The strategy envisions clearer consequences for agencies that don’t meet their cyber responsibilities.
The Homeland Security Department plans to take a more muscular approach to cybersecurity in coming months, including by establishing clearer consequences for federal agencies that don’t adopt best practices, according to an updated cybersecurity strategy released Wednesday.
Homeland Security is the government’s lead civilian agency for cybersecurity but has struggled to force other agencies to take the cyber threat seriously or to allocate sufficient resources to the threat.
Going forward, Homeland Security will “develop new processes to ensure accountability within agencies and across the federal enterprise in order to affect necessary cybersecurity changes,” according to the strategy. The department will also “develop a formalized approach to measure and track agency adoption of information security policies, practices, and required controls,” the strategy states.
The language mirrors plans in a year-old cybersecurity executive order in which the Trump administration promised to hold top agency officials accountable for preventable cyber breaches.
Since that executive order, Homeland Security has released numerous mandatory cybersecurity directives to agencies, including a ban on the Russian anti-virus Kaspersky and a requirement to adopt anti-spoofing email security tools.
The department highlighted the latter directive in a fact sheet about the strategy under a section titled “our cybersecurity strategy in action.” Independent studies have found only about two-thirds of government email domains have implemented the new protection, but that government still leads major industry sectors.
The new strategy comes after a series of high profile breaches across the government in recent years, including at the White House, and State and Commerce departments.
Homeland Security has also taken the lead in helping states and localities shore up the cybersecurity of their election systems after Russia probed election infrastructure in at least 18 states before the 2016 election.
“The cyber threat landscape is shifting in real-time, and we have reached a historic turning point,” Homeland Security Secretary Kirstjen Nielsen said in a statement, adding that “cyber adversaries can now threaten the very fabric of our republic itself.”
The cybersecurity strategy also formalizes a plan Nielsen earlier outlined last month for her department to share cybersecurity tools directly with industry, especially critical infrastructure sectors such as hospitals, airports and chemical plants.
The process for sharing those tools will resemble the Continuous Diagnostics and Mitigation program under which Homeland Security shares a suite of cyber tools with federal agencies free of charge, Nielsen said.
It will be on top of a major program the department already runs to share cyber threat information with industry.
The strategy also stresses a “risk based” and “cost effective” approach to cybersecurity.
That includes identifying the government computer systems and data sets that cyber criminals and adversary governments are most likely to try to hack into and “prioritizing protections around those systems,” the strategy states.
Homeland Security is working with the White House on a governmentwide cybersecurity strategy that should be out shortly, Nielsen told lawmakers during a hearing Tuesday.