DHS releases cyber strategy


The Department of Homeland Security released its long-awaited cyber strategy May 15.

The document, which will guide DHS policy for the next five years, articulates the department's cybersecurity role as almost entirely defensive in nature. It lays out five "pillars" of managing cybersecurity risk: understanding the evolving nature of threats from state and non-state actors, protecting federal networks and critical infrastructure sectors, countering transnational criminal hacking groups, imposing consequences on nation states for malicious cyber activity and globally promoting best practices around cybersecurity.

The strategy also lists a series of guiding principles, from making cost-effective investments and prioritizing systemic risks to the cyber ecosystem to ensuring that any actions taken to protect the country minimize disruption to commerce and innovation and take into account national values like privacy and civil liberties.

Cybersecurity will continue to be a shared responsibility between DHS, the Office of Management and Budget and individual agencies, with agencies handling key aspects of risk management while DHS provides "tailored capabilities, tools and services to protect legacy systems as well as cloud and shared infrastructure."

However, DHS notes that "it is necessary to further refine and clarify" the roles and responsibilities of each party, and it acknowledges the department could do more to support OMB's policy development and federal cybersecurity oversight role as well as develop clear accountability metrics for individual agencies.

The department also must improve the way it integrates information from existing capabilities. Two of the department's crown jewel programs, the Automated Indicator Sharing program and Continuous Diagnostics and Mitigation, are designed to leverage such information from the private sector and federal agencies respectively, but both programs have been plagued by delays and low participation rates.

The strategy also calls for DHS to build on and expand automated mechanisms "to receive, analyze, and share cyber threat indicators, defensive measures, and other cybersecurity information."

The federal government writ large is seeking to take advantage of its unique stockpiles of data. In a May 3 speech, Federal CIO Suzette Kent called for more agencies to embrace automation and analytics, saying "we have the best data in the world."

The document does not specifically mention or reference election security -- a topic which has become one of the most high-profile examples of the department's expanding cyber mission after it formally designated election systems as critical infrastructure in 2017.

In his confirmation hearing, Chris Krebs, acting undersecretary for DHS' cyber department, called election security his "top priority" if confirmed.

Two Democrats on the House Homeland Security Committee, Reps. Bennie Thompson (D-Miss.) and Cedric Richmond (D-La.), called the strategy "an important and promising framework" but homed in on the omission of election security and criticized the department for punting on many key issues of cybersecurity policy.

"Unfortunately, the Strategy arrived 14 months late and primarily identifies policies and procedures the Department needs to further develop and more clearly articulate its doctrine."

About the Author

Derek B. Johnson is a former senior staff writer at FCW.

