May 22 2018

DHS’ New Cybersecurity Strategy Highlights Risk Prioritization

The long-awaited strategy document says that DHS must stay agile and innovative in using technology to combat cybersecurity threats.

Cybersecurity threats to the federal government are not going away anytime soon, and IT security needs to be a key element of technology modernization efforts.

Most federal IT leaders would agree with those statements. They also happen to now be codified in policy issued by the Department of Homeland Security, which on May 15 issued a long-awaited update to its cybersecurity strategy. The document, which will guide DHS’ approach to cybersecurity over the next five years, emphasizes that not all cybersecurity risks are equal, and that it and other agencies must prioritize those risks in their approach.

Another key element of the strategy is that DHS must lead by example and focus on innovative technology solutions to fight back against cybersecurity threats.

“The cyber threat landscape is shifting in real time, and we have reached a historic turning point,” DHS Secretary Kirstjen Nielsen said in a statement. “Digital security is now converging with personal and physical security, and it is clear that our cyber adversaries can now threaten the very fabric of our republic itself.”

The strategy is broken out into five pillars, with seven goals under those pillars. The pillars are: risk identification; threat reduction; vulnerability reduction; consequence mitigation; and enabling cybersecurity outcomes.

And the goals are: assess evolving cybersecurity risks; protect federal government information systems and critical infrastructure; prevent and disrupt criminal use of cyberspace; respond effectively to cyber incidents; strengthen the security and reliability of the cyber ecosystem; and improve the management of DHS cybersecurity activities.

The strategy is also a long time in coming. As FCW notes, the National Defense Authorization Act in 2016 directed DHS to develop a departmental cybersecurity strategy and submit it to Congress within 90 days of the act’s passage — meaning it was due in March 2017.

The strategy also comes as the White House decided to eliminate the position of cybersecurity coordinator from the National Security Council, a decision some lawmakers are pushing back on.


Risk Prioritization Sits at the Heart of DHS’ Cybersecurity Strategy

Roughly a year ago, President Donald Trump signed an executive order on cybersecurity that set the tone for the administration’s approach to federal IT security, one that emphasized risk management and prioritization. Under the order, agency heads were made accountable by Trump “for implementing risk management measures commensurate with the risk and magnitude of the harm that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of IT and data.”

That spirit is carried into the DHS strategy, with risk prioritization being one of its seven “guiding principles.”

“The foremost responsibility of DHS is to safeguard the American people and we must prioritize our efforts to focus on systemic risks and the greatest cybersecurity threats and vulnerabilities faced by the American people and our homeland,” the document states.

Another such principle is cost effectiveness. “Cyberspace is highly complex and DHS efforts to increase cybersecurity must be continuously evaluated and reprioritized to ensure the best results for investments made,” the strategy notes.

In looking across the federal enterprise and in protecting its own information systems, the strategy says that DHS “must address the greatest risks first and focus on the highest impact systems, assets, and capabilities.” DHS must identify the most critical systems and prioritize protections around those systems and use cost-effective approaches that “both get the most risk reduction leverage and ensure maximum return for investment.”

“DHS must exhibit leadership through direct action and offerings, but also through collaboration with other agencies and stakeholders to pursue innovations like changes in federal information technology and procurement policies, improved analysis, and better operational planning,” the strategy says.

DHS says it must continue to closely collaborate with agencies, including the Office of Management and Budget, the General Services Administration and the National Institute of Standards and Technology, as well as those responsible for protecting military and intelligence networks, to deliver cybersecurity outcomes for the federal enterprise.

DHS Emphasizes Technological Innovation to Enhance Cybersecurity

Another key element of the strategy is that DHS will lead other agencies by example in how it approaches cybersecurity, especially when it comes to deploying innovative technologies.

Cyberspace is an evolving domain with risks that are constantly developing and surfacing. “Although the proliferation of technology leads to new risks, it also provides an opportunity for innovation,” the document states. “DHS must lead by example in researching, developing, adapting, and employing cutting-edge cybersecurity capabilities and remain agile in its efforts to keep up with evolving threats and technologies.”

DHS must maintain an adequate level of security for its own systems, the strategy notes, adding that many DHS information systems remain largely decentralized and are operated by agency components “without a standardized cybersecurity approach or methodology.”

As a result, DHS “must undertake a systematic effort to assess our information systems at greatest risk, and to ensure that appropriate protective capabilities and methodologies are in place to secure sensitive information while enabling critical mission functions,” the document says.

DHS must adopt a more unified approach to securing its own information systems and, “where appropriate, deploy standardized, cost-effective, and cutting-edge capabilities across high-value departmental information systems.”

Like other agencies, DHS plans to increasingly leverage cloud and shared services, and as it does so, the agency “must continue to develop and pilot emerging capabilities, tools, and practices to more effectively detect and mitigate evolving threats and vulnerabilities in a timely fashion and ensure that our cybersecurity approaches are flexible and dynamic enough to counter determined and creative adversaries,” the document says.

“DHS must serve as a first adopter and model for other agencies as we work to modernize our information technology and the entire federal enterprise,” the report notes.
