The Department of Homeland Security on Tuesday released its strategy for securing the homeland against cyber attacks and illicit cyber activity, the same day the White House reportedly eliminated the position of cyber security coordinator from the National Security Council.
The new strategy, which creates a framework for DHS to carry out its cyber security responsibilities over the next five years, highlights continued and growing threats from nation-states, non-state actors, criminals, transnational criminal organizations, and proxies that make it hard to discern whether cyber threats are coming from nation-state or non-state actors. The report also points out that the explosion of connected devices, commonly called the Internet of Things, is increasing the attack space and creating new vulnerabilities to the nation’s critical infrastructures.
Homeland Security Secretary Kirstjen Nielsen told the Senate Homeland Security Committee that a “historic turning point” has been reached where physical, personal and digital security have converged with potentially dangerous consequences.
In a statement accompanying the release of the strategy, Nielsen said, “This is why DHS is rethinking its approach by adopting a more comprehensive cybersecurity strategy. In and age of brand name breaches, we must think beyond the defense of specific assets, and confront systemic risks that affect everyone from tech giants to homeowners.” She said the strategy will help DHS “get ahead of emerging cyber threats.”
The White House didn’t respond to a request for comment about the elimination of the cyber security coordinator, a position that was created early in the Obama administration to help coordinate cyber security policy across the federal government.
Sen. Mark Warner (D-Va.), ranking member on the Senate Intelligence Committee, tweeted after the White House news broke that “we should be investing in our nation’s cyber defense, not rolling it back. We also need to articulate a clear cyber doctrine. I don’t see how getting rid of the top cyber official in the White House does anything to make our country safer from cyber threats.”
The cyber security coordinator job was held by Rob Joyce for the past year-plus. Joyce was detailed from the National Security Agency, where he went back to work earlier this month.
Nielsen, testifying before the Senate committee, said the new DHS strategy was coordinated closely with the White House National Security Council, which is working on a national cyber security strategy. Responding to a question from Sen. Gary Peters (D-Mich.) about the elimination of the White House position, Nielsen said she hasn’t discussed this with John Bolton, the new head of the National Security Council who reportedly made the decision to discontinue cyber coordinator position.
A vision statement accompanying the new DHS strategy says that “By 2023, the Department of Homeland Security will have improved national cybersecurity risk management by increasing security and resilience across government networks and critical infrastructure; decreasing illicit cyber activity; improving responses to cyber incidents; and fostering a more secure and reliable cyber ecosystem through a unified departmental approach, strong leadership, and close partnership with other federal and nonfederal entities.”
The 35-page strategy outlines five pillars—risk identification, vulnerability reduction, threat reduction, consequence mitigation, and enabling cyber security outcomes—and seven accompanying goals that include a number of objectives, subobjectives and outcomes.
For example, under the pillar of mitigating consequences, one of the goals is to respond effectively to cyber incidents through enhanced and broad coordination and thereby reduce the impact of events. One objective here is to increase voluntary reporting of incidents with an accompanying subobjective being to increase information sharing by the federal government to victims of incidents.