Two and a half years since President Obama announced that “America’s economic prosperity in the 21st century will depend on cybersecurity,” the Department of Homeland Security (DHS) is finally launching their new cybersecurity strategy.
A companion to similar documents from the White House, Department of Defense, and Department of Commerce (not to mention a legislative proposal sent to Capitol Hill), this new DHS “Blueprint for a Secure Cyber Future” is a strong document that helps fulfill the president’s call to treat “digital infrastructure … as a strategic national asset.” The Blueprint certainly shows the government has learned many lessons since the White House National Strategy to Secure Cyberspace, released in 2003, and seems well balanced between innovation, security, and privacy.
DHS has generally been taking this role seriously and cyber is one of the five core homeland security missions (alongside preventing terrorism, securing borders, enforcing immigration, and ensuring resilience to disasters). However, for many years, the United States government has been unsuccessfully trying to defeat cyber criminals, balance security and privacy, and create a secure cyberspace. As noted by the Government Accountability Office, the department has had problems executing this mission and it is not clear that this Blueprint and its recently released brethren will be sufficient to pull us out of this long dive.
The DHS Blueprint. This cyber strategy makes it clear from the beginning that DHS has two separate but interrelated cyber “focus areas” of protecting critical information infrastructure and strengthening general cybersecurity. The former helps protect finance; oil, gas and electricity; the backbone telecommunications networks; and similarly important sectors. To enhance general cybersecurity – including corporate networks, home users, and everyone in between – DHS is expanding on their previous idea of an interlinked cyber ecosystem.
The goals to succeed in each focus area certainly overlap, but DHS is on the right track to split these two missions. The cyber ecosystem interconnects each and every person and device in cyberspace, which requires a very wide aperture with heavy emphasis on education and outreach. In comparison, protecting critical information infrastructure includes a much smaller (but still dauntingly large) number of companies and organizations with different laws, including some regulatory authority.
Accordingly, to protect critical information infrastructure DHS specifies four tailored goals with accompanying “objectives”: Reduce Exposure to Cyber Risk, Ensure Priority Response and Recovery, Maintain Shared Situational Awareness, and Increase Resilience. By comparison, to strengthen the cyber ecosystem, DHS has a wider set of goals: Empower Individuals and Organizations to Operate Securely, Make and Use More Trustworthy Cyber Protocols, Products, Services, Configurations and Architectures, Build Collaborative Communities, and Establish Transparent Processes.
Assessment. These are generally solid goals and objectives, but will they be enough? Compare these to the 2003 National Strategy to Secure Cyberspace, issued by the White House, and you’ll find that many (perhaps even most) actions appear in both: “sharing a synoptic view of the health of cyberspace,” improving incident response, securing key standards and protocols, enhancing education and awareness, and reducing vulnerabilities.
Fortunately, DHS has improved on the previous document in several important ways. For example, it very tidily matches the recent well-balanced and clearly written White House International Strategy for Cyberspace. That strategy’s influence is clear in the DHS Blueprint in the paragraphs on guiding principles like innovation and privacy (though, oddly, there doesn’t seem to be much mention of how DHS will work with international partners).
Also, while the 2003 strategy mentioned investment, the newer Blueprint puts an emphasis on “return on investment” to “quantify the cost of cybersecurity investments and rapidly determine the resulting benefits of those investments.” Calculating ROI has been a key factor in risk management in critical infrastructure companies, so it is good to see the government taking it more seriously.
For the idea of calculating ROI to work at the national level, it may be especially important to fully expand the notion of the “ecosystem” to include the costs that an insecure computer or network forces on its interconnected neighbors. A risk accepted by one is imposed on all. As just one example, according to Arbor Networks, nearly a quarter of network providers they surveyed monitor for outbound or cross-bound attacks (that is, cyber attacks that are not directed at their own customers) and only half of those that did look for such attacks took any steps to stop them. This makes sense for each network provider’s ROI but not for the health of the ecosystem as a whole.
One of the strengths of the DHS Blueprint is their championing the idea of a cyber ecosystem which may make it easier to identify and understand this interrelationship of devices, technologies and people that make up cyberspace. Other concepts, such as a cyber environment, have additional strengths (such as accepted norms of behavior like “don’t pollute”) that aren’t as strong in the notion of an ecosystem but it is at least a start.
Regardless of the content, the most important factor is whether the actions here can be executed and in a way that is both scalable and measurable. For example, DHS has conducted dozens of voluntary security reviews of critical information infrastructures, which is excellent progress – except that there are thousands of organizations that may need such a review and the private sector provides these services anyhow.
The Blueprint’s confusing mash of goals, objectives, focus areas, and measurements may be a foreboding portent of how well it can be implemented. It would have been far preferable if DHS had taken a core vision such as “clean the ecosystem” or “reduce the cost of control” and worked it into every single objective. Even if the rest of the document were muddled, that kind of simple motto can help keep propelling a bureaucracy forward.
If this Blueprint is to be remembered as a defining moment, a key step toward the point when we finally started to push back the tide of cyber attackers (and if not, why are we bothering to publish it?), then DHS has to deliver. We will not quickly see changes, whether for better or worse. As President Obama reminded us 18 months ago: “… we need to remember: We’re only at the beginning. The epochs of history are long — the Agricultural Revolution; the Industrial Revolution. By comparison, our Information Age is still in its infancy.” DHS has a very hard task in front of it, one that will take years. This document just might, if matched by execution, be the beginning of a better era.
Jason Healey is the Director of the Cyber Statecraft Initiative at the Atlantic Council of the United States. You can follow his comments on cyber cooperation, conflict and competition on Twitter, @Jason_Healey.