The recent DHS Cybersecurity Strategy was released at a crucial time when today’s cyberspace has become a new frontier for warfare for both nation states and criminal hackers. And as we continue to move into an era of digital transformation and interconnectedness, there is increasing concern among organizations and average citizens around the security of sensitive data.
The DHS Cybersecurity Strategy is a well-thought-out framework with five pillars of cybersecurity goals to support critical infrastructure, government networks and non-government entities. The first pillar involves the discovery and understanding of the ever-evolving cyberthreat environment, and the second flows into vulnerability and threat reduction. These approaches are sound in theory, but may prove to be more difficult when applied by large bureaucratic organizations that take months or even years to effect change. The key to successfully applying the first two pillars of the strategy includes evaluating cyberthreats quickly and mitigating risks or remediating threats swiftly. In doing so, organizations must resist paralysis from existing procedures that do not operate at speeds appropriate to respond to the current cyberthreat landscape. Innovation is crucial, and it is critical that organizations use tools that not only monitor and discover threats, but also protect cyber infrastructure.
The next three pillars in the cybersecurity strategy focus on threat reduction, consequence mitigation and enabling cybersecurity outcomes. These pillars are well designed and show that the DHS realizes that to be effective they will require a great deal of interagency collaboration. The DHS’ effort to take a leading role in threat deterrence and cyber incident response should be well received if they lead by example within their own infrastructure and communicate openly and often with partner organizations. Interagency trust will take time, but as relationships mature they will speed up incident response times and help with deterrence. With the reality of today’s digital connectedness and Internet of Things (IoT), it is important to specifically call out the fifth pillar: “Objective 6.1 – Foster improved cybersecurity in software, hardware, services, and technologies, and the building of more resilient networks.” The DHS does well in suggesting a need to stop treating security as an afterthought when constructing software, hardware, services and technologies. We need to encourage manufacturers and suppliers to create “trusted” products that are secure and come from secure supply chains. This will be an ongoing challenge to address but continued education and awareness should drive suppliers to deliver more secure solutions based on customer demand.
All in all, the DHS Cybersecurity Strategy provides a solid framework for cybersecurity. However, there are some areas that were not highlighted in the strategy, but will hopefully mature and evolve in the near future, including:
A shift in focus from an “outside in” to an “inside out” security model – With the new paradigm of digital connectedness, too many organizations are overemphasizing perimeter defense, which continues to lead to data breaches. A change needs to happen, not to eliminate perimeter defense, but to shift the focus to placing protection closer to data.
“Enforced” least privilege access – Organizations should practice the principle of “enforced” least privilege access. Least privilege access is the concept of limiting user profile privileges on a computer. While this principle has been around for a long time, it was historically set only as a policy, with little ability to provide technical enforcement. However, there are tools currently available that allow organizations to provide “enforced” least privilege access, ensuring that only authorized users can access data.
Cyber accountability from the top down – Far too many organizations are focused on simply checking compliance boxes rather than actually improving security. Without holding organizations accountable from the top down, the same problem will continue to occur, especially within the public sector. Organization leaders strive for compliance without understanding what the mandate is trying to achieve, and often feel that once compliant, they are absolved of their security responsibilities. For a long time, it was widely believed that IT departments were solely responsible for cybersecurity, but it needs to be realized that it is everyone’s responsibility. By holding organizations accountable from the top down, leaders are more likely to instill a culture of organizational accountability.
Organizations taking responsibility for data in the cloud – For a while, the government has been pushing towards cloud adoption. While it may be cost effective, it needs to be made clear that organizations are still responsible for their data in the cloud, and failure to properly secure that data may make the cloud a far more expensive option. There are several ways to mitigate risk and secure data based on ownership in the cloud, and it is crucial that organizations do not rely solely on cloud providers for data protection.
The release of the DHS strategy is certainly a step in the right direction. My hope is that it continues to evolve to further emphasize the tightening of IT infrastructures, possible counter attacks and the importance of continued sharing of threat data between organizations.