DHS releases cyber strategy

The Department of Homeland Security released its long-awaited cyber strategy May 15.

The document, which will guide DHS policy for the next five years, articulates the department's cybersecurity role as almost entirely defensive in nature. It lays out five "pillars" of managing cybersecurity risk: understanding the evolving nature of threats from state and non-state actors, protecting federal networks and critical infrastructure sectors, countering transnational criminal hacking groups, imposing consequences on nation states for malicious cyber activity and globally promoting best practices around cybersecurity.

The strategy also lists a series of guiding principles, from making cost-effective investments and prioritizing systemic risks to the cyber ecosystem to ensuring that any actions taken to protect the country minimize disruption to commerce and innovation and take into account national values like privacy and civil liberties.

Cybersecurity will continue to be a shared responsibility between DHS, the Office of Management and Budget and individual agencies, with agencies handling key aspects of risk management while DHS provides "tailored capabilities, tools and services to protect legacy systems as well as cloud and shared infrastructure."

However, DHS notes that "it is necessary to further refine and clarify" the roles and responsibilities of each party, and it acknowledges the department could do more to support OMB's policy development and federal cybersecurity oversight role as well as develop clear accountability metrics for individual agencies.

The department also must improve the way it integrates information from existing capabilities. Two of the department's crown jewel programs, the Automated Indicator Sharing program and Continuous Diagnostics and Mitigation, are designed to leverage such information from the private sector and federal agencies respectively, but both programs have been plagued by delays and low participation rates.

The strategy also calls for DHS to build on and expand automated mechanisms "to receive, analyze, and share cyber threat indicators, defensive measures, and other cybersecurity information."

The federal government writ large is seeking to take advantage of its unique stockpiles of data. In a May 3 speech, Federal CIO Suzette Kent called for more agencies to embrace automation and analytics, saying "we have the best data in the world."

The document does not specifically mention or reference election security -- a topic which has become one of the most high-profile examples of the department's expanding cyber mission after it formally designated election systems as critical infrastructure in 2017.

In his confirmation hearing, Chris Krebs, acting undersecretary for DHS' cyber department, called election security his "top priority" if confirmed.

Two Democrats on the House Homeland Security committee, Reps. Bennie Thompson (D-Miss.) and Cedric Richmond (D-La.), called the strategy "an important and promising framework" but homed in on the omission of election security and criticized the department for punting on many key issues of cybersecurity policy.

"Unfortunately, the Strategy arrived 14 months late and primarily identifies policies and procedures the Department needs to further develop and more clearly articulate its doctrine."

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at, or follow him on Twitter @derekdoestech.
