In the United States, the federal Department of Homeland Security (DHS) has released a strategy on its approach to identifying and managing national cybersecurity risk. The DHS speaks of a Department-wide approach to address the evolving threats to the US cyber and critical infrastructure security.
Directed by the National Defense Authorization Act of 2017, this strategy addresses strategic and operational goals and priorities for a unity of effort.
DHS Secretary Kirstjen Nielsen said: “The cyber threat landscape is shifting in real-time, and we have reached a historic turning point. Digital security is now converging with personal and physical security, and it is clear that our cyber adversaries can now threaten the very fabric of our republic itself. That is why DHS is rethinking its approach by adopting a more comprehensive cybersecurity strategy. In an age of brand-name breaches, we must think beyond the defense of specific assets—and confront systemic risks that affect everyone from tech giants to homeowners. Our strategy outlines how DHS will leverage its unique capabilities on the digital battlefield to defend American networks and get ahead of emerging cyber threats.”
It sets out a five-prong approach:
Risk Identification: Assess the evolving cybersecurity risk posture to inform and prioritise risk management.
Vulnerability Reduction: Protect federal government information systems by reducing the vulnerabilities of agencies to ensure they achieve adequate cybersecurity.
Threat Reduction: Reduce national cyber threats by countering transnational criminal organizations and sophisticated cyber criminals.
Consequence Mitigation: Respond to cyber incidents to thereby minimise consequences from potentially significant cyber incidents through coordinated community-wide response efforts.
Enable Cybersecurity Outcomes: Strengthen the security and reliability of the cyber ecosystem by supporting policies and activities that enable improved global cybersecurity risk management.
Comment
Andrew Lloyd, President of Corero Network Security, called it a well-considered and thorough top-down strategy. “The DHS has defined a more comprehensive Critical Infrastructure (CI) definition than that adopted in the UK/EU within the NIS Directive. With DDoS being the cyber-criminals tool of choice against both CI and government, DHS will need to swiftly convert this strategy in to action to protect against this threat. Ironically, onerous and restrictive Federal Government procurement policies may prove to be a significant barrier to DHS being able to select the most effective technologies to mitigate DDoS and other high risk cyber-threats.”
