The Homeland Security Department unveiled its cybersecurity strategy Tuesday, a series of seven goals the agency hopes to tackle — or at least improve on — over the next five years.
“By 2023, the Department of Homeland Security will have improved national cybersecurity risk management by increasing security and resilience across government networks and critical infrastructure, decreasing illicit cyber activity, improving responses to cyber incidents and fostering a more secure and reliable cyber ecosystem through a unified departmental approach, strong leadership and close partnership with other federal and non-federal entities,” the department’s vision statement reads.
Many of DHS’ seven listed goals simply reiterate the department’s long-stated mission: it will continue to work with critical infrastructure sectors to monitor threats and share information. It will continue to take the lead in securing federal networks.
“The strategy is built on the concepts of mitigating systemic risk and strengthening collective defense,” DHS Secretary Kirstjen Nielsen told the Senate Homeland Security and Governmental Affairs Committee Tuesday afternoon. “Both will inform our approach to defending US networks and supporting governments at all levels and the private sector in increasing the security and resilience of critical infrastructure.”
But the strategy’s seventh goal represents a return to one of DHS’ major concepts: unity of effort.
Each of the department’s six other cyber goals involves multiple DHS components, and the agency needs all of them to work together to secure its own internal networks, hire top professionals and acquire and secure new technology, the policy said.
“To ensure departmental unity of effort and a coordinated approach to accomplishing our cybersecurity goals and objectives, DHS must constantly assess evolving risks and evaluate priorities in the cybersecurity mission space,” the new strategy said. “DHS must also develop department-wide processes and policies to align component programs and activities with this strategy, departmental priorities and changes in the cybersecurity landscape.”
Specifically, DHS’ Office of Strategy, Policy and Plans will work with all involved agency components to make sure they’re fulfilling the cyber plan consistently. The office will take a top-to-bottom look at the department’s current cyber programs and activities and review their effectiveness through the joint requirements process, the strategy said. It will identify internal communication methods to ensure all DHS components are collaborating on the goals of the new cyber policy.
DHS will issue a more detailed cybersecurity implementation plan, which will describe each component’s responsibilities, programs and timelines for achieving the strategy’s seven goals, according to the strategy. Both the strategy and the forthcoming implementation plan will inform the department’s future budget, planning, training and programming.
The Joint Requirements Council will also play a role and will evaluate gaps in the agency’s cyber capabilities and report them back to the DHS secretary, the new policy said.
“No one entity has the authorities, capabilities and capacity to address this, so we have to bring everything that we have to bear,” Nielsen said. “Within DHS, I find that we have pockets of excellence with the Secret Service, within [Immigration and Customs Enforcement], within the Coast Guard, within TSA and of course within [the National Protection and Programs Directorate]. We’re trying to knit all of that together so we have best-in-class services, that collective defense model.”
The department will review and update the strategy in 2023 and again periodically in the following years.
Nielsen said in her opening statement before the Senate panel that she looked forward to discussing the department’s new cyber policy with the committee in more detail. But most senators were more interested in discussing other topics, and Nielsen never got the chance to return to the topic.
Nielsen also continued to advocate for the Senate to pass the DHS Reauthorization Act, which would give her the authority to reorganize and rename the National Protection and Programs Directorate (NPPD) as the Cybersecurity and Infrastructure Security Agency.
Renaming and reorganizing the agency will give DHS a leg up in explaining its cybersecurity mission and recruiting and retaining a talented workforce of IT professionals, she said.
“We’ve reached a turning point in cyber threat evolution, where digital security is converging with personal and physical security,” Nielsen told the Senate panel. “Cybersecurity can no longer be relegated to the IT department and thought of as a nuisance. Now it’s a matter of preserving our lives, our livelihoods and our American way of life.”