President Biden has made cybersecurity, a critical element of the Department of Homeland Security’s (DHS) mission, a top priority for the Biden-Harris Administration at all levels of government. To advance the President’s commitment, and to reflect that enhancing the nation’s cybersecurity resilience is a top priority for DHS, Secretary Mayorkas issued a call for action dedicated to cybersecurity in his first month in office. This call for action focused on tackling the immediate threat of ransomware and on building a more robust and diverse workforce.
In his March 31, 2021, address, Secretary Mayorkas outlined a bold vision for the Department’s cybersecurity efforts to confront the growing threat of cyber-attacks, including a series of 60-day sprints to operationalize his vision, to drive action in the coming year, and to raise public awareness about key cybersecurity priorities.
The cyber threat landscape is different today because cyber is not only a target. Cyber can be used as a weapon and as an attack vector or method through which nefarious activity is conducted. Today, our innovations can be stolen and used to diminish our prosperity…our infrastructure can be hijacked and used to hold us hostage…and our institutions can be compromised and used to undermine our democratic process.
“Cybersecurity used to be a problem reserved for the IT department. It was something out there that someone else handled. It was not my problem. Now it is a real-life, daily concern for parents, teenagers, teachers, small business owners, and beyond. Every facet of our society is now being targeted and at every level: individuals… industries… infrastructure… institutions… and our international interests.” Simply put, it is now everyone’s problem. And it is affecting our lives, our livelihoods, and our way of life, said Secretary Nielsen. Making matters worse, the proliferation of internet-connected devices—which make our lives easier, and in some cases more fun—has also made it easier to attack us. If the past year showed us anything, it’s that our cyber enemies are bolder, more brazen, and savvier than ever before.
A report from McAfee estimated that global losses from cybercrime topped $1 trillion in 2020, and they are expected to skyrocket to more than $6 trillion in 2021. As tensions rise in the standoff over Ukraine, the Department of Homeland Security has warned that the U.S. response to a possible Russian invasion could result in a cyberattack launched against the U.S. by the Russian government or its proxies.
“We assess that Russia would consider initiating a cyber attack against the Homeland if it perceived a US or NATO response to a possible Russian invasion of Ukraine threatened its long-term national security,” a DHS Intelligence and Analysis bulletin sent to law enforcement agencies around the country and obtained by ABC News said.
Russia, DHS said, has a “range of offensive cyber tools that it could employ against US networks,” and the attacks could range from a low-level denial-of-service attack to “destructive” attacks targeting critical infrastructure.
When cyber incidents occur, the Department of Homeland Security (DHS) provides assistance to potentially impacted entities, analyzes the potential impact across critical infrastructure, investigates those responsible in conjunction with law enforcement partners, and coordinates the national response to significant cyber incidents. The Department works in close coordination with other agencies with complementary cyber missions, as well as private sector and other non-federal owners and operators of critical infrastructure, to ensure greater unity of effort and a whole-of-nation response to cyber incidents.
DHS Cybersecurity Strategy
Looking five years out, the Department of Homeland Security aims to have far greater awareness of dangerous threats before they hit our networks…to dismantle major illicit cyber networks in minutes, not months…and to be faster, smarter, and more effective in responding to incidents.
He called for a collective response. “Everyone is cyber vulnerable. And everyone has a role to play in making cyberspace more secure. The attack-and-defend cycles are no longer merely fights between hackers and network defenders. Today, we are ALL on the frontlines of the digital battlefield.” The bad guys are crowd-sourcing their attacks, so we need to crowd-source our response.
Our approach to addressing this problem is two-fold. First, we want to enable better “supply-side” security by helping creators build defenses into the design and creation of their products. We are developing tools we can share to identify bugs and risks earlier, with the goal of moving from “first-to-market” to “first-to-market secure.” We are also working to coordinate the disclosure of newly-discovered vulnerabilities so that developers can correct problems before adversaries exploit them.
Secondly, we need to drive “demand-side” security by educating more consumers to be security conscious, and ensuring our services match up with what the consumer needs and wants. Consumers must demand products that put security first. And we can help do that by raising greater public awareness of cyber risks.
Despite our best efforts, we will get hit, over and over again. We have moved from “if” to “when” to “how often” and “how long can you withstand persistent attacks.” So in an era of advanced persistent threats, we need to urgently focus on what I have called “advanced persistent resilience.” I would offer in the cyber realm this means the system or asset must continuously deliver the intended outcome despite ongoing attacks.
We must be obsessed with building redundancy into our systems so that when they get attacked and fail, they fail gracefully. So that when they fail, we innovate as we recover. We not only bounce back but we bounce forward. Systems should be designed so that parts can function offline—“unplugged”—without a requirement to take down the entire system or network.
