Introduction
In an increasingly interconnected world, the threat landscape of cybersecurity is evolving rapidly. In today’s digital age, the Department of Homeland Security (DHS) plays a pivotal role in safeguarding the United States against cyber threats and attacks. With cyber threats becoming increasingly sophisticated and pervasive, DHS has devised a robust and multifaceted cybersecurity strategy aimed at defending the nation’s critical infrastructure, government networks, and private sector organizations.
This blog post delves into the DHS Cybersecurity Strategy, highlighting its full spectrum of response options to protect the nation’s digital frontiers. This blog explores how DHS’s cybersecurity strategy is shaping the response to growing cyber threats, with a focus on the 60-day sprints, the Cyber Safety Review Board, and the department’s commitment to research and development.
The Digital Battlefield
Cyber threats know no boundaries. From nation-states to criminal syndicates and hacktivists, the digital battlefield is vast and unforgiving.
Today’s cyber threat landscape is ever-expanding, and cyberattacks are not merely attempts to infiltrate but acts of aggression. Innovations can be stolen, infrastructure hijacked, and institutions compromised. It is now a concern for everyone, from parents and teenagers to business owners, affecting every facet of society.
In 2020, global losses from cybercrime exceeded $1 trillion, and this number is expected to surge beyond $6 trillion in 2021.
As tensions continue to escalate between Russia and Ukraine, the potential for a cyberattack against the United States has become increasingly concerning. The Department of Homeland Security (DHS) has issued a warning that a U.S. response to a possible Russian invasion of Ukraine could trigger a retaliatory cyberattack from Russia or its allies.
The DHS warning highlights the growing interconnectedness of the digital world and the potential for cyberattacks to have significant impacts on critical infrastructure and daily life. Russia, DHS said, has a “range of offensive cyber tools that it could employ against US networks,” and the attacks could range from a low-level denial-of-service attack to “destructive” attacks targeting critical infrastructure. In the event of a cyberattack, vital services such as power grids, financial systems, and communication networks could be disrupted, causing widespread chaos and economic damage.
The DHS recognizes the need for a comprehensive approach that encompasses a range of response options to counter these threats effectively.
A Call to Action
From the moment Secretary Mayorkas assumed his role at DHS, enhancing the nation’s cybersecurity resilience became a top priority. A call for action was issued to address immediate threats like ransomware and to build a stronger and more diverse workforce. The urgency of this call demonstrated the department’s commitment to safeguarding critical infrastructure and government networks.
“Cybersecurity used to be a problem reserved for the IT department. It was something out there that someone else handled. It was not my problem. Now it is a real-life, daily concern for parents, teenagers, teachers, small business owners, and beyond. Every facet of our society is now being targeted and at every level: individuals… industries… infrastructure… institutions… and our international interests.” Simply put, it is now everyone’s problem. And it is affecting our lives, our livelihoods, and our way of life, said Secretary Nielsen. Making matters worse, the proliferation of internet-connected devices—which make our lives easier, and in some cases more fun—has also made it easier to attack us. If the past year showed us anything, it’s that our cyber enemies are bolder, more brazen, and savvier than ever before.
“Everyone is cyber vulnerable. And everyone has a role to play in making cyberspace more secure. The attack-and-defend cycles are no longer merely fights between hackers and network defenders. Today, we are ALL on the frontlines of the digital battlefield.” The bad guys are crowd-sourcing their attacks, so we need to crowd-source our response.
Our approach to addressing this problem is two-fold. First, we want to enable better “supply-side” security by helping creators build defenses into the design and creation of their products. We are developing tools we can share to identify bugs and risks earlier, with the goal of moving from “first-to-market” to “first-to-market secure.” We are also working to coordinate the disclosure of newly-discovered vulnerabilities so that developers can correct problems before adversaries exploit them.
Secondly, we need to drive “demand-side” security by educating more consumers to be security conscious, and ensuring our services match up with what the consumer needs and wants. Consumers must demand products that put security first. And we can help do that by raising greater public awareness of cyber risks.
