Homeland Security Secretary Kirstjen Nielsen laid out the tenets of her agency’s new cybersecurity strategy and it came with a clear warning.
“Complacency is being replaced by consequences. We will not stand on the sidelines while our networks are compromised. We will not abide the theft of our data, our innovation and our resources. And we will not tolerate cyber meddling aimed at the heart of our democracy,” Nielsen said today at the RSA Conference in San Francisco, California. “The United States possesses a full spectrum of response options—both seen and unseen—and we will use them to call out malign behavior, punish it, and deter future cyber hostility. In today’s hyper-connected world, cybersecurity is national security. Our cyber defenses help guard our very democracy and all we hold dear. So to those who would try to attack our democracy, to affect our elections, to affect the elections of our allies, or to undermine national sovereignty, I have a simple word of warning: DON’T.”
Nielsen’s comments also set forth the mindset of the Trump administration and the forthcoming DHS plan.
“The Department of Homeland Security is adopting a more forward-leaning posture,” she said. “[The strategy] will bolster our digital defenses by prioritizing enhancements in risk identification, vulnerability reduction, threat reduction and consequence mitigation. And it will focus on strengthening the security of the broader cyber ecosystem.”
Trevor Rudolph, a former chief of the Cyber and National Security Division at the Office of Management and Budget and now a cybersecurity policy fellow at New America, said he was pleased and a little surprised by Nielsen’s blunt language.
“I think the U.S. government has struggled to establish proper consequences for cyber attacks. This type of language, coupled with the appointment of John Bolton [as National Security adviser], gives us an opportunity to define some specificity on what the consequences are and whether the administration backs up their words with action,” Rudolph said in an interview. “The difference in the two presidents is with Barack Obama you had a president who was by nature a cautious academic that wanted to weigh all the options. With President Trump, he is less concerned with facts and willing to act on perceived interests. For example, if you take a nation-state attack like the election meddling, there was a lack of public consequences. I would be surprised if this same thing happened with this administration. I think we’d see a real response in the same nature of the attack. I would be interested to see what unintended consequences would come from a more aggressive approach.”
Nielsen detailed five themes that will guide this new strategy.
The first is how DHS can help the public and private sectors better mitigate systemic risk, such as risk arising from the supply chain or from interconnected devices.
“We must be more aware of vulnerabilities built into the fabric of the internet and other widespread weaknesses. We must be more aware of single points of failure, concentrated dependencies and cross-cutting underlying functions,” Nielsen said. “An attack on the financial sector, for instance, can quickly have an impact on the energy grid, which can affect water systems, which can affect healthcare and agriculture, and you can’t predict where it will stop because of our endless inter-connectivity and digital dependence.”
Nielsen said one of the best ways to mitigate the risk is by ensuring industry sectors don’t work in silos, focusing only on the vulnerabilities that matter to their own systems or networks.
She said DHS and the private sector should prioritize securing essential functions across sectors, including those executed through multiple assets and systems.
“I am making sure this perspective shapes DHS engagement with the private sector, our risk assessments, and our prioritization of services and tools. For instance, we recently launched a voluntary initiative to identify and mitigate systemic risk in supply chains,” Nielsen said. “We are working with users, buyers, tech manufacturers, and others to hunt down unseen security gaps—and to share actionable information that will help close them. This includes identifying companies in the supply chain whose risks might go unnoticed otherwise. And we need your help. We ask you to work with us to identify systemic risks, to flag emerging ones, and to work with us to fix them.”
Rudolph said traditionally DHS has struggled in helping agencies and the private sector deal with risk.
“You hear a lot of private sector elements saying for DHS to just pay attention to the government because they can barely do that job well,” he said. “I’ll be interested to see how DHS will back the speech up with actions.”
Nielsen said a related theme is around collective defense. She said one example is the Financial Systemic Analysis and Resilience Center, which was started by a number of banks in 2016 to understand and manage systemic cyber risk.
“The FSARC stood up an initiative to help industry and government alike identify the key players and unique threats around a national critical function — the wholesale payment system — and to jointly develop solutions to buy down that risk end-to-end. I encourage other sectors to emulate the FSARC model and drive towards collective defense,” she said.
A fourth theme of the strategy will focus on resilience: not just recovering from an attack, but getting better because of it.
Nielsen said the plan will focus on what she called “advanced persistent resilience,” which means the system or technology must continuously deliver its intended services despite ongoing attacks.
“We must be obsessed with building redundancy into our systems so that when they get attacked and fail, they fail gracefully. So that when they fail, we innovate as we recover,” she said. “We not only bounce back but we bounce forward. Systems should be designed so that parts can function offline—‘unplugged’—without a requirement to take down the entire system or network.”
The fifth theme is cyber deterrence where Nielsen offered a final word to nation-states and other hackers: “DON’T.”
Rudolph said Nielsen’s speech provides many reasons to be optimistic about where DHS and the administration are heading. Now, he said, comes the hard part of turning the strategy into actions.
“The government and industry need to think holistically as a nation if we ever are going to secure technology properly,” he said. “Whether or not DHS can play the role she is referring to is something I’m not convinced of, and they have to prove it to other sectors that they can add value.”