DHS cybersecurity strategy keys in on risk, vulnerability management
DHS cybersecurity strategy keys in on risk, vulnerability management

The Department of Homeland Security (DHS) may have dragged its heels in crafting a cybersecurity strategy but the plan it released Wednesday drew praise for its emphasis on risk and vulnerability management.

“The DHS approach to managing cybersecurity risk on the national level is a good analogy for what organizations need to do to manage their cyber-posture,” said Brajesh Goyal, vice president of engineering at Cavirin. “A good framework for this is the NIST Cybersecurity Framework (CSF). This can serve as a foundation for other security in-depth actions.”

Andrew Lloyd, president of Corero Network Security, called the plan “a well-considered and thorough top-down strategy.”

The agency, under the direction of Secretary Kirstjen Nielsen, who has extensive cybersecurity expertise, laid out seven goals meant to help government understand the cybersecurity threats it faces and bolster the country's security posture. Chief among the goals: assessing evolving cybersecurity risks and then prioritizing risk management. DHS noted that while “nation-states continue to present a considerable cyber threat,” non-state actors, too, “are emerging with capabilities that match those of sophisticated nation-states.”

DHS also aims to protect the federal government's information systems, reducing the vulnerability of agencies, and safeguard critical infrastructure by partnering with stakeholders to manage national cybersecurity risks.

“The DHS has defined a more comprehensive Critical Infrastructure (CI) definition than that adopted in the UK/EU within the NIS Directive,” said Lloyd. “With DDoS being the cyber-criminal's tool of choice against both CI and government, DHS will need to swiftly convert this strategy into action to protect against this threat. 

But he noted that “ironically, onerous and restrictive federal government procurement policies” might stand in the way of “DHS being able to select the most effective technologies to mitigate DDoS and other high risk cyber-threats.”

The department also proposes to take on cybercriminals, aiming squarely at reducing the threat posed by increasing sophisticated bad actors and international cybercrime groups.

Recognizing the importance of effective response, DHS plans to coordinate community-wide response initiatives to mitigate the consequences of cyberattacks. “The inclusion of response plan coordination under the Consequence Mitigation section is a critical piece to be able to contain damage from an attack,” said Rishi Bhargava, co-founder at Demisto. 

The agency will also throw its weight behind policies that improve global cybersecurity risk management. Looking internally, DHS said it will integrate and prioritize its own cybersecurity initiatives.

"I fully support the new DHS strategy in its “risk-based” and “cost-effective” effort to prioritize our protective, investigative, and response activities,” said Sherban Naum, senior vice president of corporate strategy and technology at Bromium. “The perimeter is no longer the edge. Understanding what our high-value assets are and isolating those crown jewels will drastically reduce the impact of APTs and nation-state attacks."

While "the DHS strategy document does an excellent job of reminding us that continuous risk assessment and vulnerability management are key elements of an active cyber defense strategy,” Phil Neray, vice president of industrial cybersecurity for CyberX, said “many business leaders don't realize that the DHS has neither the resources nor the legal standing to defend civilian assets before they're attacked, such as plants belonging to energy, pharmaceutical, chemical and manufacturing companies.”  

He maintained that a lot more top-down commitment and budget dollars from senior management and possibly tax incentives, are required “to give CISOs and their teams the resources they need to effectively defend our critical infrastructure from ever-more sophisticated threats from nation-states and transnational criminal organizations."

DHS had been roundly criticized for significant delays in producing a cybersecurity strategy. Rep. Bennie G. Thompson, D-Miss., ranking member of the Committee on Homeland Security, and Rep. Cedric L. Richmond, D-La., ranking member of the Cybersecurity and Infrastructure Protection Subcommittee, had pressed Nielsen as late as last week on the status of the DHS strategy.

Thompson and Richmond, the latter of whom is the original author of the language included in the FY2017 National Defense Authorization Act that mandated the strategy, called the DHS plan “an important and promising framework to guide future efforts to address evolving cybersecurity challenges” and said they were “pleased that DHS finally submitted it to Congress as required by law.”

But the two expressed dismay that the strategy “fails to mention – at any point – one of the most pressing cybersecurity challenges of this moment: election security.” Because the department failed “to adhere to the statutorily-mandated deadline, it lost time and missed opportunities to make progress maturing its cybersecurity posture and capabilities,” the lawmakers said.

“The Department is required to submit an implementation plan to Congress within 90 days, which we hope will put some meat on the bones of this strategy,” said Thompson and Richmond. “In particular, we expect it will provide greater detail on the roles and responsibilities that components will undertake, a description of any new authorities it needs to fulfill its mission to secure federal networks, as well as an explanation of what resources the department will need.”