Printed from

Homeland Security unveils cyber security strategy

Posted On: May. 22, 2018 7:00 AM CST

Homeland Security unveils cyber security strategy

A new five-year U.S. Department of Homeland Security cyber security strategy, unveiled last week, is a step in the right direction, although it must still be implemented, say observers.

The release of the document came the same week it was learned that the White House has eliminated the position of cyber security coordinator, after President Donald Trump’s first appointee for the job departed.

The new DHS strategy, which is described as providing a framework to execute the United States’ cyber security responsibilities over the next five years, establishes five goals for the department:

• Assessing evolving security risks

• Protecting federal government information systems by reducing vulnerabilities

• Protecting the critical infrastructure

• Reducing cyber threats

• Minimizing consequences from potentially significant cyber incidents

• Supporting policies and activities that enable improved global cyber security risk management

• Improving management of DHS cyber security activities

Homeland Security Secretary Kirstjen Nielsen said May 15 in a statement: “In an age of brand-name breaches, we must think beyond the defense of specific assets — and confront systemic risks that affect everyone from tech giants to homeowners. Our strategy outlines how DHS will leverage its unique capabilities on the digital battlefield to defend American networks and get ahead of emerging cyber threats.”

The strategy document says: “The growth and development of the internet has been primarily driven by the private sector, and the security of cyberspace is an inherently cross-cutting challenge.

“To accomplish our cybersecurity goals, we must work in a collaborative manner across our components and with other federal and nonfederal partners.”

The department said it will review and update its strategy in 2023, “and periodically, thereafter.”

Separately, news reports last week said the White House National Security Council was cutting the cyber coordinator role, with Rob Joyce, the latest to hold the post, returning to the National Security Agency.

A National Security Council spokesman said in a statement: “Today’s actions continue efforts to empower National Security Council senior directors. Streamlining management will improve efficiency, reduce bureaucracy and increase accountability.”

Commenting on the strategy, Michael R. Overly, a partner with Foley & Lardner L.L.P. in Los Angeles, said: “It’s clearly a good thing that the DHS is thinking about these issues and working hard to try to come up with alternative means.”

He added, however: “You look at this and say, ‘Where are the really specific things you can sink your teeth into and sleep better tonight?’”

Mr. Overly said also: “Whatever criticisms or praise you may have for the new administration, one thing that they have tried to do is be thoughtful about the security,” although he was “looking for something like this six months ago” and hopes matters now move “a lot quicker.”

Matthew McCabe, New York-based senior vice president with Marsh L.L.C.’s cyber practice, said: “It’s a very high-level document, but it’s also a strong effort to carry out a mandate for President Trump’s executive order on cyber security.”

President Trump issued that order in May 2017. 

“I’m sure it’s welcome by both the government and the private sector. I think that they were very thorough” and “hit the mark on the priorities that needed to be addressed.” But, Mr. McCabe added, these strategies must also be implemented.

Jason Krauss, New York-based FINEX cyber/errors and omissions thought and product leader for Willis Towers Watson P.L.C., said: “I think it’s timely. Given the landscape and cyber instances seen over the past couple of years,” it is in line “with how we recommend cyber organizations look to address their cyber risk” in taking a holistic approach.

“Of course, the goals are pretty broad” and “cover a lot of different areas with this strategy,” he said. But it “generally goes hand in hand with a lot of the state cyber regulations and statutes that are out there,” he said, pointing also to the May 25 implementation of the European Union’s General Data Protection Regulation.

Earlier this month, South Carolina became the first state to have a cyber security law requiring insurers to establish a “strong and aggressive” program to protect companies and their consumers from a data breach, with Gov. Henry McMaster’s signing of legislation. 

This “adds to what’s out there already in terms of recommendations and strategies to combat cyber risk,” said Mr. Krauss, who said he agrees that how it is implemented will be significant.

On the cyber coordinator position, Rep. Jim Langevin, D-R.I., said in a statement last week that he and Rep. Ted Lieu, D-Calif., have introduced a bill to create a permanent director of cyber security policy in the White House.

Rep. Langevin said the removal of the cyber coordinator position “is an enormous step backwards to de-emphasize the importance of this growing domain within the White House.”

“The decision to eliminate the top White House cyber policy role is outrageous, especially given that we’re facing more hostile threats from foreign adversaries than ever before,” he said.

The bill, H.R. 5822, has been referred to the House Committee on Oversight and Government Reform.

Mr. McCabe said the cyber coordinator’s office has carried out “a lot of important work.” But, he added, Ms. Nielsen, who is responsible for the strategy, is “stronger on cyber security than any of her predecessors. Secretary Nielsen gets it,” he said.

She has worked on cyber issues for the federal government from the beginning of implementation of its policy in this area, Mr. McCabe said.

“She’s a strong asset for the federal government to carry out its priorities right now,” he said. “She’s really going to be capable of shepherding what’s to come next,” he said.