DHS floats 'collective defense' model for cybersecurity

The upcoming White House national cybersecurity strategy will empower the Department of Homeland Security to more forcefully respond to cyber threats directed at the private sector and critical infrastructure entities, according to agency chief Kirstjen Nielsen.

Nielsen said that DHS was set to adopt "a more forward-leaning posture" when it comes to defending U.S. cyberspace assets from nation-states, arguing that a more forceful response is needed to deter nation-state adversaries.

"If the past year has shown us anything, it is that our cyber enemies are bolder, more brazen and savvier than ever before," Nielsen said in an April 17 speech at the RSA Conference in San Francisco. Citing attacks like WannaCry and NotPetya, Nielsen said that adversaries "seem to believe the digital realm is fair game for nefarious activity, and they are often indifferent to collateral damage."

DHS plans to directly offer additional cybersecurity services to private companies and critical infrastructure entities. DHS already shares threat information through programs like automated indicator sharing, but it is looking to more fully share DHS security tools with companies and infrastructure organizations.

Nielsen compared the idea to the Financial Systemic Analysis and Resilience Center in the financial sector, where the Department of Treasury, DHS and the FBI teamed up with financial firms and banks to coordinate and mitigate systemic risk across the entire sector.

"I encourage other sectors to work with us to emulate the FSARC model and drive towards collective defense," Nielse said.

The move is in line with a strategy floated last year, when a DHS cybersecurity official told FCW that the department was looking to enter into more proactive cooperative agreements with Section 9 critical infrastructure organizations to share information and combat cyberthreats.

Nielsen also outlined a handful of aspects of the department's approach to cybersecurity that are expected to change with the strategy. Those changes include working to gain a greater appreciation of interconnected, systemic risks within the digital ecosystem and identifying pressure points where a successful cyberattack could have "cascading effects" across multiple sectors and industries.

"An attack on the financial system, for instance, can quickly have an effect on the energy grid, which can affect water systems, which can affect agriculture," Nielsen said.

The department also wants to rethink the federal government's role in fostering better cybersecurity practices among device manufacturers. She flagged the burgeoning market for internet-connected devices, particularly products on the lower end of the price scale, as a growing problem.

Too often manufacturers are in a rush to be first to market and thus are incentivized to design and build products quickly rather than securely, she argued. DHS is currently developing tools to share with industry that can identify bugs and security risks in connected devices at the design stage.

"Why sell a $30 cyber-secure pedometer for marathon runners when you can sell a basic version for five dollars?" Nielsen asked.

Finally, Nielsen said she wants to move towards a cybersecurity model where compromise and failure are a given. Instead of focusing all their energy on stopping intruders at the point of entry, agencies and industry should instead focus on building multiple layers of resilience into their networks, such that it would be possible to continue day-to-day work even while under a persistent cyberattack and even if internal systems are offline.

"We must be obsessed with building in redundancy, so that when our systems do get attacked and fail, they fail gracefully," she said.