The U.S. Department of Homeland Security (DHS) has a new strategy to steer its cybersecurity efforts to meet what it recognizes as a growing threat to U.S. national security and critical infrastructure days after the White House eliminated its Cybersecurity Coordinator position.
The simultaneous decisions by the White House show the persistent inconsistency in the Trump administration, which has shown a less-than-united front more or less since its inception. Trump’s White House has been a revolving door of personnel in top positions, and the latest contrary decisions show that there continues to be a lack of communication in strategy and planning between the Oval Office and top agencies.
Some also view the elimination of the cybersecurity coordinator position as a sign that the administration is not taking cyber risk seriously enough, even as the DHS Tuesday released what it’s deeming a department-wide approach to address the nation’s evolving cyber and critical infrastructure security.
The idea behind the DHS initiative is to provide a guideline for the department to prioritize and streamline all department planning, programming, budgeting and operational activities across its cybersecurity mission areas.
The National Defense Authorization Act of 2017 called for the move to help the DHS successfully strategize and plan to execute the full range of the DHS Secretary’s cybersecurity responsibilities, according to the agency.
“The cyber threat landscape is shifting in real-time, and we have reached a historic turning point,” DHS Secretary Kirstjen Nielsen said in a press statement on the DHS website. “Digital security is now converging with personal and physical security, and it is clear that our cyber adversaries can now threaten the very fabric of our republic itself. That is why DHS is rethinking its approach by adopting a more comprehensive cybersecurity strategy.”
[You might also like: Cyber Attacks May Be Early Consequence of Trump Exiting Iran Nuclear Deal]
Indeed, the United States faces perhaps the most critical time in its history in terms of being a target for government-coordinated cyber attacks from nation states like Russia, China and Iran, all of whom have active programs to mount attacks against critical infrastructure and transactional systems not only in the United States but worldwide.
Symbolic or strategic move?
One would think if the DHS’ cybersecurity mission is so critical and the cybersecurity climate so dire that the Trump White House might see fit to maintain the position appointed by President Obama in 2009 that connected–both symbolically and strategically–the White House to that mission. However, it apparently did not, with published reports and lawmakers reporting an elimination this week of the cybersecurity coordinator position.
The move comes only a few weeks into the tenure of national security adviser John Bolton, whose agency defended it as more of a bureaucratic decision to streamline National Security Council authority than part of what many view as Trump’s systematic housecleaning of policies by his predecessor.
“With our two senior directors for cybersecurity, cyber coordination is already a core capability,” according to an announcement by the council. “Eliminating another layer of bureaucracy delivers greater ‘decision, activity, secrecy and despatch (sic)’ as Alexander Hamilton put it in Federalist Number 70.”
Some Democratic lawmakers criticized the move, however symbolic it may have been, believing it will hamper the government’s cybersecurity strategy. In a tweet, Senator Mark Werner (D-Virginia) said the coordinator was “the only person in the federal government tasked with delivering a coordinated, whole-of-government response to the growing cyber threats facing our nation.”
“Here’s the point: we should be investing in our nation’s cyber defense, not rolling it back,” Werner said in another tweet. “We also need to articulate a clear cyber doctrine. I don’t see how getting rid of the top cyber official in the White House does anything to make our country safer from cyber threats.”
The White House seems to disagree. However, if the new DHS strategy is any indication, the administration still believes cybersecurity is a top priority. The department posted a comprehensive white paper on its new strategy and a fact sheet online that provide specific details on the approach it plans to take.
Five pillars of DHS cybersecurity strategy
The department aims to use a five-part effort to manage national cyber risk to ensure the mitigation of attacks that could hinder or debilitate critical national functions, as well as to protect the privacy and civil liberties of people in the United States, it said.
The five pillars of the plan are: risk identification, vulnerability reduction, threat reduction, consequence mitigation and the enabling of cybersecurity outcomes.
The first pillar will focus on assessing the evolving national cybersecurity risk posture to inform and prioritize risk management activities of the department. The second aims to protect federal government information systems by reducing the vulnerabilities of federal agencies to ensure they achieve an adequate level of cybersecurity.
Threat reduction aims to reduce national cyber threats by countering nation-sponsored criminal organizations and sophisticated cyber criminals, while consequence mitigation aims to do just that by responding quickly and effectively to cyber incidents through coordinated community-wide response efforts.
Finally, the last pillar of the plan aims to strengthen the security and reliability of the cyber ecosystem by supporting policies and activities to improve global cybersecurity risk management and execute departmental cybersecurity efforts.
It remains to be seen whether the DHS strategy will be carried out with the conviction and recognition of the critical cybersecurity risk facing the United States that the department put behind its messaging this week. Without a liaison in the White House to help direct the strategy, it’s possible the department may feel a lack of support from the top, but only time will tell.