Policy

Homeland Security, Cybersecurity and Silos

Administration looks for ways to strengthen cyberattack defenses

Homeland Security Secretary Kirstjen Nielsen said her department is working on a new cybersecurity strategy that can be applied in both the public and private sectors. (Bill Clark/CQ Roll Call file photo)

SAN FRANCISCO — The Homeland Security Department is working on a cybersecurity strategy that aims to strengthen the overall digital economy’s defenses against cyberattacks, Secretary Kirstjen Nielsen said at a cybersecurity conference here on Tuesday.

The strategy “will bolster our digital defenses by prioritizing enhancements in risk identification, vulnerability reduction, threat reduction, and consequence mitigation,” Nielsen said without identifying when the strategy is likely to be made public. “We must be more aware of vulnerabilities built into the fabric of the internet, and other widespread weaknesses.”

DHS has been working to update the U.S. cybersecurity strategy since President Donald Trump signed an executive order last May calling for strengthening the cybersecurity of federal networks and critical infrastructure sectors in the country. Tom Bossert, the White House counterterrorism and cybersecurity coordinator, last October said the strategy would likely include “punitive steps and measures” the United States would take.

The administration’s cybersecurity strategy could be delayed because top White House officials involved in the effort have quit recently. Bossert has resigned from his White House in a reshuffle after John Bolton replaced Lt. Gen. H.R. McMaster as national security adviser. Bossert’s deputy, Rob Joyce, also has resigned and has decided to return to his previous role at the National Security Agency.

Speaking here at the annual RSA Conference, Nielsen said the administration wanted to move away from addressing security weaknesses in specific industrial sectors to a broader approach.

“We cannot afford to get stuck in silos and focus only on vulnerabilities within specific sectors, assets, and systems,” Nielsen said. “We must also prioritize securing essential functions across sectors, including those executed through multiple assets and systems.”

To do that, DHS is working with “users, buyers, tech manufacturers, and others to hunt down unseen security gaps — and to share actionable information that will help close them,” Nielsen said. The effort involves identifying companies that make smaller components, which may have unaddressed security gaps that could make larger systems vulnerable to attack.

Nielsen said the new strategy is intended to help the United States quickly dismantle illicit cyber networks and respond faster to attacks. “We need your help,” she said. “The bad guys are crowd-sourcing their attacks, so we need to crowd-source our response.”

Nielsen said critical computer systems must be designed with enough redundancy so they can absorb a cyberattack without collapsing.

“Systems should be designed so that parts can function offline — “unplugged” — without a requirement to take down the entire system or network,” Nielsen said, highlighting the recent attack on the City of Atlanta where a cyberattack took down systems for collecting taxes and issuing parking fines.

Before Nielsen began speaking, a consortium of 34 tech companies including Facebook, Microsoft, Nokia, LinkedIn, Oracle and others announced that they had reached agreement among themselves to work together to share information on attacks and protect users everywhere in the world.

The group, however, said its members “will not help governments launch cyberattacks against innocent citizens and enterprises.”

Microsoft President Brad Smith, speaking at the RSA Conference, said governments of the world needed to come together to develop a new Geneva Convention for the digital economy, similar to what the world powers did after the end of World War II, which codified norms to protect civilians during armed conflict.

The group also pledged to “design, develop and deliver products and services that prioritize security, privacy, integrity and reliability, and in turn reduce the likelihood, frequency, exploitability and severity of vulnerabilities.” The group said its effort will include “stronger protections of democratic institutions and processes around the world.”

Some of the world’s largest tech companies that were notably absent from the 34-member consortium included Google, Amazon and Apple.

Watch: Facebook CEO’s First Hill Hearing

Get breaking news alerts and more from Roll Call on your iPhone or your Android.