DHS cyber strategy to land by mid-May
- By Mark Rockwell
- Apr 26, 2018
The Department of Homeland Security will issue a national cybersecurity strategy in mid-May, the DHS chief told a key House committee oversight hearing.
"It will be shortly, within the next two weeks," DHS Secretary Kirstjen Nielsen told the ranking member of the House Homeland Security Committee on April 26 during a full committee hearing on the agency's fiscal 2019 budget request.
The strategy's release has been anticipated in the last month, but the official deadline has long passed. The National Defense Authorization Act in 2016 directed the DHS secretary to develop a departmental cybersecurity strategy and submit it to Congress within 90 days of the act's passage. The strategy's official due date was over a year ago.
Committee Ranking Member Rep. Bennie Thompson (D-Miss.) pressed Nielsen on a firm date for the strategy's release.
Earlier this month, Defense Department officials had said it could be released this summer. Nielsen referenced the strategy in an April 17 speech at the RSA Conference in San Francisco.
"We wanted to make sure we had stakeholders involved" in the strategy, she said. Nielsen said the strategy will rest on four pillars: identifying risks, reducing threats, reducing vulnerabilities and mitigating consequences.
Nielsen also said DHS was paying attention to bug bounty legislation wending its way through Congress. The Senate passed such a bill. Homeland Security Committee member Rep. James Langevin (D-R.I.) is sponsoring similar legislation.
Langevin noted that some at DHS "have criticized the idea as being premature without robust vulnerability triage processes."
Nielsen said that "a bug bounty program is a very important tool. It's not a silver bullet, but nothing is. It’s an important tool. We look forward to learning the lessons that [the Defense Department] has learned in their own [program]. We're watching the legislation that's going through Congress very closely, and we will prepare on our side the resources and planning to respond to what we find out through the bug bounty program."
Langevin also pressed Nielsen on whether the DHS was currently able to accept bug reports for vulnerabilities within DHS networks and systems.
Nielsen said she would work with Langevin and Congress to develop a vulnerability disclosure program to cover DHS systems, but she also said that the National Cybersecurity and Communications Integration Center and US-CERT can field inquiries about possible DHS vulnerabilities.
Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.
Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.
Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.