The Department of Homeland Security has unveiled a new national strategy for addressing the growing number and scope of cyber security risks the nation confronts, and for bringing new security and resiliency to the Internet. Its 30-plus-page US DHS Cybersecurity Strategy details some specifics and also sets broad goals for addressing these threats, including to:
- better identify digital risks,
- reduce threats and vulnerabilities,
- mitigate the consequences of cyberattacks, and
- enable cybersecurity outcomes by making infrastructure more resilient and improving DHS management of the cyber portfolio.
In response, cybersecurity experts commented below.
Michael Magrath, Director, Global Regulations & Standards at VASCO Data Security:
“The strategy includes DHS expanding efforts to encourage adoption of applicable cybersecurity best practices, including NIST’s Framework for Improving Critical Infrastructure Cybersecurity. With the financial sector being one of the nation’s critical infrastructure sectors it is my expectation that best practices implemented by several banks will be advanced by DHS to make our critical infrastructure resilient to cyberattacks. This includes a movement away from vulnerable static passwords to risk-based, biometric adaptive authentication technologies. Frictionless authentication technologies will enable the nation to balance usability with security while simultaneously protecting privacy. It is well documented that too many organizations and their employees and customers have had their personally identifiable information stolen due to compromised passwords.”
Ray DeMeo, Chief Operating Officer at Virsec:
“It’s important that the DHS has finally published its cybersecurity strategy, but by definition, this is high-level. For the most part, these are sensible recommendations. What’s critical now is making this strategy actionable. One of the document’s guiding principles is to foster innovation and agility – this is a big ask, where existing time horizons must be reduced from years down to months. We need to dramatically accelerate collaboration with the private sector, where meaningful security innovation is happening daily, if we are going to change the asymmetric nature of today’s threat landscape.
“Cybersecurity is an inherently global issue and it’s good that the DHS strategy recognizes the need for a “global approach with robust international engagement.” But it’s as yet unclear how an agency with a domestic mandate is going to effectively engage globally. The reality is that a large portion of internet crime is driven from the international “wild west”, from areas with lax law enforcement or actual nation-state sponsorship. This problem is as much diplomatic as it is technological.”
Andrew Lloyd, President at Corero Network Security:
“This is a well-considered and thorough top-down strategy. The DHS has defined a more comprehensive Critical Infrastructure (CI) definition than that adopted in the UK/EU within the NIS Directive. With DDoS being the cyber-criminals’ tool of choice against both CI and government, DHS will need to swiftly convert this strategy into action to protect against this threat. Ironically, onerous and restrictive Federal Government procurement policies may prove to be a significant barrier to DHS being able to select the most effective technologies to mitigate DDoS and other high-risk cyber-threats.”