“I have a news flash for America’s adversaries: Complacency is being replaced by consequences. We will not stand on the sidelines while our networks are compromised. We will not abide the theft of our data, our innovation and our resources. And we will not tolerate cyber meddling aimed at the heart of our democracy.” The United States possesses a full spectrum of response options—both seen and unseen—and we will use them to call out malign behavior, punish it, and deter future cyber hostility.
DHS creates Cyber Safety Review Board in Feb 2022
The US Department of Homeland Security announced in Feb 2022 the creation of a new body, the Cyber Safety Review Board (CSRB), to investigate major cybersecurity events.
The 15-person board will comprise a mixture of senior officials from agencies like the NSA, FBI and CISA, and governmental departments including the Department of Defense and Department of Justice, along with private sector executives from companies including Google, Microsoft, and Verizon.
“The Biden-Harris administration has taken bold steps to meaningfully improve our cybersecurity resilience,” said Secretary of Homeland Security Alejandro N. Mayorkas. “At the president’s direction, DHS is establishing the Cyber Safety Review Board to thoroughly assess past events, ask the hard questions, and drive improvements across the private and public sectors.”
The mandate of the CSRB will be to investigate significant cybersecurity events that affect government and industry and produce reports containing recommendations for improving the nation’s cybersecurity resilience.
The first review undertaken by the board will be focused on vulnerabilities associated with the Log4j library, a serious and widespread security flaw uncovered in December 2021. The ensuing report, which will be delivered by summer 2022, will include an assessment of the vulnerability, including threat activity and known impacts, as well as actions taken by both the government and the private sector to mitigate its impact.
DHS Cybersecurity Sprints
Understanding that most challenges require a more sustained effort than what can be accomplished within 60 days, the sprints are designed to leverage the Office of the Secretary to (1) elevate existing work to address the specific challenge, (2) remove roadblocks that have slowed down efforts, and (3) launch new initiatives and partnerships where needed.
In addition to the series of 60-day sprints, the Secretary will focus on four ongoing priorities: (1) cementing the resilience of democratic institutions, including the integrity of elections and institutions outside of the executive branch, (2) building back better to strengthen the protection of civilian federal government networks, (3) advancing a risk-based approach to supply chain security and exploring new technologies to increase resilience, and (4) preparing for strategic, on-the-horizon challenges and emerging technology such as the transition to post-quantum encryption algorithms.
“Ransomware” Sprint (April 2021 — May 2021)
This sprint focused on leveraging the Office of the Secretary to elevate the fight against ransomware, an increasingly devastating and costly form of malicious cyber activity that targets organizations of all sizes and across all sectors. Ransomware is malicious code that infects and paralyzes computer systems until a ransom has been paid. Individuals, companies, schools, police departments, and even hospitals and other critical infrastructure have been among the recent victims.
“Cybersecurity Workforce” Sprint (May 2021 — June 2021)
The second sprint focuses on building a more robust and a more diverse cybersecurity workforce. DHS cannot tackle ransomware and the broader cybersecurity challenges without talented and dedicated people who can help protect the Nation’s schools, hospitals, critical infrastructure, and communities.
“Industrial Control Systems” (ICS) Sprint (July 2021 — August 2021)
This sprint is driven by the White House Industrial Control Systems Cybersecurity Initiative, designed to mobilize action to improve the resilience of industrial control systems. The attempted cyber-attack on a water treatment facility in Florida in early 2021 as well as the Colonial Pipeline ransomware attack were powerful reminders of the substantial risks that need to be addressed.
“Cybersecurity and Transportation” Sprint (September 2021 — October 2021)
During this sprint, the Secretary will focus specifically on the need to increase the cyber resilience of the Nation’s transportation systems – from aviation to rail, pipelines, and the marine transport system. The Transportation Security Agency (TSA), the U.S. Coast Guard, and CISA are all part of DHS, which presents a unique opportunity for the Department to make progress in this area, to leverage respective best practices, and to deepen the collaboration with the U.S. Department of Transportation, other interagency stakeholders, and industry.
“Election Security” Sprint (November 2021 — January 2022)
This sprint will focus on the need to cement the resilience of the Nation’s democratic infrastructures and protect the integrity of its elections. Leveraging the lessons learned from the previous elections and the relationships CISA has built with local and state authorities across the country, this sprint will ensure election security remains a top priority every year, and not only during election season.
“International Cybersecurity” Sprint (January 2022 — March 2022)
This sprint is dedicated to the Department’s international cybersecurity activities ranging from those outlined in CISA’s first international “CISA Global” strategy to the U.S. Coast Guard’s Strategic Outlook to protect and operate in cyberspace, an inherently international effort. Most of the cybercrime investigations that the Secret Service and Immigration and Customs Enforcement-Homeland Security Investigations (HSI) pursue every day also include a transnational dimension that requires cooperation with law enforcement partners around the globe.
Science and Technology Directorate (S&T) funds research and development (R&D) projects
To support this new posture, the Department of Homeland Security’s Science and Technology Directorate (S&T) is working in tandem with DHS operational components by conducting research and development (R&D) in numerous areas that will help strengthen DHS’s ability to detect and defend against cyberattacks.
