Cyber Goals: Past Due
On May 15, 2018, the U.S. Department of Homeland Security (DHS) released its cybersecurity strategy for the next five years.
"The cyber threat landscape is shifting in real-time, and we have reached a historic turning point," said DHS Secretary Kirstjen Nielsen in a statement on the strategy's release. "Digital security is now converging with personal and physical security, and it is clear that our cyber adversaries can now threaten the very fabric of our republic itself."
Between 2006 and 2015, the number of cyber incidents on U.S. federal government systems that were reported to DHS increased more than tenfold—including the massive Office of Personnel Management breach that compromised the records of more than 4 million U.S. federal employees and affected 22 million people.
"The growing interconnection of cyber and physical systems within critical infrastructure also creates the potential risk for malicious cyber activity to result in direct physical consequences," according to DHS. "For example, the December 2015 overriding of controls in the Ukrainian electric grid resulted in widespread loss of power."
More recent incidents, such as WannaCry and NotPetya, have also demonstrated the threat of using the Internet of Things to conduct cyberattacks with far-reaching consequences.
Because of this, Nielsen said DHS is "rethinking its approach" to cybersecurity to confront systemic risks by issuing its strategy guide. The guide was a requirement under the National Defense Authorization Act of 2017 and lays out a five-part approach to manage national cyber risk: identifying risk, reducing vulnerability, reducing threat, mitigating consequences, and enabling cybersecurity outcomes.
"Through our efforts to accomplish seven identified goals across these five pillars, we work to ensure the availability of critical national functions and to foster efficiency, innovation, trustworthy communication, and economic prosperity in ways consistent with our national values and that protect privacy and civil liberties," DHS said.
To understand the cybersecurity landscape and its risks, and address vulnerabilities, threats, and consequences of DHS's cybersecurity activities, the department must first be able to identify risks.
The department's first goal in this pillar of its strategy is to assess cybersecurity risks so it understands the "evolving national cybersecurity risk posture to inform and prioritize risk management activities," according to the strategy.
To do this, DHS said it plans to work with stakeholders—sector-specific agencies, nonfederal cybersecurity firms, and others—to understand trends in threats, vulnerabilities, interdependencies, and potential consequences so the department can prioritize its activities and budget accordingly.
"DHS must also take stock of gaps in national analytic capabilities and risk management efforts to ensure a robust understanding of the effectiveness of cybersecurity efforts," the strategy explained. "We must anticipate the changes that future technological innovation will bring, ensure long-term preparedness, and prevent a 'failure of imagination.'"
As part of this goal, DHS has set specific objectives, including identifying evolving cybersecurity risks that affect economic security, public health, and national security; identifying and creating plans to address gaps in analytic capabilities; and developing plans and scenarios for future technology deployments that could be disruptive.
Another pillar of DHS's strategy is to reduce the vulnerability of U.S. federal agencies across the board.
"DHS leads the effort to secure the federal enterprise and must use all available mechanisms to ensure that every agency maintains an adequate level of cybersecurity, commensurate with its own risks and with those of the larger enterprise," according to the strategy.
To assist the rest of the U.S. federal government, DHS will work with the Office of Management and Budget (OMB) to address systemic risks and interdependencies between agencies.
"DHS must also support agency efforts to reduce their vulnerabilities to cyber threats by providing tailored capabilities, tools, and services to protect legacy systems, as well as cloud and shared infrastructure," the strategy explained. "Within its own systems, DHS must continue to adopt new technologies and serve as a model for other agencies in the implementation of cybersecurity best practices."
As part of this pillar, DHS laid out sub-objectives to more clearly define how it will achieve this goal. These include developing and implementing a clear governance model for U.S. federal cybersecurity; issuing new or revised policies and recommendations to ensure adequate cybersecurity across the enterprise; and providing agencies with integrated and operationally relevant information necessary to understand and manage their cyber risk.
One example of this in action prior to the release of the strategy was DHS's binding operational directive 18-01, which required U.S. federal agencies to increase their email and Web security. Specifically, DHS mandated that agencies implement Domain-based Message Authentication, Reporting, and Conformance (DMARC) for their email systems. (See "Spoofing the CEO," Security Management, October 2016.)
