- U.S. Secretary of Homeland Security details Federal Cybersecurity Strategy.
- Initial focus on ransomware, workforce, industrial control security.
- The federal government needs to take a risk-based, long-term view on cybersecurity.
With a spate of recent successful attacks that targeted federal agencies, including historic software supply chain attacks, election security at the fore, and rising geopolitical tensions — cybersecurity is clearly now a top U.S. policy issue.
In a presentation for the RSA Conference, in partnership with Hampton University and the Girl Scouts of the USA, Secretary of Homeland Security Alejandro Mayorkas detailed the administration's immediate and intermediate plans to bolster the cybersecurity efforts of the U.S. federal government.
Mayorkas cited Anne Neuberger's appointment as the first-ever Deputy National Security Advisor for Cyber and what he called "significant strides" in remediating the impact of recent high-profile incidents. "Deputy National Security Advisor Neuberger is coordinating a whole-of-government response to build back better and modernize our cyber defenses. We are working closely with Congress and the private sector to get this done," he said.
"We know that CISA is integral to this objective. As some have said, the government needs a quarterback on its cybersecurity team. CISA is that quarterback," he added. CISA is the Cybersecurity and Infrastructure Security Agency.
At a high level, Mayorkas broke the administration's plan into two tracks: a series of short-term 60-day sprints and a longer-term intermediate track.
The short-term track consists of a series of what Mayorkas described as 60-day sprints:
The immediate focus on ransomware: Mayorkas is calling for increased efforts to stamp out ransomware. "A particularly egregious type of malicious cyber activity that usually does not discriminate whom it targets. It is malicious code that infects and paralyzes computer systems until a ransom has been paid. Individuals, companies, schools, even hospitals, and other critical infrastructure have been among the victims," he said.
Mayorkas called ransomware a national security threat. He cited the warning issued by CISA and others in government last fall about increased ransomware attacks targeting hospitals and other healthcare providers.
"This should shock everyone's conscience. Those behind these malicious activities should be held accountable for their actions. That includes governments that do not use the full extent of their authority to stop the culprits. We must condemn them for it and remind them that any responsible government must take steps to prevent or stop such activity," he said.
Mayorkas described how efforts would be increased to prevent and respond to ransomware attacks, including launching an awareness campaign and strengthening the government's ability to disrupt those attacks and the associated marketplaces.
The immediate focus on cybersecurity talent: The second sprint will focus on attracting the "talented and dedicated people who can help protect our schools, hospitals, critical infrastructure, and communities. During the workforce sprint, which we will launch next month, we will focus on several elements. Front and center is support for our current workforce, who have done a heroic job protecting the election and now responding to two major incidents," he said.
DHS will also launch the DHS Honors Program, which will initially focus on cybersecurity. Mayorkas further promised that DHS would increase its internal efforts on diversity, equity, and inclusion in order to attract, develop, and retain the best diverse talent.
"To this end, I am excited that we are partnering with the Girl Scouts today and exploring additional opportunities for us to collaborate in the future. To further help inspire the next generation of diverse cyber talent, we will also expand our cybersecurity education and training program that has reached over 25,000 teachers so far," he said.
A focus on industrial control systems (ICS): The third sprint on industrial control systems will kick off later this summer and be dedicated to mobilizing action to improve industrial control systems' resilience. "The cybersecurity incident at the water treatment facility in Florida last month was a powerful reminder of the substantial risks we need to address," he said.
The final three sprints for 2021 will focus on the security of transportation systems, election security, and advancing international capacity-building.
Mayorkas outlined the medium-term priorities as follows:
Improve the resilience of the "democratic infrastructures" within the U.S. Mayorkas cited "great progress" in election security and said that the nation would need to continue to work toward the same for the years ahead. While he didn't cite specifics, he said that the U.S. must also improve the resilience of the other infrastructure our democracy depends upon.
"Several high-profile attacks against our allies and partners are warning signs that we must focus on securing all our democratic institutions, including those outside of the executive branch," he said.
Improve supply chain security. After successful attacks that targeted software suppliers to the federal government, supply chain and third-party risks have moved front and center.
Improving supply chain security will likely take years, Mayorkas said. "We are grateful to Congress for the support provided to CISA through the American Rescue Plan, which is a down payment to address this urgent challenge," he said. The American Rescue Plan provided $650 million to CISA to begin its investments in building a more resilient digital infrastructure. The Technology Modernization Fund received $1 billion to improve digital services and improve systems and data security.
Improve the federal government's focus on risk. Mayorkas said that the recent software supply chain exploitations highlighted the need to take a comprehensive look at such hazards. "While some risks are associated with certain foreign companies and governments, we need a risk-based approach to ensure we address all systemic supply chain risks. Bearing in mind that 100% cybersecurity is impossible, we are considering zero trust architectures to reach the level of resilience required."
Taking the long-term view on cybersecurity. Mayorkas said that the federal government needs to get beyond focusing on and fighting the current crises and think longer term. "It is imperative to dedicate senior leadership attention to strategic, on-the-horizon issues," he said.
One example he cited is the transition to post-quantum encryption algorithms, which depends on the development of quantum-resilient algorithms and their adoption. "While the former is already ongoing, planning for the latter remains in its infancy. We must prepare for it now to protect the confidentiality of data that already exists today and remains sensitive in the future," he said.
Mayorkas concluded by saying that, for too long, cybersecurity has been seen as a technical challenge couched in bureaucratic terms. "But cybersecurity is not about protecting an abstract 'cyberspace.' Cybersecurity is about protecting the American people and the services and infrastructure on which we rely," he said.