She added that DHS is adopting a more forward-leaning posture that will bolster the nation’s digital defenses by prioritizing enhancements in risk identification, vulnerability reduction, threat reduction and consequence mitigation. The new plan also included a new focal area: enabling cybersecurity outcomes. S&T is conducting several R&D projects that support the newly introduced strategy.
“We must be more aware of vulnerabilities built into the fabric of the internet and other widespread weaknesses …We must also prioritize securing essential functions across sectors, including those executed through multiple assets and systems,” Secretary Nielsen said in her RSA Conference remarks.
S&T’s Application of Network Measurement Science (ANMS) project is developing innovative technologies that will provide the capability to identify, classify, report, predict, provide attribution and potentially mitigate network/internet disruptive events. Additionally, the Next Generation Cyber Infrastructure Apex program is addressing the cyber challenges facing our nation’s critical infrastructure sectors, enabling these essential entities to operate effectively even in the face of sophisticated, targeted cyberattacks.
“Looking out five years, DHS aims to have far greater awareness of dangerous threats before they hit our networks … to dismantle major illicit cyber networks in minutes, not months … and to be faster, smarter and more effective in responding to incidents,” Secretary Nielsen said.
Among S&T’s many projects supporting this area is the Critical Infrastructure Design and Adaptive Resilient Systems project, which develops the technical basis and analytical tools needed to support cross-sector cybersecurity risk assessments. It also identifies standards of practice to support the expanded use of risk methodologies for cyber and physical systems and resource planning.
Separately, the Cybersecurity for the Oil and Gas Sector project undertakes collaborative R&D efforts to improve the level of cybersecurity in critical systems of interest to the oil and natural gas sector. These projects are driven by the Critical Infrastructure Security and Resilience Research and Development Implementation Plan, which outlines federal R&D priorities and activities to strengthen critical infrastructure security and resilience.
This area is focused on reducing cyber-threats by countering transnational criminal organizations and sophisticated cyber-criminals.
Among S&T’s many projects supporting this area are the Anonymous Networks and Currencies and Cyber Forensics projects, which are developing cost-effective and novel solutions to aid law enforcement agencies in their investigations of criminal activity in these areas. S&T also offers Autopsy, an open-source digital forensics platform, and iVe, a vehicle navigation and infotainment system forensics tool used by law enforcement agencies worldwide. Autopsy determines how a digital device was used in a crime and recovers evidence, and has been enhanced with several new capabilities requested by law enforcement. The iVe technology is a digital forensics toolkit that obtains digital evidence from vehicle navigation and infotainment systems. This technology currently supports more than 10,000 vehicle models.
Also, S&T’s Network System Security program comprises the previously mentioned ANMS, Distributed Denial of Service Defense and Federated Security projects, all of which are working on solutions to secure IT networks and emergency response networks from cyberattacks.
In the new plan, this focus is described as minimizing consequences from potentially significant cyber incidents.
To make it harder for cybercriminals to hack networks and systems, S&T’s Cyber Physical System Security project is helping ensure security considerations are added into the design of cyber physical systems, such as the Internet of Things, while they are being built. Also, S&T is working closely with the National Institute of Standards and Technology on its Global Cities Team Challenge (GCTC) to raise awareness for cybersecurity and privacy needs in emerging “smart cities” systems. The Smart and Secure Cities and Communities Challenge is encouraging GCTC participants to adopt designed-in cybersecurity for “smart city” systems that are more secure, reliable, resilient and protective of privacy.
Enable Cybersecurity Outcomes
This pillar covers prioritizing DHS cybersecurity R&D and technology transition, plus expanding international cooperation to ensure an open, interoperable, secure and reliable internet.
S&T’s Transition to Practice Program is leading the effort to transition government-funded cybersecurity technologies to the marketplace. Earlier this month, the program announced its 20th transition, which equals half the technologies enrolled in the transition-to-market program.
On the international front, S&T enjoys a range of international partnerships on many issues, including cybersecurity. Next month, S&T will award its first international awards to U.S.-Dutch research teams that will be working on Distributed Denial of Service Defense and Industrial Control Systems/Supervisory Control and Data Acquisition projects. S&T also has cybersecurity-focused partnerships with more than 20 countries and international organizations that include Great Britain, Israel, Australia, New Zealand, Canada and the European Union.
Supporting all cyber research and development efforts
Supporting each of the aforementioned projects, and in fact all S&T cybersecurity R&D projects, is the Cybersecurity Research Infrastructure program, which comprises the Information Marketplace for Policy and Analysis of Cyber-risk & Trust and the Experimental Research Testbed. The former supports the global cyber-risk research community by coordinating and developing real-world data and information-sharing capabilities including tools, models and methodologies, while the latter enables cybersecurity researchers to run their advanced defense solutions safely against live threats on a “virtual internet” without endangering other research or the larger internet.