Another goal of this pillar of the strategy is to protect critical infrastructure by partnering with stakeholders to ensure national cybersecurity risks are managed. This partnership is key because a majority of the critical infrastructure in the United States is owned and operated by the private sector.
"DHS must partner with key stakeholders, including sector specific agencies and the private sector, to drive better cybersecurity by promoting the development and adoption of best practices and international standards, by providing services like risk assessments and other technical offerings, and by improving engagement efforts to advance cybersecurity risk management efforts," the strategy stated.
An example of this in action was DHS's response to the 2017 WannaCry ransomware attack. During the attack, DHS's National Protection and Programs Directorate partnered with other agencies and the private sector to help U.S. hospitals—a major target of WannaCry—ensure their systems were not vulnerable to the malware. It also released an unclassified technical alert to help defenders defeat the malware and prevent is spread.
In addition to reducing vulnerability, DHS's strategy also outlines a goal to reduce threats in cyberspace overall.
"In partnership with other law enforcement agencies, DHS must prevent cyber crime and disrupt criminals and criminal organizations who use cyberspace to carry out their illicit activities and leverage identified threat activity and trends to inform national risk management efforts," the strategy explained.
To do this, DHS will create investigative priorities related to illicit cyber activity, identify and conduct high-impact investigations of cybercrimes by transnational criminal organizations, disrupt online marketplaces for malicious cyber activity, and develop options to disrupt, counter, and deter transnational criminal organizations.
The final portions of the DHS strategy are to mitigate consequences and enable cybersecurity outcomes.
With the rise of cybercrime and illicit cyberactivity, DHS must have a role in limiting the impact of significant cyber incidents, the department said.
"Many cyber incidents do not require a national response," the strategy explained. "But when they do, DHS plays a unique role in responding to cyber incidents to mitigate potential consequences by providing technical assistance to affected entities and other assets that are at risk and investigating the underlying crimes."
DHS took this role, for example, in July 2017 when the U.S. Secret Service—part of DHS—worked with international law enforcement to arrest a Russian national who allegedly operated BTC-e.
"From 2011 to 2017, BTC-e is alleged with facilitating over $4 billion worth of Bitcoin transactions worldwide for cyber criminals engaging in computer hacking, identity theft, ransomware, public corruption, and narcotics distribution," DHS said. "Researchers estimate approximately 95 percent of ransomware payments were laundered through BTC-e."
While the strategy is an important framework for the U.S. federal government, it has been met with criticism.
Ray DeMeo, chief operating officer of Virsec, says the DHS strategy is high-level and is missing an implementation plan.
"One of the document's guiding principles is to foster innovation and agility—this is a big ask, where existing time horizons must be reduced from years down to months," DeMeo says. "We need to dramatically accelerate collaboration with the private sector, where meaningful security innovation is happening daily, if we are going to change the asymmetric nature of today's threat landscape."
DeMeo also says he will be looking for more information from DHS—a department with a domestic mandate—about how it intends to address cybersecurity globally.
"The reality is that a large portion of Internet crime is driven from the international Wild West, from areas with lax law enforcement or actional nation-state sponsorship," he explains. "This problem is as much diplomatic as it is technological."
Two of the most vocal critics have been U.S. Representative Bennie G. Thompson (D-MS), ranking member of the House Homeland Security Committee, and U.S. Representative Cedric L. Richmond (D-LA), ranking member of the Cybersecurity and Infrastructure Protection Subcommittee and author of the legislation that originally mandated the strategy.
In a joint statement, Thompson and Richmond said the strategy is overly focused on policies and procedures that DHS needs to develop further.
"It also fails to mention—at any point—one of the most pressing cybersecurity challenges of the moment: election security," they said. "The fact is, because of the department's failure to adhere to the statutorily-mandated deadline, it lost time and missed opportunities to make progress maturing its cybersecurity posture and capabilities."
The congressmen added that they hoped to see more information about how DHS plans to implement its strategy in another report, which is due to Congress by August 15, 2018.
"In particular, we expect it will provide greater detail on the roles and responsibilities that components will undertake, a description of any new authorities it needs to fulfill its mission to secure federal networks, as well as an explanation of what resources the department will need," Thompson and Richmond said.
As of Security Management's press time, DHS had not submitted an implementation plan to Congress.