Despite our best efforts, we will get hit, over and over again. We have moved from “if” to “when” to “how often” and “how long can you withstand persistent attacks.” So in an era of advanced persistent threats, we need to urgently focus on what I have called “advanced persistent resilience.” I would offer in the cyber realm this means the system or asset must continuously deliver the intended outcome despite ongoing attacks.
We must be obsessed with building redundancy into our systems so that when they get attacked and fail, they fail gracefully. So that when they fail, we innovate as we recover. We not only bounce back but we bounce forward. Systems should be designed so that parts can function offline—“unplugged”—without a requirement to take down the entire system or network.
“I have a news flash for America’s adversaries: Complacency is being replaced by consequences. We will not stand on the sidelines while our networks are compromised. We will not abide the theft of our data, our innovation and our resources. And we will not tolerate cyber meddling aimed at the heart of our democracy.” The United States possesses a full spectrum of response options—both seen and unseen—and we will use them to call out malign behavior, punish it, and deter future cyber hostility.
DHS Cybersecurity Strategy
DHS’s cybersecurity strategy encompasses five core elements: Risk Identification, Vulnerability Reduction, Threat Reduction, Consequence Mitigation, and Enable Cybersecurity Outcomes. Let’s explore these pillars in more detail:
1. Risk Identification: Knowing the Enemy
“We must be more aware of vulnerabilities built into the fabric of the internet and other widespread weaknesses … We must also prioritize securing essential functions across sectors, including those executed through multiple assets and systems,” Secretary Nielsen said in her RSA Conference remarks.
- Threat Intelligence: The DHS actively collects, analyzes, and shares threat intelligence to identify emerging threats and vulnerabilities.
- Asset Identification: Identifying critical infrastructure and systems that require heightened protection.
- Collaboration: Establishing partnerships with government agencies, private sector entities, and international partners to enhance situational awareness.
2. Vulnerability Reduction: Strengthening the Defense
“Looking out five years, DHS aims to have far greater awareness of dangerous threats before they hit our networks … to dismantle major illicit cyber networks in minutes, not months … and to be faster, smarter and more effective in responding to incidents,” Secretary Nielsen said. Among S&T’s many projects supporting this area is the Critical Infrastructure Design and Adaptive Resilient Systems project, which develops the technical basis and analytical tools needed to support cross-sector cybersecurity risk assessments. It also identifies standards of practice to support the expanded use of risk methodologies for cyber and physical systems and resource planning. Separately, the Cybersecurity for the Oil and Gas Sector project undertakes collaborative R&D efforts to improve the level of cybersecurity in critical systems of interest to the oil and natural gas sector. These projects are driven by the Critical Infrastructure Security and Resilience Research and Development Implementation Plan, which outlines federal R&D priorities and activities to strengthen critical infrastructure security and resilience.
- Cyber Hygiene: Promoting best practices for cybersecurity, such as patch management and secure configurations.
- Secure Technology Adoption: Encouraging the adoption of secure technologies and practices within organizations.
- Incident Response Planning: Developing robust incident response plans to minimize the impact of cyber incidents.
3. Threat Reduction: Disrupting Adversaries
Among S&T’s many projects supporting this area are the Anonymous Networks and Currencies and Cyber Forensics projects, which are developing cost-effective and novel solutions to aid law enforcement agencies in their investigations of criminal activity in these areas. S&T also offers Autopsy, an open-source digital forensics platform, and iVe, a vehicle navigation and infotainment system forensics tool used by law enforcement agencies worldwide. Autopsy determines how a digital device was used in a crime and recovers evidence, and has been enhanced with several new capabilities requested by law enforcement. The iVe technology is a digital forensics toolkit that obtains digital evidence from vehicle navigation and infotainment systems. This technology currently supports more than 10,000 vehicle models.
- Law Enforcement Action: Partnering with law enforcement agencies to apprehend cybercriminals and bring them to justice.
- International Cooperation: Collaborating with foreign governments to disrupt transnational cyber threats.
- Cyber Deterrence: Leveraging diplomatic and economic tools to deter adversaries from launching cyberattacks against the United States.
