07 Jun The New DHS Cybersecurity Strategy: Identifying the Challenges and Possible Solutions
By John Harrison, Senior Cybersecurity Solutions Architect, Criterion Systems
The US Department of Homeland Security (DHS) recently published its five-year cybersecurity strategy, which outlines its key goals, objectives, and desired outcomes. The DHS is responsible for protecting the “.gov” domain across the federal government and includes some state and local governments as well. In addition, they are a major key supporting element responsible for helping protect 16 different critical infrastructure sectors.
The scale of this task and the level of responsibility is no small undertaking and has been met with some expected challenges. After reading though the strategy, these challenges stood out to me and supports what Brian Rodger, Director of Cyber Operation at Criterion Systems, discussed in his recent article on Nextgov, which is that “The Federal government continues to struggle implementing the most basic and fundamental building blocks of an effective cybersecurity program.”
Implementing and managing fundamental security building blocks at such an enormous scale will be — and already has been — met with political, bureaucratic, and budgetary challenges. Furthermore, DHS will have trouble implementing a cross-agency strategy across the federal government unless they are empowered to incentivize agencies to comply and, on the flip-side, be able to enforce consequences that matter for those who choose not to comply. I would like to summarize what DHS is calling for and what I believe needs to be standardized across the federal government’s “.gov” domain.
Understanding the Threats that Attempt to Exploit the Seams and Gaps
Everyone operating large, complex networks and IT environments such as DHS has vulnerabilities, inherent weaknesses, and aging computing resources. Certainly, DHS is researching and assessing how adversaries are targeting and attempting to — or successfully — exploiting these weaknesses, and probably has a good idea at the practitioner level of who is targeting what and when. However, questions remain. How is that threat intelligence being reported? Is it done in a way that can help create business cases that convert into investment?
If DHS is going to work to mature cybersecurity practices across many organizations, it must adopt a standard language and framework to be able to visualize and communicate the threat to business leaders, who then decide where budget and resources are allocated. The federal government has funded a lot of research in this area and one result is the MITRE Att&ck matrix, a knowledge base that displays and communicates the following (among other techniques):
- What pre- and post-attack Tactics, Techniques, and Procedures (TTPs) are being used by category as well as the phase in the cyber kill-chain
- What malicious cyber actor groups are using those TTPs
- What remediation, mitigations, and best practices could be deployed to prevent, detect, and respond to those TTPs
However, the real power of this framework and dataset is the ability to apply it to your own organization. For example, DHS cybersecurity staff could use a filter on cyber actor groups that have or may target DHS equities. With a filtered list of TTPs, they could audit security capabilities to determine if they could prevent and detect those TTPs and at what confidence level. This is one way to provide gap analysis using a standardized and proven approach to prioritize and implement projects across the federal government.
Enterprise Governance, Risk, and Compliance Done Right and At Scale
DHS has also indicated that they will standardize cybersecurity processes using Enterprise Governance, Risk and Compliance (eGRC). For this to be done right, leadership across the federal government will need to agree on fundamental guiding principles to ensure the intent is not to punish, but rather to inform. No one likes to air out their dirty laundry to others, yet within the strategy, this is exactly what DHS wants organizations to do when they ask them to communicate threat information. However, it is the only way for DHS to help improve security: If they don’t know where the weaknesses are, you can be sure an adversary will find them and either tell the entire world or — worse — keep it to themselves to use as leverage for the future.
An eGRC cybersecurity framework must ensure that the fundamental security functions such as Assessment and Authorization packages are completed correctly, monitoring plans are being conducted, vulnerabilities are being patched or mitigated, capability gaps are converted to projects, and projects are resourced and on-schedule. The federal government does not need more standards to do this work. We have NIST 800-53, libraries of cyber best practices and SOPs, Security Technical Implementation Guides, and other documents that guide activities and identify proper outcomes.
Other building blocks that many federal agencies still struggle with include knowing every asset processing, storing, or transmitting federal government data that needs to be protected. With a basic understanding of what requires protection, categorized based on criticality combined with who is targeting you and with what TTPs, it becomes much more manageable to prioritize tasks and assign resources to maximize the return on investment. Some of the benefits that DHS can achieve with such a capability include the following:
- Security configuration guides and standards across the federal enterprise
- Updated and continuous monitoring of cybersecurity postures across the government via standard cybersecurity data feeds and processes
- The sharing of information as it’s happening
- Extending tool best practices and mitigations across agencies as risk and mitigation plans are reported up and assigned resources
- Closing the gaps, perhaps based on the use of the MITRE Att&ck matrix as previously discussed
Training and Information Sharing
It is no secret that we have a huge cybersecurity talent shortage. DHS seeks and will continue to compete for this talent. Furthermore, they want to help build capacity for partners within the US and around the world. The two most obvious ways to overcome this challenge are through training and information sharing. The sharing of capabilities, tools, and playbooks will play an essential role in defending the vast number of complex decentralized networks at DHS.
Historically, DHS has not put enough emphasis on training its partners on the tools and frameworks that are being pushed out into production, leaving many agencies frustrated and unsure of what to do with the capabilities and information from an operational perspective. For the DHS cybersecurity strategy to work, these tools and information aids must come with a large training component and the tools themselves should be flexible enough to be used internally as well as for reporting up to the global enterprise.
Diplomacy and Information Campaigns
Lastly, DHS intends to deter cyberattacks through law enforcement activities. This will be challenging to do since most malicious cyber actors are operating outside of the United States and in countries that are not necessarily cooperative with the US. DHS should seek to integrate operations with the FBI and not attempt to recreate capabilities. The FBI has done a tremendous job in building up their cyber units and remains heavily under resourced as a result of increased demand. Furthermore, DHS and other government agencies should place more emphasis on information campaigns and diplomacy to deter cybercrime and attacks.
An example DHS could follow is the anti-tobacco campaign. Smoking use to be cool in the US, but now it is seen in a vastly different way because we are fully aware of all the harmful effects it causes. However, people still smoke and when non-smokers see smokers huddled in small areas they think to themselves: why are they harming themselves? The results of this campaign are clear:
- Smoking isn’t cool anymore and smoking in the US has dramatically gone down over the past decade
- Smokers usually crowd around other smokers so they are easy to spot.
The question here is how can DHS and other federal government agencies make malicious cyber operations socially unacceptable and divert that talent around the world towards making the world a better place?