, the Department of Homeland Security will have improved national cybersecurity risk management by increasing security and resilience across government networks and critical infrastructure; decreasing illicit cyber activity; improving responses to cyber incidents; and fostering a more secure and reliable cyber ecosystem through a unified departmental approach, strong leadership, and close partnership with other federal and nonfederal entities.”
“The strategy put forth by DHS is very comprehensive and well thought out,” says Rishi Bhargava, co-founder at Demisto. “The inclusion of response plan coordination under the Consequence Mitigation section is a critical piece to be able to contain damage from an attack. Any strategy is as good as it’s execution. I look forward to seeing this put in action across different departments and policies.”
It is reassuring that the organization is not seeking to develop its own new framework, but to encourage the use of existing relevant frameworks. “DHS,” says the document, “must expand efforts to encourage adoption of applicable cybersecurity best practices, including NIST’s Framework for Improving Critical Infrastructure Cybersecurity.”
It is a little surprising, however, that while NIST is specified, the Domain Message Authentication Reporting & Conformance (DMARC) protocol is not mentioned. In October 2017, DHS issued a binding operational directive requiring that all federal agencies start to use DMARC. By January 2018 it was reported that about half of the agencies had implemented DMARC, but only at its lowest level.
It is easy to be critical of a high-level strategy document — it is the detail of implementation that will decide on the effectiveness of this strategy. For the moment, this document marks a valuable and important approach to unifying and strengthening the domestic cybersecurity remit of the DHS. “The DHS approach to managing cybersecurity risk on the national level,” comments Brajesh Goyal, VP of engineering at Cavirin, “is a good analogy for what organizations need to do to manage their cyber-posture. A good framework for this is the NIST Cybersecurity Framework (CSF). This can serve as a foundation for other security in-depth actions.”
“It’s important that the DHS has finally published its cybersecurity strategy,” explains DeMeo; “but by definition, this is high-level. For the most part, these are sensible recommendations. What’s critical now is making this strategy actionable. One of the document’s guiding principles is to foster innovation and agility — this is a big ask, where existing time horizons must be reduced from years down to months. We need to dramatically accelerate collaboration with the private sector, where meaningful security innovation is happen
ing daily, if we are going to change the asymmetric nature of today’s threat landscape.”