4. Consequence Mitigation: Minimizing Damage
To make it harder for cybercriminals to hack networks and systems, S&T’s Cyber Physical System Security project is helping ensure security considerations are added into the design of cyber physical systems, such as the Internet of Things, while they are being built. Also, S&T is working closely with the National Institute of Standards and Technology on its Global Cities Team Challenge (GCTC) to raise awareness for cybersecurity and privacy needs in emerging “smart cities” systems. The Smart and Secure Cities and Communities Challenge is encouraging GCTC participants to adopt designed-in cybersecurity for “smart city” systems that are more secure, reliable, resilient and protective of privacy.
- Incident Response: Coordinating incident response efforts to minimize the impact of cyber incidents.
- Public-Private Cooperation: Partnering with private sector organizations to enhance cybersecurity resilience.
- Resource Allocation: Ensuring that resources are readily available to support response and recovery efforts.
5. Enable Cybersecurity Outcomes: Building a Secure Future
- Education and Workforce Development: Fostering a skilled cybersecurity workforce through education and training programs.
- Research and Development: Investing in cutting-edge technologies to stay ahead of cyber threats.
- Innovation: Encouraging innovation in cybersecurity to adapt to evolving threats.
The Cyber Safety Review Board (CSRB)
In February 2022, DHS established the CSRB, a 15-member board comprising senior officials and private-sector executives from tech giants like Google, Microsoft, and Verizon. The CSRB’s mandate is to investigate major cybersecurity events and produce recommendations for improving national cybersecurity resilience. Its first review will focus on vulnerabilities associated with the Log4j library, with results expected by summer 2022.
Establishment of Homeland Intelligence Experts Group
DHS Secretary Alejandro N. Mayorkas, along with Under Secretary for Intelligence and Analysis Ken Wainstein and Counterterrorism Coordinator Nicholas Rasmussen, has introduced the Homeland Intelligence Experts Group (Experts Group), composed of private sector experts. This group will offer unique perspectives and insights on the U.S. intelligence enterprise to DHS’s Office of Intelligence and Analysis and the Office of the Counterterrorism Coordinator. In the face of a diverse range of threats, including foreign nation-state adversaries, domestic violent extremists, cyber criminals, and transnational criminal organizations, this initiative is critical to enhancing national security.
Members of the Experts Group comprise former senior intelligence officials, journalists, human rights advocates, and civil liberties advocates, including notable figures such as John Brennan, James Clapper, and Michael Leiter. They will meet four times a year to provide valuable input on complex issues like terrorism, drug trafficking, and emerging technology, strengthening the Department’s ability to protect the homeland in this evolving threat environment.
DHS Cybersecurity Sprints
DHS’s commitment to addressing cybersecurity threats is demonstrated by a series of 60-day sprints. These sprints aim to elevate ongoing efforts, remove roadblocks, and initiate new initiatives and partnerships. The department also focuses on four ongoing priorities: safeguarding democratic institutions, strengthening the protection of federal government networks, enhancing supply chain security, and preparing for emerging technology challenges.
“Ransomware” Sprint (April 2021 — May 2021)
This sprint focused on leveraging the Office of the Secretary to elevate the fight against ransomware, an increasingly devastating and costly form of malicious cyber activity that targets organizations of all sizes and across all sectors. Ransomware is malicious code that infects and paralyzes computer systems until a ransom has been paid. Individuals, companies, schools, police departments, and even hospitals and other critical infrastructure have been among the recent victims.
“Cybersecurity Workforce” Sprint (May 2021 — June 2021)
The second sprint focuses on building a more robust and a more diverse cybersecurity workforce. DHS cannot tackle ransomware and the broader cybersecurity challenges without talented and dedicated people who can help protect the Nation’s schools, hospitals, critical infrastructure, and communities.
“Industrial Control Systems” (ICS) Sprint (July 2021 — August 2021)
This sprint is driven by the White House Industrial Control Systems Cybersecurity Initiative, designed to mobilize action to improve the resilience of industrial control systems. The attempted cyber-attack on a water treatment facility in Florida in early 2021 as well as the Colonial Pipeline ransomware attack were powerful reminders of the substantial risks that need to be addressed.
“Cybersecurity and Transportation” Sprint (September 2021 — October 2021)
During this sprint, the Secretary will focus specifically on the need to increase the cyber resilience of the Nation’s transportation systems – from aviation to rail, pipelines, and the marine transport system. The Transportation Security Agency (TSA), the U.S. Coast Guard, and CISA are all part of DHS, which presents a unique opportunity for the Department to make progress in this area, to leverage respective best practices, and to deepen the collaboration with the U.S. Department of Transportation, other interagency stakeholders, and industry.
“Election Security” Sprint (November 2021 — January 2022)
This sprint will focus on the need to cement the resilience of the Nation’s democratic infrastructures and protect the integrity of its elections. Leveraging the lessons learned from the previous elections and the relationships CISA has built with local and state authorities across the country, this sprint will ensure election security remains a top priority every year, and not only during election season.
“International Cybersecurity” Sprint (January 2022 — March 2022)
This sprint is dedicated to the Department’s international cybersecurity activities ranging from those outlined in CISA’s first international “CISA Global” strategy to the U.S. Coast Guard’s Strategic Outlook to protect and operate in cyberspace, an inherently international effort. Most of the cybercrime investigations that the Secret Service and Immigration and Customs Enforcement-Homeland Security Investigations (HSI) pursue every day also include a transnational dimension that requires cooperation with law enforcement partners around the globe.
In addition to the series of 60-day sprints, the Secretary will focus on four ongoing priorities: (1) cementing the resilience of democratic institutions, including the integrity of elections and institutions outside of the executive branch, (2) building back better to strengthen the protection of civilian federal government networks, (3) advancing a risk-based approach to supply chain security and exploring new technologies to increase resilience, and (4) preparing for strategic, on-the-horizon challenges and emerging technology such as the transition to post-quantum encryption algorithms.
Research and Development
DHS’s Science and Technology Directorate (S&T) plays a pivotal role in supporting the cybersecurity strategy. By conducting research and development in risk identification, vulnerability reduction, threat reduction, and consequence mitigation, S&T helps strengthen the nation’s ability to detect and defend against cyberattacks.
- Risk Identification: S&T’s projects focus on innovative technologies to predict, attribute, and potentially mitigate network disruptive events.
- Vulnerability Reduction: The Critical Infrastructure Design and Adaptive Resilient Systems project supports cross-sector cybersecurity risk assessments.
- Threat Reduction: Projects like Anonymous Networks and Currencies and Cyber Forensics aid law enforcement agencies in investigations.
- Consequence Mitigation: The Cyber Physical System Security project ensures security is integrated into the design of cyber physical systems, like the Internet of Things, while they are being built.
S&T’s Application of Network Measurement Science (ANMS) project
The Application of Network Measurement Science (ANMS) project is a Department of Homeland Security (DHS) Science and Technology Directorate (S&T) initiative that is developing innovative technologies to enhance the nation’s cybersecurity capabilities. The project focuses on developing tools and techniques for network measurement science, which is the study of how networks behave and how to effectively measure their performance and security. The goal of the ANMS project is to provide DHS and other government agencies with the ability to:
- Identify and classify network/internet disruptive events
- Report and predict network/internet disruptive events
- Provide attribution for network/internet disruptive events
- Mitigate network/internet disruptive events
The ANMS project is developing a variety of technologies to achieve these goals, including:
- Network traffic analysis tools
- Network intrusion detection systems
- Network anomaly detection systems
- Network forensics tools
The ANMS project is also developing a cyber defense toolkit that will provide DHS and other government agencies with a suite of tools to protect their networks from cyberattacks. The toolkit will include tools for:
- Network vulnerability assessment
- Network penetration testing
- Network security incident response
Next Generation Cyber Infrastructure Apex program
The Next Generation Cyber Infrastructure Apex program is a Department of Homeland Security (DHS) Science and Technology Directorate (S&T) initiative that is addressing the cyber challenges facing the nation’s critical infrastructure sectors. The program is focused on developing and deploying next-generation cybersecurity solutions that will enable critical infrastructure entities to operate effectively even in the face of sophisticated, targeted cyberattacks. The Apex program is working with a variety of stakeholders, including critical infrastructure owners and operators, industry partners, and academia, to develop and deploy these solutions. The program is also working with DHS and other government agencies to ensure that these solutions are integrated into the nation’s cybersecurity framework.
The Apex program is focused on three key areas:
- Cybersecurity risk assessment and management
- Cybersecurity incident response
- Cybersecurity supply chain security
The Apex program is developing a variety of tools and techniques to address these areas, including:
- Cybersecurity risk assessment tools
- Cybersecurity incident response playbooks
- Cybersecurity supply chain security guidance
The Apex program is also developing a cybersecurity training and education program to help critical infrastructure entities develop the skills and knowledge they need to protect their networks from cyberattacks.
Both the ANMS project and the Apex program are important initiatives that are helping to improve the nation’s cybersecurity posture. These programs are developing innovative technologies and solutions that will help to protect critical infrastructure, identify and mitigate network/internet disruptive events, and provide attribution for cyberattacks.
The Cybersecurity Research Infrastructure program (CRI) plays a crucial role in supporting various cybersecurity R&D projects, including the Application of Network Measurement Science (ANMS) project and the Next Generation Cyber Infrastructure Apex program. CRI consists of two key components: the Information Marketplace for Policy and Analysis of Cyber-risk & Trust (IMPACT) and the Experimental Research Testbed (ERTB).
Information Marketplace for Policy and Analysis of Cyber-risk & Trust (IMPACT)
IMPACT serves as a centralized platform for the global cyber-risk research community to access and share real-world data, information, tools, models, and methodologies. It facilitates collaboration and knowledge exchange among researchers, enabling them to conduct more comprehensive and impactful studies.
IMPACT’s key functions include:
- Data curation and dissemination: IMPACT collects, curates, and disseminates cybersecurity data from various sources, ensuring its accuracy, reliability, and accessibility to researchers.
- Tool and methodology development: IMPACT supports the development of innovative tools and methodologies for cybersecurity research, providing researchers with the necessary resources to conduct their studies effectively.
- Knowledge sharing and collaboration: IMPACT facilitates knowledge sharing and collaboration among cybersecurity researchers through workshops, conferences, and online forums, fostering a vibrant research community.
By providing a centralized hub for cyber-risk research resources, IMPACT accelerates the advancement of cybersecurity knowledge and enables researchers to address critical cybersecurity challenges more effectively.
Experimental Research Testbed (ERTB)
The ERTB provides a secure and controlled environment for cybersecurity researchers to test their advanced defense solutions against live threats on a “virtual internet.” This allows researchers to evaluate the effectiveness of their solutions without endangering other research or the wider internet.
The ERTB’s key features include:
- Isolation and security: The ERTB is isolated from the public internet, ensuring that researchers’ experiments do not inadvertently harm other networks or research projects.
- Real-world threat emulation: The ERTB enables researchers to test their solutions against a variety of real-world cyber threats, providing a realistic assessment of their effectiveness.
- Flexible experimentation: The ERTB allows researchers to configure and customize their experiments, providing them with the flexibility to test their solutions under different scenarios.
By providing a safe and controlled environment for experimentation, the ERTB accelerates the development and validation of innovative cybersecurity solutions, enabling researchers to bring their ideas to life and protect against evolving cyber threats.
In conclusion, the Cybersecurity Research Infrastructure program, with its IMPACT and ERTB components, plays a vital role in supporting cybersecurity R&D projects and advancing the field of cybersecurity. By facilitating data sharing, tool development, knowledge exchange, and safe experimentation, CRI empowers researchers to tackle critical cybersecurity challenges and contribute to a safer digital world.
Conclusion
DHS’s comprehensive cybersecurity strategy, including the 60-day sprints, the Cyber Safety Review Board, and research and development initiatives, demonstrates a concerted effort to secure the digital future of the United States. The department’s commitment to addressing cyber threats underscores the importance of collective cybersecurity efforts. As threats continue to evolve, DHS is focusing on resilience, redundancy, and adaptation to protect the nation’s digital infrastructure. The battle against cyber adversaries is ongoing, but with these measures, the United States is sending a clear message: cyber threats will not be tolerated.
References and Resources:
https://www.dhs.gov/news/2018/04/17/secretary-kirstjen-m-nielsen-remarks-rsa-conference